Comments of EPIC in re the Federal Trade Commission’s Proposed Consent Order with InMarket Media LLC
February 22, 2024
Chair Lina M. Khan
Commissioner Rebecca Kelly Slaughter
Commissioner Alvaro Bedoya
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
Re: InMarket Media, LLC, FTC File No. 202-3088
Dear Chair Khan and Commissioners Slaughter and Bedoya,
By notice published January 23, 2024, the Federal Trade Commission (FTC) announced its proposed consent order with InMarket, LLC (InMarket) for InMarket’s alleged violations of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), prohibiting unfair or deceptive acts or practices.[1] The proposed consent order with InMarket is the result of the FTC’s complaint alleging that InMarket violated the FTC Act in four ways: (1) unfair collection and use of consumer location data; (2) unfair collection and use of consumer location data from third party apps; (3) unfair retention of consumer location data; (4) deceptive failure to disclose InMarket’s use of consumer location data.[2]
The Electronic Privacy Information Center (EPIC) submits this letter to applaud the FTC’s enforcement efforts in this matter and to provide recommendations to strengthen the proposed order (and others like it in future cases concerning location data). EPIC is a public interest research center in Washington, D.C. established in 1994 to focus public attention on emerging civil liberties issues and to secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation. EPIC routinely files comments in response to proposed FTC consent orders and complaints regarding business practices that violate privacy rights.[3]
EPIC commends the Commission for using its authority to investigate and take enforcement action against companies like InMarket that use misleadingly obtained data to create and maintain consumer profiles for targeted advertising. As the Commission knows, location data can reveal highly sensitive traits about consumers, including medical conditions and treatments. A consumer’s privacy is violated when their location data is used for out-of-context purposes unrelated to the purpose for which it was collected, and EPIC is encouraged by the Commission’s actions to prevent such harmful uses. The Commission’s complaint confirms that a data processor, like InMarket, that fails to follow data minimization principles by limiting the collection, use, or retention of precise location information has engaged in an unlawful trade practice. InMarket wrongfully collected and used consumers’ sensitive personal information for targeted advertising—and did so without meaningfully notifying consumers.[4] In apps that incorporated InMarket’s SDK, users were prompted with disclosures that cited a reason for using location information (e.g., providing discounts), but the prompt failed to disclose that location information would be collected and used to maintain a detailed consumer profile and target ads.[5] The complaint further alleges that InMarket’s retention of data for longer than reasonably necessary for its business purposes was a likely source of substantial injury to consumers.[6] EPIC is heartened to see that the proposed order incorporates safeguards against the overcollection, out-of-context use, and excessive retention of consumers’ location information, but we suggest that imposing a data minimization framework—rather than relying heavily on individual consent—would be the best means of limiting the personal data available for use by InMarket in the future.
First, EPIC supports the proposed order’s prohibition against InMarket selling or licensing precise location data. The prohibition contained in Section II of the proposed order is the strongest and most effective way to protect consumers’ location data against wrongful disclosure. EPIC further supports the proposed prohibition on selling, licensing, transferring, or sharing any product or service that categorizes or targets consumers based on sensitive location data. As explained in the complaint, consumers face substantial injury in the form of a loss of privacy concerning their day-to-day movements when their location information is unfairly collected or misused.[7] Using this information to profile consumers and target them with advertisements is unrelated to the apparent purpose for which such location information is collected. A consumer does not expect—and certainly cannot be said to have consented to—such a secondary use of their precise geolocation information. Recognizing that InMarket’s overcollection, excessive retention, and misuse of location data adversely affected millions of consumers, the Commission has rightly proposed to prohibit InMarket from selling or licensing location data in the future.
Second, as we have noted previously in comments and filings with the Commission, the best way to mitigate the harms from the collection, use, and disclosure of personal information is a data minimization framework rather than a system that places a heavy burden on consumers to grant or withhold consent. Here, imposing an across-the-board data minimization framework on InMarket’s collection and use of location data would limit the personal information available to InMarket in the first place and minimize the risk of future data misuse—all while reducing the burden on consumers to manage InMarket’s collection and use of their own precise location information. However, to the extent that the order relies on individual consent to limit the location data collected and processed by InMarket, EPIC commends the Commission for including strong requirements in its definitions of “Affirmative Express Consent” and “Clear and Conspicuous,” as well as in the “Withholding and Withdrawing Consent” and “Obligations When Consent is Withdrawn” provisions of the proposed order.
Finally, EPIC commends the proposed requirement for InMarket to delete or destroy all historic location data that the company collected through its apps. Section XII’s disgorgement requirement is the most effective remedy to prevent InMarket from further profiting from wrongfully obtained personal data. Disgorgement prevents companies like InMarket from developing subsequent products and services based on ill-gotten personal data and disincentivizes harmful data practices across the industry. EPIC is pleased to see the Commission make use of this remedy again and hopes it will continue to feature in future consent decrees.
