Federal regulators are banning OutLogic from selling or sharing sensitive location data to third parties, marking the latest effort by government officials to address the thorny issue of data brokers and what they do with the massive amounts of personal information they collect.

In this case, the Federal Trade Commission (FTC), in its first settlement with a data a broker, found that Outlogic – formerly known as X-Mode Social – sold the precise location data of individuals that other entities could use to track visits to such places as places of worship, domestic abuse or homeless shelters, or medical and reproductive health clinics.

The FTC also said that X-Mode, and then Outlogic, had no safeguards in place that dictated how the location information could be used by third parties.

“Geolocation data can reveal not just where a person lives and whom they spend time with but also, for example, which medical treatments they seek and where they worship,” FTC Chair Lina Khan said in a statement, adding that “businesses do not have free license to market and sell Americans’ sensitive location data.”

The data Outlogic sold violated the privacy of consumers and opened them up to possible harms like discrimination, physical violence, and emotion distress, the FTC wrote in its initial complaint from 2022.

Enhanced Scrutiny

Federal and state agencies in recent years have put their attention on the highly controversial and unregulated data broker industry, where companies collect and aggregate huge amounts of personal information that they then sell and license. In an increasingly digital world that is now seeing rapid innovation around AI, the data broker market is booming, with some analyst firms saying it could grow from $319 billion in 2021 to more than $545 billion by 2031.

There are about 4,000 data brokers around the world, and while some of them – such as Oracle and Experian – are well-known names, others work in more obscurity. However, the job is the same: collect personal information and make money off of it by making it available to other companies.

California state lawmakers last year passed a law making it easier for residents to stop data brokers from collecting and selling their personal data.

Also last year, the Consumer Financial Protection Bureau (CFPB) began looking into prohibiting some of the information data brokers can sell, such as an individual’s Social Security number, income, or criminal history record.

In addition, the bipartisan Fourth Amendment is Not for Sale Act, which includes language preventing data brokers from selling personal information to federal agencies and law enforcement without a warrant, was filed last year and is making its way through Congress.

Military Personnel Data on the Market

More pressure was put on data brokers when a 12-month study by Duke University’s School of Public Policy found it was easy and inexpensive to buy from data brokers the personal information of active and retired U.S. military personnel and their families, which in turned posed a significant national security risk if some of that information was used by foreign adversaries to target or compromise a member of the military.

U.S. Sen. Ron Wyden (D-OR), a critic of data brokers and a co-sponsor of the Fourth Amendment is Not for Sale Act, applauded the FTC “for taking touch action to hold this shady location data broker responsible for its sale of Americans’ location data,” but added more needs to be done.

“The agency should not have to play data broker whack-a-mole,” Wyden said in statement. “Congress needs to pass tough privacy legislation to protect Americans’ personal information and prevent government agencies from going around courts by buying our data from data brokers.”

Numerous Violations

According to the FTC’s complaint, Outlogic – and X-Mode before it – collected data from third-party apps that included the data broker’s SDK and from its own mobile apps, Drunk Mode and Walk Against Humanity. The Virginia-based company also bought location data from other data brokers. It then sold the data to hundreds of clients in such industries as real estate and finance, and to private government contractors.

There were a number of problems with how the company ran its operation, including not having policies in place for removing sensitive locations from the raw data it collected and didn’t ensure that those using its apps or the third-party apps using its SDK were completely informed how the data would be used, including the entities that would receive the data.

It also didn’t comply with requests from Android users who said they wanted to opt out of tracking and personalized ads.

“The market for mobile location data is complex and typically opaque to consumers,” the FTC wrote in its compliant. “Mobile location data, as electronically-stored information, is easily transferable and, as Respondents’ practices demonstrate, may be sold and resold multiple times.”

Once the data is collected, many consumers lose control of it, including how its used, spread, and retained, so consumers can reasonably be expected to be able avoid such harms, the agency wrote, adding that “these harms are not outweighed by any countervailing benefits to consumers or competition.”

In its order, the FTC not only is limiting how Outlogic can share the location information, but also requires the company to delete or destroy the data is previously collected unless it got consumer consent or the data is deemed not sensitive, create a program to ensure that company supply it with location data get prior consent, and put procedures in place to make sure the data doesn’t include information that could touch on such subjects as political affiliation or sexual orientation.

Also, consumers should be able to easily opt out of having their location data collected and be told which third parties have bought or licensed their data. In addition, Outlogic needs to create a privacy plan to protect the information and a data retention schedule.