The Data Chronicles | The FTC’s focus on location data and the hidden collection of sensitive data

I'm Scott Loughlin, this is the Data Chronicles and here are your data points.

Today, we are discussing developments with respect to the FTC's views on the collection and use of sensitive location information.

In other words, the collection and use of information about where people are physically located or maybe where their devices are located. That type of data, the location data, has been a big issue for the FTC recently, especially over the course of 2024.

In the last year alone, the FTC has brought multiple actions surrounding the collection, use, and disclosure of location data against multiple companies, including in-market, where there was an allegation of unfair collection and use of location data to create audience segments

for advertising purposes, for gravy analytics, where there was an allegation of unfair selling of sensitive characteristics, things like health or medical information, political activities, or religious viewpoints, derived from consumer location.

And most recently, in December of 2024, there was an action against mobile walla, which is where I want to spend today. In that action, the FTC issued a press release where the FTC commissioner at the time, Lena Kahn, was quoted as saying that mobile walla exploited

vulnerabilities in the digital ad markets to harvest data at a large scale, and the FTC is cracking down on firms that unlawfully exploit people's sensitive location data to ensure that there is not large scale unchecked surveillance on Americans.

This action, especially when compared to the many other actions that they took in 2024 around location data, signals the first time that the FTC has alleged a section 5 violation based on the collection of consumer data from an RTB auction for purposes other than participating in

the auction. And as a result, it's also significant in that it shows the FTC is concerned

the auction. And as a result, it's also significant in that it shows the FTC is concerned about how downstream recipients of location data manage the collection of consumer consent by their upstream vendors.

To discuss these developments, I've invited my colleague, Ala Saladin, to the podcast. Ala is

a senior associate in the privacy and cybersecurity practice, and she spends much of her time working on ad tech and website technology issues, including represent clients on emerging FTC issues and in connection with FTC enforcement actions. Ala, welcome back to the podcast.

Thank you for having me, Scott. So, Ala, why don't we just jump right into understanding the mobile Walla case? Who is mobile Walla? And how is that they drew the scrutiny from the FTC?

Certainly. So mobile Walla is a data broker that aggregates and sells mobile device data, such as precise location data, mobile advertising IDs, and audience segments based on consumer interests and characteristics derived from the allocation data. Their business is largely B2B, and I think, importantly, they don't have direct relationships with consumers.

Instead, they acquire location data and mobile advertising IDs from other data brokers and, as alleged by the FTC, real-time bidding exchanges. Overall, consumers are likely unaware that mobile Walla is collecting or selling their information, and that is an important component here.

Walk me through how that works, right? Because if I'm understanding the allegation against them is that they themselves are not offering any products or services directly to individuals, but they are part of the larger ad tech advertising community online and would

be gaining access to certain types of data through these real-time bidding or RTB exchanges.

What type of information would be available through those exchanges, and what was it alleged that they have done when they had access to that type of data?

Yep, certainly. So with RTB exchanges, in the ad tech ecosystem and RTB exchange, it just allows advertisers to bid on open ad space on a publisher's platform in real time. At a high level, when a publisher has open ad space, it or others on its behalf may send a bid request

via an RTB exchange. Advertisers then get those bid requests, get information on the consumer who's landed on the publisher website, and in real time bid on whether they would like to send their advertisement over to that consumer as they navigate through the publisher's site.

So really what a mobile Walla is obtaining from the RTB exchanges is bid request information, whatever that may incorporate. And as relevant to the allegations here, the FTC is alleging that what it did was collect the bid request data, which included, at times, sensitive

location data about consumers, as well as mobile advertising IDs, which are tied to each consumer's individual mobile device. For iPhone, it's called an IDFA. For Android, it's an AAID. They effectively collected that data as participants in the ad tech ecosystem, even

AAID. They effectively collected that data as participants in the ad tech ecosystem, even where they did not win a bid request, they retained that data and used it for their own purposes, separately to sell to their own B2B customers.

Interesting. So in other words, they receive data in order to determine whether to make a bid to present an advertisement to a specific consumer. So in this case, let's say it's AAALA's website, and Scott is visiting their AAALA's website. You make ad space available on that

site. RTB solutions are in place for advertisers to then bid to present an ad to Scott, who

site. RTB solutions are in place for advertisers to then bid to present an ad to Scott, who is visiting your site. And then they get certain information relating to Scott in order to make that bid. And what was happening is that that information, effectively, whether they

decided to make a bid or they had the winning bid, they retained the information and then started to amass large quantities of data through that RTB exchange.

