FTC Proposes Settlement Prohibiting InMarket from Selling Consumers’ Precise Location Data
The Federal Trade Commission (FTC) has proposed a settlement with the digital marketing platform provider and data aggregator InMarket Media LLC that resolves allegations the company’s business practices violated the Federal Trade Commission (FTC) Act.
According to the FTC complaint, InMarket Media obtains vast amounts of consumer data including information from mobile devices about consumers’ movements, purchasing habits, demographic data, and information on their socioeconomic background. InMarket Media retains consumer data for 5 years and uses that data to facilitate targeted advertising on consumers’ mobile devices through its InMarket Software Development Kit (SDK). InMarket Media categorizes consumers into advertising audiences and allows its clients to target consumers on third-party advertising platforms. The FTC alleges that InMarket Media failed to notify consumers that their personal data will be used to serve targeted advertisements and did not verify that mobile applications that incorporate the InMarket SDK have notified consumers about such uses of their personal data.
Apps that incorporate the InMarket SDK request access to location data from the mobile device’s operating system. If the user gives the app those permissions, their precise latitude and longitude will be collected and transmitted back to InMarket Media along with a timestamp and a unique mobile device identifier. When a user is moving, the location data is sent every few seconds. According to the FTC, between 2016 and the present, around 100 million unique devices have transmitted location data to InMarket Media each year.
The location data reveals where the user lives and works, where their children go to school or obtain child care, and where medical treatment is provided, which can reveal the existence of medical conditions. The location data can also reveal other sensitive information such as where they go to rallies, demonstrations, or protests, which can reveal political affiliations. The location data can also be used to determine how long an individual is present in a particular location.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The FTC alleges InMarket Media misled consumers by providing “misleading half-truths” about its data uses. For instance, the consent screens for the CheckPoints and ListEase apps state that consumers’ data will be used for the app’s functionality such as earning points and keeping lists, but the consent screens do not state that users’ precise location will be collected and transmitted along with data collected from multiple other sources and that the data will be used to build extensive profiles on users to precisely target them with advertising.
While InMarket Media states in its privacy policy that consumer data will be used for targeted advertising, the consent screen does not link to the privacy policy language, and misleading prompts do not inform consumers of the apps’ data collection and use practices. InMarket is alleged to do very little to verify that third-party apps incorporating its SDK obtain informed consumer consent before granting InMarket access to their sensitive location data and does not require apps that incorporate the SDK to obtain informed consumer consent.
Consequently, InMarket does not know whether users of hundreds of third-party apps that incorporate the InMarket SDK have been informed that their data is being collected and used for targeted advertising. The FTC alleges InMarket Media violated Section 5(a) of the FTC Act, 15 U.S.C. § 45(a) which prohibits unfair or deceptive acts or practices affecting commerce, given that misrepresentations or deceptive failures to disclose a material fact constitute deceptive or unfair practices under Section 5(a) of the FTC Act and the acts are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves.
The complaint alleges four counts of FTC Act violations: unfair collection and use of consumer location data; unfair collection and use of consumer location data from third-party apps; unfair retention of consumer location data; and deceptive failure to disclose InMarket’s use of consumer location data. A settlement has been proposed that prohibits InMarket Media from selling, licensing, transferring, or sharing any product or service that categorizes or targets consumers based on sensitive location data. “All too often, Americans are tracked by serial data hoarders that endlessly vacuum up and use personal information. Today’s FTC action makes clear that firms do not have free license to monetize data tracking people’s precise location,” said FTC Chair Lina M. Khan. “We’ll continue to use all our tools to protect Americans from unchecked corporate surveillance.”
A spokesperson for InMarket Media said the company disagrees with the FTC’s allegations and is expanding its existing sensitive location protections. Also, in December 2023, the company engaged a nonprofit to identify location information close to reproductive healthcare clinics to remove that information from its databases. InMarket Media also confirmed that it is working with its partners to ensure that their notice and consent processes are clear.
The FTC has recently proposed a similar settlement with the data broker X-Mode Social (Outlogic) that also prohibits the sale of precise location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics. The FTC also sued the data broker Kochava for selling geolocation data that could identify visits to sensitive locations.
