On January 14, the FTC issued a consent order against a company and its subsidiary for allegedly engaging in unfair practices concerning the collection, use and sale of consumer location data in violation of the FTC Act. The FTC alleged these companies collected precise geolocation data from consumers without taking “reasonable steps to verify that consumers provid[ed] informed consent” for collection, use or sale. This data, which was linked to unique persistent identifiers, allegedly revealed consumers’ visits to sensitive locations, including medical facilities, religious sites, and venues associated with political activities. The FTC claimed these practices exposed consumers to risks such as stigma, discrimination, physical violence, emotional distress, and other harms.

Under the terms of the consent order, the companies were prohibited from misrepresenting the extent to which they review data suppliers’ compliance and consent frameworks, consumer disclosures, sample notices, and opt in controls as well as the extent to which they collect, use, maintain, disclose or delete any covered information. It also barred them from using, selling or disclosing sensitive location data unless specific conditions are met, such as obtaining affirmative express consent from consumers. To address these issues, the order mandated a “Sensitive Location Data Program” be implemented, designed to identify and prevent the misuse of sensitive location data.

Furthermore, the order required the companies to delete all historical location data collected without consumer consent, unless they can demonstrate that consent was obtained. They must also establish a comprehensive privacy program to protect consumer data, which will include regular risk assessments, the implementation of safeguards, and annual privacy training for employees. The companies must provide consumers with clear and conspicuous means to withdraw consent and request the deletion of their location data. Additionally, the order included provisions for compliance monitoring, requiring the companies to submit regular reports to the FTC such as third-party incident reports and maintain detailed records to demonstrate adherence to the order’s requirements.