Data Brokers X-Mode and Outlogic Hit with Restrictions Over Sale of Sensitive Location Data
Data Brokers X-Mode and Outlogic Hit with Restrictions Over Sale of Sensitive Location DataIn an unprecedented move, the Federal Trade Commission (“FTC”) has cracked down on the practice of selling sensitive location data, taking action against data broker X-Mode Social and its successor, Outlogic. The settlement, which marks the first time the FTC has specifically targeted a data broker for the sale of sensitive geolocation information, outlines strict limitations on how these companies can collect, sell, and use location data moving forward. This is a major step toward greater privacy protections for consumers in an increasingly data-driven world.
The case began in January 2024 when the FTC unveiled its charges against X-Mode and Outlogic, accusing them of selling precise location data that could track individuals’ visits to sensitive locations like medical and reproductive health clinics, places of worship, and domestic abuse shelters. This was a significant case for the FTC, as it highlighted the risks of data brokers collecting and selling highly personal information without consumer consent.
X-Mode, based in Virginia, collected location data from a variety of sources, including its own mobile apps, third-party apps that incorporated its software development kit (“SDK”), and other data brokers. This data was then sold to hundreds of clients across industries such as real estate, finance, and marketing. The FTC alleged that the company did not adequately safeguard this sensitive data, nor did it ensure consumers knew how their location data was being used. In fact, until May 2023, X-Mode/Outlogic had no policies in place to remove sensitive locations from the data it sold.
The FTC’s complaint detailed several key issues with X-Mode’s practices. First, the data broker was found to be selling raw, un-anonymized location data that could easily be traced back to individual consumers. This data included specific locations, such as medical clinics or places of worship, that could reveal deeply personal information about individuals’ behaviors and beliefs. The complaint also accused X-Mode of failing to ensure third-party app developers fully disclosed how they would use the location data.
The charges went further, accusing the company of allowing its clients to use the data in ways that could lead to discrimination, harassment, and even physical harm. For example, data sold by X-Mode/Outlogic could be used to target individuals who visited reproductive health clinics or LGBTQ+ services, potentially exposing them to significant risks.
Additionally, the FTC highlighted that X-Mode/Outlogic failed to implement technical safeguards that would allow consumers to opt out of being tracked or to opt out of receiving personalized advertisements, which is a fundamental consumer right under privacy laws.
These practices violated the FTC Act, which prohibits unfair or deceptive practices. The FTC’s decision to take action underscores its increasing focus on the unregulated data broker industry and the need for stronger consumer protections.
In April 2024, the FTC finalized its order, imposing even stricter requirements on X-Mode and Outlogic. The companies are now prohibited from selling or sharing sensitive location data and must take steps to prevent any downstream misuse of consumer data. Among the key provisions of the order are:
-
Deletion of Sensitive Data. X-Mode and Outlogic must delete or render non-sensitive any previously collected location data unless they can obtain informed consent from consumers.
-
Consumer Control. The companies are required to provide consumers with a clear and simple method to withdraw their consent for data collection and to delete their data from commercial databases.
-
Enhanced Transparency. The companies must ensure consumers know exactly which third parties have access to their location data, and they must establish a system for consumers to request the identity of businesses or individuals who have purchased their data.
-
Ongoing Oversight. X-Mode/Outlogic is mandated to implement a comprehensive privacy program to safeguard consumer information and ensure compliance with the order.
This action not only puts significant pressure on X-Mode/Outlogic but also sends a clear message to other data brokers in the industry: selling sensitive location data without consumer consent is no longer acceptable.
The FTC said their action against X-Mode and Outlogic shines a light on the murky world of data brokers, who often operate in the shadows, collecting and selling personal information without consumers’ knowledge. These brokers have made billions by selling data that can reveal incredibly personal details about an individual’s life, from their health decisions to where they pray. As consumers become increasingly aware of how their data is being used, the pressure on businesses to respect privacy rights has only grown.
The FTC’s ruling is a strong reminder that location data is not just another commodity to be bought and sold. The privacy implications are immense, especially when the data can reveal sensitive aspects of a person’s life. This case highlights the need for robust consumer consent processes, transparency in data collection practices, and accountability for how data is used by third parties.
In the coming years, we can expect more scrutiny and regulation around location data, as this case sets a precedent for how the FTC will approach privacy violations in the data broker industry.
If you would like to read more about this case and others, visit Our Case Studies Library.
(Image Credit: iStock Photo)
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.