We all know the joke, you talk about buying something or visit somewhere and next thing, all you see are ads for that thing. Well, to no one’s surprise it seems that some data brokers are being less than scrupulous with your private data, and are using it in ways they shouldn’t be.
The Federal Trade Commission (FTC) has initiated legal proceedings against Gravy Analytics Inc. and its subsidiary Venntel Inc., accusing them of illegally tracking and selling consumer location data associated with sensitive sites. This action is part of the FTC’s ongoing efforts to regulate the handling of sensitive location data by data brokers. The proposed settlement order will prevent these companies from dealing in data linked to sensitive locations such as military sites, religious venues, and labor unions.
According to the FTC’s complaint, Gravy Analytics and Venntel violated the FTC Act by selling consumer location data without obtaining informed and verifiable consent from users. This data was allegedly used to generate lists of consumers attending events at health-related locations and places of worship, exposing them to potential privacy risks. The FTC claims that the companies continued to use this data despite being aware that consumers did not provide informed consent.
Gravy Analytics and Venntel are accused of acquiring location data from other suppliers and processing billions of signals daily from numerous mobile devices. The data, which the FTC claims is not anonymized, could potentially identify consumers and link them to sensitive characteristics such as health, political activities, and religious beliefs. The companies reportedly used geofencing technology to gather this data.
The proposed settlement order requires Gravy Analytics and Venntel to cease selling, sharing, or using sensitive location data except in cases involving national security or law enforcement. The order mandates the establishment of a sensitive location data program to identify and restrict the use of data linked to locations such as medical facilities, religious organizations, correctional facilities, and military sites. Additionally, the companies must delete all historical location data and related products.
Gravy Analytics and Venntel must also notify customers who have received location data in the past three years about the FTC’s requirement to delete or de-identify such data. The order includes a provision for retaining data only if it is de-identified or if consumer consent is obtained. The companies are further required to implement a supplier assessment program to ensure consent is secured for any data revealing precise consumer locations.
The FTC’s decision to issue the complaint and accept the consent agreement was unanimous. This is the fifth enforcement action by the FTC against data brokers for improper handling of sensitive location data. Previous actions include cases against companies like Kochava, X-Mode, and InMarket for similar violations. The FTC has also announced action against Mobilewalla for selling location data linked to sensitive sites.
The FTC will publish the consent agreement details in the Federal Register, allowing a 30-day public comment period before making a final decision on the order. For further details, visit the FTC’s website here.
