10 January 2024

5 Key Takeaways on the FTC Location Data Ruling

The Federal Trade Commission recently imposed landmark penalties against location data companies X-Mode Social and Outlogic over privacy breaches related to selling sensitive consumer GPS data without consent.

The settlement order hands down strict prohibitions on precise location data sharing alongside tougher technical safeguarding mandates that together establish a new high-water mark for privacy and ethical data handling accountability.

Here are five big takeaways for GRC professionals to be mindful of:

Broad Ban on Monetizing Sensitive Location Data

The order bans the sale of location data tied to sensitive venues like medical facilities, places of worship, and domestic abuse shelters. Deemed high-risk by the FTC, these sites could allow tracking of protected groups or activities, enabling potential emotional, physical, or social harm.

Analytics firms must now maintain restricted location lists and audit data flows to guarantee that no associated consumer GPS trails are ever externally commercialized or de-anonymized. Because raw location details remain identifiable, the FTC sees unpermitted sharing as an unchecked threat.

Opt-In Consent Mandatory for All Location Collection

Citing deceptive notice practices, the ruling requires explicit opt-in consent for all location data collection, not only for instances tied to sensitive sites.

Governance teams must revisit current app permission protocols, SDK integrator partnerships, and third-party data supplier relationships to ensure transparency about commercial uses. Any continued location harvesting without express user approval now courts action, given the expanded FTC prohibitions against misleading disclosures.

Orders Enhanced Due Diligence on Commercial Partners

The FTC also mandated stronger safeguards on location data after its initial sale to third-party industries. New principles require firms to audit partners and halt sharing with those unable to prove that compliant opt-in policies govern their location gathering.

For GRC leaders, this enlarged accountability across the supply ecosystem is a priority, as gaps at downstream partners could indirectly tarnish a firm's own record.

Individual Access and Deletion Rights Expanded

On top of the revamped handling rules, the order also upgrades individuals' transparency and control entitlements over historical location data by introducing rights around understanding who the commercial buyers are and around options for deleting their information.

While potentially spurring adjustments to data mapping and architecture planning to accommodate these access prerequisites, the shift removes the previous “free license” treatment for locations as a personally owned asset.

Signals Regulatory Expectations of Expansive Accountability

While the new rules directly target X-Mode and Outlogic, they indicate wider FTC expectations. The agency demands privacy and ethics embedded organization-wide for all firms monetizing personal data.

Preventing repeat unauthorized uses of location details requires comprehensive governance controls under executive supervision. The order sets a new norm in which data misuse has regulatory consequences.