That's right. And importantly, about TC does point out that these RTB exchanges have contractual terms in place that prohibit entities from using bid request data for any purpose other than advertising purposes as part of the ad tech bidding process.

Here, MobileWall is alleged to have retained that data completely separate in part from those purposes and use it for its own non-advertising purposes, such as to create geoferences around home addresses of consumers, for example, for employers who wish to poach employees

from their competitors or to track work locations, union organizers, and otherwise to provide consumer information to government entities for governmental purposes.

So in other words, when they started to create all of this large database through this data harvesting, then then effectively used that data for other unrelated commercial purposes. And

as you described them earlier, effectively operating like that data broker capacity, where they would be selling that data or selling insights into that data or enabling other products and services leveraging that data.

Yes, that's right. And the FTC there alleged that this was an unfair practice, particularly given-- and they do highlight in particular the fact that the RTB exchange terms specifically prohibit this non-advertising use of bid request data.

And the exchange creates a framework that indicates, hey, anybody who's gaining access to this data, there are commercial rules effectively. This is not set as a matter of law. This

is set as a contract or set of terms that all of the participants in the exchange have to agree to. And what the FTC did wasn't necessarily say, hey, you violated a law by the

agree to. And what the FTC did wasn't necessarily say, hey, you violated a law by the collection of this information. It's just that you breached the terms of the participation itself. And because you did that, and then you used this personal data about individuals

itself. And because you did that, and then you used this personal data about individuals where they either didn't know it was happening or they didn't gain a sense, that that itself was an unfair trade practice?

Yes, and I think really the basis of this is that as a normal consumer going about my day, I would not necessarily expect for an entity like Mobile Wallet to be geofencing my home to identify my movements for purposes of selling that data to a competitor of my employer so

that they can coach me for work purposes or where I'm a union organizer, my comings and goings. And effectively, the whole concept of it is that it was unfair to consumers because

goings. And effectively, the whole concept of it is that it was unfair to consumers because consumers could not have prevented this. And it really did get to some sensitive sort of purposes overall, or uses, shall I say.

Yeah, interesting. I mean, I'm interested in trying to frame this because in some ways I can look at this and you'd say, all right, well, the implications for it are narrow, right? In

other words, don't collect information through an RTB exchange and then use that data in large scales to be able to do unrelated activities.

But I'm also thinking about the development in this space, especially in the ad ecosystem in light of the many other FTC-oriented cases that have also targeted that space. In particular,

the passive collection of information through different types of online tooling, online technologies, cookies, and pixels, and other similar types of technology, of which there were a number of other FTC cases during that period of time. So as I'm thinking about the

implications more broadly, one thing that jumps out is that oftentimes consumers don't have a clear visibility into that in general about all of the different types of ad tech tooling that is used to collect information about individuals' use of the internet and engagement with internet-based systems and applications.

Yeah, that makes perfect sense. Overall, I think the differentiator here is that where I go to Scott's website, Scott has an obligation to notify me and make their-- Scott's use of various web tracking technologies providing with necessary information, obtain any necessary

consent. And in that respect, I have a direct relationship with my visit to Scott's website.

consent. And in that respect, I have a direct relationship with my visit to Scott's website.

Here, the difference really more so is that consumers don't really have that ability to get notice from the wall of-- even understand that their data is being collected and used in these ways outside of the scope of what their general expectation may be.

Right. So I mean, that's a good and important distinction. So suppose that if you're just a standard website technology that's on there, then there may be some notice in the privacy notice or the privacy policy. Could be a specific cookie policy that's on there that describes how the operator of the website has implemented different types of cookie tracking

technologies and thus the consumer has some level of notice.

In this case, the exchanges had expressly prohibited the collection of this information in this way such that no operator of a website would have described what Mobile Walla was doing.

And Mobile Walla was effectively operating in the background, harvesting all of this information without any type of direct user engagement or any type of direct notice or transparency to the users.

Another component of the FTC complaint against Mobile Walla is an allegation of unfair collection and use of consumer location information without consent verification.

And this really gets to the issue where unlike in circumstances where a consumer is landing on Scott's website, let's say, and Scott is providing notice about use of web tracking technologies and any consent choices that may exist. Here, the FTC is alleging that with

Mobile Walla that does not have a direct relationship with consumers. What they failed to do is obtain consent verification from upstream vendors of the data. And this is important here because precise geolocation has long been on the FTC's radar as a sensitive data for which

the FTC expects some level of often consent. Allegations against Mobile Walla really are bad.

What it ought to have done is ensure through, for example, contractual assurances and ongoing due diligence that its upstream vendors of data were obtaining the appropriate consumer consent.

