Skip to main content
close search
site logo
Dive Brief

FTC X-Mode settlement focuses on sensitive data

The company must set up a system to ensure sensitive information, like where people live or get their healthcare, doesn’t get included in data it collects and sells.

Published Jan. 10, 2024
Robert Freedman's headshot
Lead Editor
data privacy, FTC
Map with location point, GPS app. champpixs via Getty Images

Dive Brief:

  • The proposed, first-of-its-kind settlement that the Federal Trade Commission entered into this week with location data broker X-Mode Social and its successor company, Outlogic, limits the collection and sale of data that disclose where a person lives, attends religious services, receives health treatments and other types of sensitive information. Other location data collections and sales remain permissible as long as they’re properly disclosed and handled.
  • “By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance,” FTC Chair Lina Khan said in announcing the settlement.
  • In its response, the company refers to the FTC’s action as a newly introduced policy and says it won’t have to change much to comply because it already has safeguards in place. “Adherence to the FTC’s newly introduced policy will be ensured by implementing additional technical processes and will not require any significant changes to business or products,” the company said in a statement provided to news outlets.

Dive Insight:

The FTC accuses the company of violating the FTC Act, which prohibits unfair business practices, by collecting sensitive data without disclosing fully what the data is used for and doing so even after, in some cases, people have opted out of sharing their data. The agency says the company also didn’t adequately manage third-parties’ disclosure and handling of the data. 

In the complaint, the headline charge is the company’s collection and transfer of information that’s considered sensitive because it exposes people to potential harm by revealing where they practice their religion, the kind of healthcare they’re receiving, what their gender preferences are and what political views they hold, among other information.  

“Identification of sensitive and private characteristics of consumers from the location data sold by X-Mode is an invasion of consumers’ privacy that causes or is likely to cause substantial injury through loss of privacy, exposure to discrimination, physical violence, emotional distress, and other harms,” the FTC said. 

The main way the company collects data is through third parties that insert code in their apps that sends data back to the company. X-Mode also collects data through its own apps, and it also buys data from others. 

The agency says the company didn’t adequately verify that third parties using the code had obtained user permissions, nor did it take action when it learned third parties were collecting data without permission. Nor did it verify if third parties stopped collecting data from Android users, who can opt out of having their data collected. 

“X-Mode failed to employ the necessary technical safeguards and oversight to ensure that consumers’ privacy choices enabled on their Android phones were honored and that their location data was no longer collected or sold for personalized advertising purposes,” the complaint said.  

With its own apps, as well as with third-party apps, X-Mode didn’t disclose that the data was collected and shared for more than just commercial purposes; it was also shared with companies working with government agencies. 

“X-Mode failed to inform consumers that it would be selling data to government contractors for national security purposes,” the FTC said. 

The settlement, if finalized, will require the company to stop collecting and selling sensitive data, destroy the data it has if it doesn’t have permission, rewrite its disclosures, and set up a system to make sure third parties are obtaining permissions and collecting appropriate data, among other steps. 

In its statement agreeing to the settlement, the company took issue with the way the FTC characterized what it was doing. 

“We disagree with the implications of the FTC press release,” the company says. “After a lengthy investigation, the FTC found no instance of misuse of any data and made no such allegation. Since its inception, X-Mode has imposed strict contractual terms on all data customers prohibiting them from associating its data with sensitive locations such as healthcare facilities.”

Sen. Ron Wyden (D-Ore.), who supports legislation to restrict data collection, said the FTC action shows Congress needs to get involved. 

"I commend the FTC for taking tough action to hold this shady location data broker responsible for its sale of Americans' location data,” Wyden said in a Tuesday press release. “In 2020, I discovered that the company had sold Americans' location data to U.S. military customers through defense contractors. While the FTC's action is encouraging, the agency should not have to play data broker whack-a-mole. Congress needs to pass tough privacy legislation to protect Americans' personal information and prevent government agencies from going around the courts by buying our data from data brokers." 

The FTC is taking public comments for a month before deciding whether to finalize the agreement. 

Recommended Reading

Filed Under: Data Privacy

Editors' picks

Company Announcements

View all | Post a press release

Want to share a company announcement with your peers?

Share your announcement

Editors' picks
Latest in Data Privacy
Industry Dive is an Informa TechTarget business.
© 2024 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.