10 January 2024

5 Key Takeaways on the FTC Location Data Ruling

The Federal Trade Commission recently imposed landmark penalties against location data companies X-Mode Social and Outlogic over privacy breaches related to selling sensitive consumer GPS data without consent.

The settlement order hands down strict prohibitions on precise location data sharing alongside tougher technical safeguarding mandates that together establish a new high-water mark for privacy and ethical data handling accountability.

Here are five big takeaways for GRC professionals to be mindful of:

Broad Ban on Monetizing Sensitive Location Data

The order bans the sale of location data tied to sensitive venues like medical facilities, places of worship, and domestic abuse shelters. Deemed high-risk by the FTC, these sites could allow tracking of protected groups or activities, enabling potential emotional, physical, or social harm.

Analytics firms must now maintain restricted location lists, auditing data flows to guarantee no associated consumer GPS trails ever get externally commercialized or de-anonymized. As raw location details remain identifiable, the FTC sees unpermitted sharing as an unchecked threat.

Opt-In Consent Mandatory for All Location Collection

Citing deceptive notice practices, the ruling requires explicit opt-in consent for all location data collection, not only for instances tied to sensitive sites.

Governance teams must revisit current app permissions protocols, SDK integrator partnerships, and third-party data supplier relationships to ensure transparency in commercial uses. Any continued location harvesting without express user approval now courts action, given the expanded FTC prohibitions against misleading disclosures.

Orders Enhanced Due Diligence on Commercial Partners

The FTC also mandated stronger safeguards on location data after its initial sale to third-party industries. New principles require firms to audit partners and halt sharing with those unable to prove that compliant opt-in policies govern their location gathering.

For GRC leaders, this enlarged accountability across the supply ecosystem represents a priority, as downstream gaps could tarnish records indirectly.

Individual Access and Deletion Rights Expanded

On top of revamped handling rules, the order also upgrades individual transparency and control entitlements over historical location data by introducing rights around understanding commercial buyers and information deletion options.

While potentially spurring adjustments to data mapping and architecture planning to accommodate these access prerequisites, the shift removes the previous “free license” treatment for locations as a personally owned asset.

Signals Regulatory Expectations of Expansive Accountability

While the new rules directly target X-Mode and Outlogic, they indicate wider FTC expectations. The agency demands privacy and ethics embedded organization-wide for all firms monetizing personal data.

Preventing repeat unauthorized uses of location details necessitates comprehensive governance controls under executive supervision. The order sets a new norm in which data misuse has regulatory consequences.
