For the second time this month, the Federal Trade Commission is banning a data broker from selling or licensing precise location data without getting the consumer’s consent.

Under the 14-page FTC order, Texas-based data aggregator InMarket Media also is prohibited from selling, licensing, or sharing any product or service that targets consumers or categorizes them based on sensitive location data.

“All too often, Americans are tracked by serial data hoarders that endlessly vacuum up and use personal information,” FTC Chair Lina Khan said in a statement. “Today’s FTC action makes clear that firms do not have free license to monetize data tracking people’s precise location.”

Combined with the previous case banning Outlogic – formerly known as X-Model Social – from similar practices, the order against InMarket indicates the federal agency’s growing belief that the controversial data broker market needs to be more closely scrutinized and policed.

Along the prohibitions against selling the location data or offering tools that enable other organizations to track consumers’ movements, the FTC ordered InMarket and those companies using its products to offer consumers an easy way to have their data removed. They also must notify those whose data was collected about the FTC’s action.

The agency also said that InMarket’s policy of retaining the data it collected for five years was too long and ordered that it be amended and that the company create a comprehensive program to protect the privacy of consumers’ personal information.

A Focus on Data Brokers

The FTC’s order is only the latest attempt by federal and state governments to rein in the abuses of a fast-growing data broker market that is thriving in an increasingly digital world that now includes the rapid adoption of AI technologies. Some estimates have the global data broker industry jumping from $319 billion in 2021 to more than $545 billion by 2031.

There are about 4,000 data brokers worldwide. Some are well known, such as Oracle and Experian, but many run below the radar. They collect and aggregate massive amounts of personal information, that they then sell and license to others.

The FTC last year said it was considering broad new regulations to restrict what personal information companies could collect and how they use it, while the Consumer Financial Protection Bureau is mulling whether to prohibit some of the information that data brokers now sell, such as an individual’s Social Secure number, income, or criminal history.

Congress is working on the bipartisan Fourth Amendment is Not for Sale Act, which would prevent data brokers from selling personal information to federal agencies and law enforcement without a warrant, while at the state level, California last year passed a law making it easier for residents to stop data brokers from collecting and selling their personal data.

Informed Consent Required

According to the complaint filed by the FTC against InMarket, the company didn’t get informed consent from people using its proprietary mobile apps, CheckPoints, a shopping rewards app, and shopping list app ListEase.

“For example, when the company requests to use a consumer’s location data, it states that the data will be used for the app’s function, such as to provide shopping reward points or to remind consumers about items on their shopping list, and fails to inform users that the location data will also be combined with other data obtained about those users and used for targeted advertising,” the FTC wrote.

At the same time, InMarket didn’t ensure that third-party apps that used the company’s SDK had obtained informed consent and didn’t tell such apps that the location data provided via the SDK would be combined with other data to create profiles of consumers.

The FTC wrote that companies using the InMarket SDK could collect the precise data location – the latitude and longitude – of the individuals that had InMarket’s apps on their mobile devices. Included in the location data was a timestamp and unique mobile device identifier, with the mobile devices’ OS providing it as much as every few seconds when the device was on the move.

Broad Use of the SDK

From 2016 to now, about 100 million unique devices sent location data through the InMarket SDK each year.

“Through the InMarket SDK, Respondent collects sensitive information from consumers, including where they live, where they work, where they worship, where their children go to school or obtain child care, where they receive medical treatment (potentially revealing the existence of medical conditions), where they go to rallies, demonstrations, or protests (potentially revealing their political affiliations), and any other information that can be gleaned from tracking a person’s day-to-day movements,” the FTC wrote in the nine-page compliant. “All of the above information is collected along with several identifiers (including a unique mobile device identifier).”

InMarket’s SDK has been downloaded onto more than 390 unique devices since 2017, the agency wrote.

In a statement to news organizations, InMarket said while it was happy to resolve the FTC’s concerns, it disagreed with the agency’s claims. It also wrote that “as a business that provides marketing solutions, we have no interest in selling consumer location data, and we have confirmed we will not do so.”

Location Data a Growing Concern

The issue of tracking individuals’ locations has come to the forefront in recent years as the practice of apps collecting various personal information has collided with ongoing societal shifts, such as the Supreme Court’s 2022 ruling striking down Roe v. Wade and some states subsequently passing laws seeking to prosecute those getting, providing, or aiding someone in getting an abortion.

In addition, the Federal Communications Commission earlier this month asked automakers and wireless service providers to detail how they were protecting survivors of domestic abuse from being tracked by their abusers through the connected devices in their cars.