EPIC commends the Commission for taking enforcement action against InMarket and for protecting consumers from harmful location data practices. EPIC applauds the Commission for the proposed order’s prohibition on InMarket selling or licensing precise location data and on InMarket selling, licensing, transferring, or sharing any product or service that categorizes or targets consumers based on sensitive location data. EPIC further suggests that the Commission rely on data minimization requirements rather than individual consent in the final order and in future orders to best protect consumer privacy. Finally, EPIC supports the proposed order’s requirement that InMarket delete or destroy all historic location data that the company collected through its apps and encourages the Commission to continue using this remedy in future consent orders. Please feel free to reach out to EPIC Counsel Sara Geoghegan at [email protected] if you have any questions.
Sincerely,
/s/ John Davisson
EPIC Director of Litigation &
Senior Counsel
/s/ Sara Geoghegan
EPIC Counsel
ELECTRONIC PRIVACY
INFORMATION CENTER (EPIC)
1519 New Hampshire Ave. NW
Washington, DC 20036
202-483-1140 (tel)
202-483-1248 (fax)
[1] InMarket Media LLC; Analysis of Proposed Consent Order To Aid Public Comment, 89 Fed. Reg. 4,301 (Jan. 23, 2024), https://www.federalregister.gov/documents/2024/01/23/2024-01269/inmarket-media-llc-analysis-of-proposed-consent-order-to-aid-public-comment [hereinafter Federal Register Notice].
[2] Id.; InMarket, LLC Complaint, In the Matter of InMarket, LLC, FTC File No. 202-3088 (2024), https://www.ftc.gov/system/files/ftc_gov/pdf/Complaint-InMarketMediaLLC.pdf [hereinafter Complaint].
[3] See, e.g., Comments of EPIC, FTC Proposed Trade Regulation Rule on Commercial Surveillance and Data Security (Nov. 2022), https://epic.org/wp-content/uploads/2022/12/EPIC-FTC-commercial-surveillance-ANPRM-comments-Nov2022.pdf [hereinafter EPIC Commercial Surveillance Comments]; Comments of EPIC, Demand Progress, & EFF, In re X-Mode Social, Inc., FTC File No. 202-3038 (2024), https://epic.org/documents/comments-of-epic-demand-progress-and-eff-in-re-the-federal-trade-commissions-proposed-order-settlement-with-x-mode-social-inc/; Comments of EPIC, In re BetterHelp, Inc., FTC File No. 202-3169 (2023), https://epic.org/documents/comments-of-epic-in-re-the-federal-trade-commissions-proposed-order-settlement-with-betterhelp-inc/; Comments of EPIC, In re CafePress, File No. 192-3209 (2022), https://epic.org/wp-content/uploads/2022/04/EPIC-comments-in-re-cafepress.pdf; Comments of EPIC, In re Matter of Support King, LLC (SpyFone.com), FTC File No. 192-3003 (2021), https://archive.epic.org/apa/comments/In-re-SpyFone-Order-EPIC-comment-100821.pdf; Comments of EPIC et al., In re Zoom Video Communications, Inc., FTC File No. 192-3167 (2020), https://epic.org/apa/comments/EPIC-FTC-Zoom-Dec2020.pdf; Complaint of EPIC, In re Online Test Proctoring Companies (Dec. 9, 2020), https://epic.org/wp-content/uploads/privacy/dccppa/online-test-proctoring/EPIC-complaint-in-re-online-test-proctoring-companies-12-09-20.pdf; Complaint of EPIC, In re Airbnb (Feb. 26, 2020), https://epic.org/privacy/ftc/airbnb/EPIC_FTC_Airbnb_Complaint_Feb2020.pdf; Complaint of EPIC, In re HireVue (Nov. 6, 2019), https://epic.org/privacy/ftc/hirevue/EPIC_FTC_HireVue_Complaint.pdf; Comments of EPIC, In re Unrollme, Inc., FTC File No. 172-3139 (2019), https://epic.org/apa/comments/EPICFTC-Unrollme-Sept2019.pdf; Comments of EPIC, In re Aleksandr Kogan and Alexander Nix, FTC File Nos. 182-3106 & 182-3107 (2019), https://epic.org/apa/comments/EPIC-FTCCambridgeAnalytica-Sept2019.pdf; EPIC, Comments on Standards for Safeguarding Customer Information, Docket No. 2019-04981 (Aug. 1, 2019), https://epic.org/apa/comments/EPIC-FTC-Safeguards-Aug2019.pdf; Complaint of EPIC, In re Zoom Video Commc’ns, Inc. (July 11, 2019), https://epic.org/privacy/ftc/zoomEPIC-FTC-Complaint-In-re-Zoom-7-19.pdf.
[4] Complaint, supra note 2 at ¶ 12.
[5] Complaint, supra note 2 at ¶ 23.
[6] Complaint, supra note 2 at 6.
[7] Complaint, supra note 2 at ¶ 32.