Yeah, I mean, that is an interesting point, which I think presents many implications for organizations because many organizations like Mobile Walla or others who are effectively operating like a B2B to C business are not in the position of getting consent.

And here, the FTC is saying, well, listen, you're not in the position of getting consent, but consent was still required. And so Mobile Walla in this scenario would have been required to have obtained assurances, conducted diligence, done other means by which they would have

obtained assurances that the relevant consents were in place for them to have engaged in this location-based targeting activity.

The complaint also alleges that Mobile Walla required data suppliers to complete an annual certification that consumers have provided their consent, but it failed to implement any procedures to verify the accuracy of those certifications or view data suppliers' notices to consumers.

And interestingly, the FTC alleges that Mobile Walla failed to monitor data suppliers' notices to consumers on an ongoing basis, just based on the idea that privacy notices on a website would generally disclose information about an entity's disclosure collection, sale of

data, but those notices may change over time. And the FTC is alleging overall that Mobile Walla should have done more diligence to review its data suppliers' notices to confirm that they did not change their data practices at any point in time.

So, in other words, just getting a contractual assurance and bearing it with inside of the agreement that the relevant consents have been obtained in the FTC's mind wasn't sufficient.

There would need to be more that would need to be taken place in order for Mobile Walla to appropriately rely on third parties to obtain the relevant consents for Mobile Walla to use the data in the way that it intended.

Yeah, really, the FTC, one of the very slight allegations is that Mobile Walla did not contractually require suppliers to obtain consent, but through various other allegations, it does appear to be that the FTC would have expected even more than just a contractual term and instead would have expected ongoing diligence to confirm that consent was obtained on an

ongoing basis and data suppliers' privacy practices did not shift over time.

Yeah, I mean, that's really interesting and has broader implications because that type of contract set of issues, I think, comes up with some frequency.

Maybe as I zoom out from this, I think I'm interested from your perspective, where do you see that the big takeaways are for businesses, especially those who are participating within the ad tech ecosystem coming from the Mobile Walla case?

Overall, it seems to me that the big takeaways are, companies should be on notice that use of, the collection use and disclosure of sensitive data, like precise location data in the real-time bidding ecosystem, should very much be solely for purposes of advertising or else

maybe viewed as an unfair practice under Section 5 of the FTC Act. And also, the larger takeaway, and I think the supplies more broadly, is that downstream data recipients are not necessarily off the hook and may need to confirm that their upstream data suppliers and partners have appropriate opt-in consent for their collection use and disclosure of consumer

location data and other sensitive data. While contractual provisions are important, they may not be enough and ongoing monitoring and diligence is very much expected, it seems, at least based on the FTC's case against Mobile Walla.

Yeah, and so, I think it also underscores the larger process of like, just because you have the data doesn't mean you have the right to use the data.

And because the data was being provided to you in the context of the RTV, didn't allow you to use the data for purposes outside of that relationship, obviously, without obtaining those additional assurances.

So, if we're thinking those are kind of two big takeaways, especially for the many organizations who participate in this system, and I'm interested to hear from your perspective about perhaps where this line of cases may go, because you know,

we'll now be in this position where there will be a change in leadership at the FTC.

We're recording this before the inauguration of Donald Trump as the next president of the United States, and we're expecting that there to be a new conservative majority within the FTC. Commissioner Ferguson will take over the chairmanship of the FTC itself.

FTC. Commissioner Ferguson will take over the chairmanship of the FTC itself.

And I understand that Commissioner Ferguson concurred in part with this decision and dissented in part, interested to see where the disagreement lies and whether there's anything that we can glean about how this type of facts may be viewed by a future FTC.

Certainly. And before I jump into the differentiator between Ferguson FTC and the current administration, I will raise that another allegation in the FTC's complaint is around the unfair targeting based on sensitive characteristics. So, beyond the fact that mobile wallet

collected and sold precise location data that could be used to identify consumer visits to sensitive locations, the FTC alleges that mobile wallet engaged on fair practices by creating sensitive audience segments based on sensitive characteristics derived from location data.

So, for example, creating audience segments, as noted in the complaint around pregnant women or Hispanic churchgoers or members of the LGBTQ community, and then selling that data to other third parties.

I think that goes in a little bit to what we may expect to see from a Ferguson commission, where as you know, Scott first ended concurrent part and dissented in part in this mobile wallet decision. He did agree that the collection use and disclosure of precise location data

wallet decision. He did agree that the collection use and disclosure of precise location data requires consent. And again, that has long been held as an FTC position.

requires consent. And again, that has long been held as an FTC position.

