In an article cleverly titled, “How ‘location, location, location’ can lead to ‘enforcement, enforcement, enforcement,’” the FTC reviewed the limits of using personal data, such as data that tracks a consumer’s location, for commercial purposes when the company that uses that data fails to obtain the consent of the consumers.
The FTC is now beginning to enforce the improper collection, use, and sale of consumer’s location data. One recent case explains the FTC’s concerns about new software and software apps that are invading the privacy of consumers.
An illustrative case – a settlement of proposed FTC charges against a company selling location data
The FTC recently brought charges against a Texas company, InMarket Media, that tracks consumer’s mobile devices that use the consumer’s precise geolocation and then cross-reference “their location histories with other personal data to categorize them into roughly 2,000 different audience segments.” InMarket then uses these segments to provide targeted advertising.
The FTC, on learning of these marketing uses, filed charges against InMarket for obtaining and using the data even though the company did not inform the consumers whose information was used and did not get their consent to use their location – “including information linking them to particularly sensitive places.”
FTC Enforces False Advertising Rules Against ‘Cell Repair’ Products
In today’s video, we discuss the dangers of marketing products without proper legal review—in this case, not just FDA enforcement, but even more significantly, FTC (Federal Trade Commission) […]
The FTC, on January 18, 2024, announced a proposed settlement of the charges.
The FTC complaint asserted that InMarket Media, a digital marketing company that “collects vast amounts of consumers’ location data by tracking their movements over time through their mobile devices” matches the data that is collected with other personal data such as what the consumers purchase, their demographics, and the socioeconomic stats of the consumers.
The FTC filed the complaint due to concerns the data could disclose where consumers live and work, where consumers attend religious services, the locations of the schools their children attend, and what medical providers consumers use – even though consumers don’t understand that this consumer information is being collected, used, and sold.
FTC Enforcement Actions Hurt, Don’t Lose Your Shirt
Any health and wellness company not strong or tough enough to take the FTC pain, should have its marketing materials reviewed by legal counsel before putting them up on the Web.
The FTC complaint against InMarket states that InMarket used two sensitive sources:
- InMarket “embedded a location-collecting software development kit (SDK) in its own two apps – shopping rewards app CheckPoints and shopping list app ListEase.” These apps have been downloaded “to more than 30 million unique devices since 2017.”
- InMarket also made the SDK “available to more than 300 third-party apps which were “downloaded to more than 390 million different devices during that same period.”
Consumers who think that the apps are just helping consumers understand where consumers can buy certain products do not understand that the apps consumers innocently buy or use are also being used to provide location information back to InMarket.
The FTC added that the app developers often used the SDK apps developed by In Market due to a unique incentive – “a portion of InMarket’s advertising revenue from each ad served through those apps.”
FTC Regulations You Must Know for Healthcare Advertising
Lots of physicians and healthcare companies have had us reviewed their marketing materials, and inevitably, we’ve quickly spotted gaping holes where they’ve left themselves vulnerable to […]
The FTC’s privacy consumers discussed in the InMarket complaint
The FTC stated that the audience segments disclosed audience segmented information about:
- Low-income millennials
- Parents of home-schooled kids
- Suburban moms with significant assets
- Blue-collar workers
This information was then offered to clients. Along with other sensitive information, InMarket and the people/businesses that used InMarket’s services were able to target these different consumer groups with advertisements. The information was held by InMarket for as long as five years.
InMarket also provided/sold advertisers “a product that sent push notifications based on a consumer’s location and “geofencing” – that person’s real-time proximity to a particular location.” As an example, if a customer is reasonably close to a pharmacy, the consumer may be targeted with advertisements for products typically sold at pharmacies – such as cold medicines and toothpaste.
“In addition, InMarket made its advertising audience segments available on real-time bidding platforms. That way advertisers could select a particular audience and bid on what they were willing to pay each time their ad appeared on the mobile device of a person who fit the selected category. InMarket made money each time an advertiser used that process.”
The FTC complaint
The FTC complaint alleged that InMarket’s collection and use of consumer location data obtained and used as discussed above was collected “unfairly.” The FTC also alleged that InMarket’s data collection was deceptive because the “company deceptively failed to disclose its use of consumer location data and unfairly retained it for longer than was reasonably necessary to effectuate its business purpose.”
The FTC settlement
InMarket, as part of the settlement with the FTC, has agreed to a proposed order. The order:
- Forbids InMarket from “selling or licensing precise location data.”
- Requires that InMarket implement programs that prevent the company from “using or sharing any products or services that categorize or target consumers based on sensitive location data.”
- Requires that InMarket destroy the current location data InMarket has collected already and any products produced by using that data – unless the company obtains the consent of the consumers or “ensures the data has been de-identified or rendered non-sensitive.”
- For consumer location data obtained from InMarket’s own apps, InMarket must notify the consumers about the FTC settlement and give the consumers a “way to request that their location data is deleted.
- InMarket “must provide an easy way for consumers to withdraw their consent for the collection and use of their location data.”
After the “proposed settlement is published in the Federal Register, the FTC will receive public comments for 30 days.”
The lessons of the FTC action against InMarket regarding the collection, use, and sale of consumer location data
The FTC states that its settlement with InMarket helps protect consumers in the following ways:
- The settlement (along with another proposed settlement with X-Mode Social) sends a message that the FTC will protect consumers “against the illegal collection of their location” information; and that the FTC will not stand by while sensitive geolocation data of consumers is collected through deception or unfairly. In short, the settlement informs companies that collect location information that the companies need to review their compliance requirements.
- The settlement should provide guidance about what “constitutes effective consumer consent – and what doesn’t.” For example, half-truths to convince consumers to agree to use InMarket’s shopping list app were unfair and/or deceptive because they didn’t disclose that the use of the shopping list app could identify the user’s location. Simply put, “Consent to one use without an explanation of other uses is no consent at all.”
- The settlement establishes that digital marketing companies must “verify that third parties have effective consumer consent to share location information.” The FTC complaint also asserts that InMarket did not verify failed to verify that “users of third-party apps incorporating its SDK had been notified that their location data would be used to target advertising.”
The FTC recommends that companies who collection, use, share, and sell consumer location information should:
- “Require third-party apps using SDK to get consumers’ informed consent for the specific collection of geolocation data for advertising and marketing purposes – or for whatever purpose their data will be used.”
- “Maintain sufficient records of how third parties are fulfilling that obligation and the steps you’re [InMarket is] taking to monitor compliance.”
The FTC adds that “pro forma statements that developers must “comply with all applicable laws” aren’t enough to show compliance.
The FTC regulates advertising to consumers to ensure that the ads are honest and not misleading A recent settlement confirms that the FTC will file enforcement actions against companies that cleverly use information that is obtained from mobile devices – if that information, such as a consumer’s location information, is obtained without the knowledge of the consumer. The settlement makes clear that advertisers should review their FTC compliance requirements with skilled legal compliance lawyers.
Medical advertisers and pharmaceutical companies should contact Cohen Healthcare Law Group, PC to discuss their legal and healthcare compliance requirements. Our experienced healthcare attorneys advise medical businesses about healthcare compliance laws and regulations.
Contact our healthcare law and FDA attorneys for legal advice relevant to your healthcare venture.