Outlogic (X-Mode) just made history. U.S. Federal Trade Commission (FTC) has issued the first-ever ban on the use and sale of sensitive location data. In this decision, the FTC has issued a ban on data broker Outlogic, formerly known as X-Mode Social, prohibiting the sharing or selling of sensitive location data with third parties. The move comes as a result of allegations that the company engaged in the sale of precise location data, capable of tracking individuals’ visits to sensitive places such as medical facilities, places of worship, and domestic abuse shelters.
The Settlement and Restrictions
The ban is part of a comprehensive settlement, requiring Outlogic to cease any sharing or selling of sensitive location data immediately. Additionally, the proposed order mandates the destruction of all previously gathered location data, unless explicit consumer consent is obtained. Outlogic is also obligated to de-identify or render the data non-sensitive. Furthermore, the company is tasked with maintaining a comprehensive list of sensitive locations and developing a robust privacy program with a data retention schedule to prevent potential misuse.
Allegations Against X-Mode Social and Outlogic
The FTC accused X-Mode Social and Outlogic of failing to implement adequate safeguards against the misuse of location data by downstream customers. This marks a significant milestone as the first-ever ban on the use and sale of sensitive location data.
X-Mode Social gained attention in 2020 for selling location data to the U.S. military. The company operates by offering precise location data collected from proprietary apps and third-party apps incorporating its software development kit (SDK). It has also reportedly obtained location data from other data brokers and aggregators.
Apple and Google’s Response
In response to the 2020 revelations, both Apple and Google took measures by urging app developers to remove X-Mode’s SDK from their apps or face potential bans from their respective app stores. The raw location data sold by X-Mode was associated with mobile advertising IDs, unique identifiers linked to each mobile device. Notably, this raw data was not anonymized, posing a risk of matching an individual’s mobile device with their visited locations.
Lack of Transparency and Negligence
The FTC highlighted several key concerns, emphasizing X-Mode’s lack of transparency regarding the entities receiving data through third-party apps with its SDK. Furthermore, the company failed to ensure that these apps obtained informed consent from users for location data access. The agency also criticized X-Mode for not having policies in place, until May 2023, to remove sensitive locations from the sold data, exposing users to potential privacy breaches and harms, including discrimination, violence, and emotional distress.
The agency also raised concerns about X-Mode’s alleged negligence in honoring opt-out requests from some Android users seeking to avoid tracking and personalized ads.
Outlogic’s Response
Outlogic responded to the FTC announcement by expressing disagreement with the “implications” of the decision. The company emphasized that there was no finding indicating misuse of location data. This marks a divergence in perspective between the regulator and Outlogic.
The Larger Call for Privacy Legislation
U.S. Senator Ron Wyden commended the FTC for taking decisive action against Outlogic, stating, “In 2020, I discovered that the company had sold Americans’ location data to U.S. military customers through defense contractors.” While applauding the FTC’s efforts, Wyden stressed the need for comprehensive privacy legislation to protect personal information and prevent government agencies from acquiring citizen data through data brokers.
In conclusion, the FTC’s ban on Outlogic’s sale of sensitive location data signals a significant step in safeguarding individual privacy. As technology evolves, the call for stringent regulations and privacy legislation becomes more apparent. The Outlogic case serves as a reminder of the importance of transparency, informed consent, and proactive measures to protect users from potential data misuse. The ongoing dialogue between regulators, companies, and lawmakers is crucial in establishing a secure and privacy-respecting digital landscape.