He dissented and so far, he noted the FTC act does not prohibit a company that has lawfully obtained that data with consent from analyzing the data and drawing conclusions from it. So,

even if those are sensitive inferences, so kind of to backtrack that a little, say it more clearly, Ferguson agrees that the FTC act prohibits the collection of and selling a precise location data without consent. But he does not agree that the FTC act prohibits the company that has lawfully obtained that data with consumer consent from

them using that data to create sensitive inferences about consumers.

Got it. So, you know, the areas where, you know, if you had originally obtained the data with in a lawful way, then, you know, the ongoing processing of that information analysis of that information to identify those sensitive groups or arguably sensitive groups and inferences

that would designate one person to reside in a sensitive group or not reside in a sensitive group, that that itself wasn't going to result in an unfair trade practice. But that's almost besides the point because the underlying activities around the collection of information,

sensitive information without the consent of the individual itself would have been an unfair trade practice. And that's something that the that

trade practice. And that's something that the that Commissioner Ferguson agreed with who also voted in favor of this order.

Yes, that's right. So, overall, it would seem to me that the takeaway is a company that has lawfully obtained often consent for its collection sale of precise location data may then use that data to draw whatever conclusions that may so choose about an individual based on that

information. And that subsequent creation of a sensitive data

information. And that subsequent creation of a sensitive data inference is not does not in itself require that often consent.

Yeah. And in doing so, right, I think what the another key theme and interested in your thoughts is that while there has been a lot of focus over the course of the past couple of years, as you well know, around the uses of website tracking technologies, cookies and pixels

on websites and the legal issues that that may create either in litigation under wiretap rules or in connection with regulatory enforcements for things like violations of Section five, that may not be going away. Because even under new conservative leadership, because

many of the underlying allegations that would have given rise to cases like good or X or better help or the line of the cases that followed those have similar themes, right? In other

words, the collection, the passive collection of what would arguably be sensitive information relating to what individuals are seeing online, and whether that can be then indicative of an underlying health condition, or an underlying area of mental health treatment, you know, all

of those then could be seen as the collection of sensitive information without the consent of the individual, you know, just looking into the future, and this very much remains to be seen, my sense, at

least for person and the other current Republican commissioner of the FTC Holyoke, is that their sense would be in connection with those better health and good or X line of cases, that perhaps the collection of sensitive data element, BOW tracking technology in and of itself

would require the often consent, but a consumer landing on a random web page that discusses a certain health condition doesn't necessarily require the option consent in and of itself, because there's another step that needs to be taken to infer that, okay, this consumer may have this condition, but at the same time, others may

also land on that web page, we don't have the condition, researchers, students who are hoping to learn more about an issue.

So I think it's really the disconnect is there in the logical leap that's required to get to the sensitive data inference.

Right. Like in other words, whether the information on itself would be suggestive of a sensitive condition versus the inferences that would need to be made about the viewer of that site as to whether that person, you know, belong to a sensitive class, which in some ways,

you know, has already been the source of the litigation, you know, especially surrounding the HHS guidance and OCR guidance about how HIPAA would apply on these websites, which very much focused on that same distinction.

And thus, you know, that could be an area that where you may start seeing some at least consensus view about, you know, how a parent is the data on its face sensitive versus what logical leaps or inferences are going to be made to be able to determine whether the data is

sensitive or not. But at least with respect to location data that in the FTC's mind is sensitive information. And that much like other sensitive data doesn't require a lot of

sensitive information. And that much like other sensitive data doesn't require a lot of logical leaps. But it does mean that that requires consent. And it sounds like also needs to

logical leaps. But it does mean that that requires consent. And it sounds like also needs to have some level of assurances that if you're not collecting the consent itself, that you're obtaining the consent through others. And that needs to be more than just having them tell you that they did it.

Yes, that's right. And really, location data is sensitive in and of itself, presumably because where you go very much is indicative of who you are. So to know where I live, where I travel, where I work, and creating a net impression of who I am based on that information, it

just overall, it reveals a lot of information about a consumer in and of itself without the need to go through the logical leaps to create an inference around that.

Well, I really appreciate your sharing your insights on the Mobile Walla case, including kind of the many others that preceded it. I appreciate your perspective on this. And I'm sure it's an area that we will continue to watch and see whether the trends that we've identified in

2024 will continue in the new administration, or whether there will be new areas of priority.

So I appreciate your sharing your views with our audience.

Thanks, Scott. Thank you for having me.

With that, I'm Scott Lachlan. This is The Data Chronicles, and those were your data points.