Updates

FTC Takes Action Against Data Brokers for Selling Sensitive Location Data

December 3, 2024

The Federal Trade Commission announced two proposed settlements today with data brokers that unlawfully sold sensitive location data: one with Gravy Analytics and its subsidiary Venntel, the other with Mobilewalla.

Gravy Analytics and its subsidiary Venntel collect precise consumer location data from other data suppliers to package and sell to private and public sector clients. In its complaint, the FTC alleged that Gravy Analytics bought data from data suppliers that provided vague or no confirmation that users had given informed consent to location data collection. Meanwhile, Venntel wholly relied on Gravy Analytics to confirm that consumers consented to the location data collection. Gravy Analytics used the location data to sell products that targeted consumers based on sensitive characteristics and behaviors such as political affiliation, attendance at places of religious worship, family composition, and medical conditions. “You may not know anything about Gravy Analytics, but Gravy Analytics may know, quite a bit about you,” Commissioner Alvaro Bedoya wrote in his concurring statement.

Under the proposed settlement order, Gravy Analytics and Venntel are prohibited from selling, disclosing, or using sensitive location data in any product excepted in limited circumstances involving national security or law enforcement. The companies must establish a sensitive data location program that develop a list of sensitive locations such as medical and religious facilities, schools, military installations, to ensure that associated location data is not licensed, shared or sold.

Mobilewalla similarly collects precise consumer location data from suppliers and real-time bidding (RTB) exchanges. The FTC alleged that Mobilewalla collected and retained information from failed RTB bids, a practice that is prohibited by the terms of RTB exchanges. The raw location information was not anonymized and was sold by Mobilewalla to third parties that could identify individuals and track them to sensitive locations such as medical facilities, places of religious worship, and domestic abuse shelters. Mobilewalla also created geofences with the data it collected to track travel by union organizers and attendances at political rallies.

In a concurring statement from the case, Chair Lina Khan wrote that “the ease with which real-time bidding technology can be exploited to surveil Americans should raise serious alarm. Researchers report that no real safeguards limit who can access, harness, or retain this data, suggesting that the multi-billion-dollar industry built around targeted advertising may presently leave Americans’ sensitive data extraordinarily exposed.”

Under the proposed settlement order, Mobilewalla will be banned for collecting consumer data from RTB bids for purposes other than participating in those auctions. In addition, Mobilewalla must create a similar sensitive data location program and implement a data deletion method for consumers.

EPIC has long highlighted the ways that data brokers’ collection and sharing of personal information harms national security and puts communities at risk, including domestic violence survivors and immigrants. EPIC has also urged the CFPB to clarify that data brokers are covered by the Fair Credit Reporting Act and place limits on how brokers can collect and share personal information—a step the agency proposed to take today.

Support Our Work

EPIC's work is funded by the support of individuals like you, who allow us to continue to protect privacy, open government, and democratic values in the information age.

Donate