January 19, 2024

Issue 32 — You’re not gonna SDK your way to their clinics and synagogues, says FTC

Oh Hey! Welcome to The Privacy Beat Newsletter!

Here’s the gist: Written by longtime privacy journalist Angelique Carson, director of content strategy at TerraTrue, you can come here for insights on the hottest topics in privacy. Told through some of our peers’ social posts, this quick read aims to arm you with the knowledge you need to walk into any happy hour or team meeting and sound like the absolute baller you are. No current topic gets by you!

Hello everyone! Angelique here. It’s snowing in DC right now. Enough snow to build things out of it. I’m in my glory. I’m writing to you from my desk, which is directly next to a window that provides a front-row seat to the falling flakes. Winter is the best.

But there’s so much going on in privacy news. This week was on crack. I’ll try to distill it so we can digest it easily. No Tums required.

FTC told data brokers ‘winter is coming,’ wasn’t kidding

The FTC has had a busy January. And it turns out it wasn’t kidding when it alerted the data broker industry it would soon study any collecting or selling of sensitive location data. Within two weeks, the agency brought the hammer down on two data brokers, banning both from selling or licensing precise geolocation data and profiling people based on sensitive data “like where they worship.” It’s a big deal because it’s the first time the FTC has banned selling or licensing precise location data.

The FTC settled its case with Texas-based data broker InMarket Media this week. The agency said InMarket failed to obtain informed consent from users of its shopping apps when it requested to use their location data. In addition, InMarket collects data from third-party apps incorporating its SDK, or software development kit, a little tech bundle allowing mobile apps to track users. The FTC said InMarket uses that data to cross-reference consumers’ location histories to lump them into buckets of audience segments for targeted advertising.

However, its privacy notice said it would use the data for the app’s functionality. It didn’t disclose that it would combine it with other data and use it for targeted advertising.

In a similar case last week, the FTC punished X-Mode, which has since re-branded as Outlogic. Billing itself as the “2nd largest U.S. location data company,” X-Mode was selling precise geolocation data about consumers who visited women’s reproductive clinics, domestic abuse shelters, and places of religious worship.

Using that data, third parties could (ostensibly) target a person by tracing their mobile device to a single-family residence.

X-Mode was collecting data through its own apps, through SDKs embedded within third-party partners’ apps, and by purchasing location data from other data brokers.

The FTC alleges X-Mode didn’t inform its users how it would use their location data, nor did the third parties hosting its SDK. Without those disclosures, neither X-Mode nor its partners could claim informed consumer consent.

The FTC said X-Mode didn’t anonymize the data it compiled and sold. Until 2023, the company didn’t have policies to remove sensitive locations from the raw location data it doled out, and it didn’t implement safeguards to ensure how its clients used that data.

Here’s part of the FTC’s blog post on the settlement:

The thread here is the FTC enforcing on SDKs and the sensitive location data of which they’re stewards. Interestingly, and I hadn’t seen this before, the FTC’s latest orders require both X-Mode (now Outlogic) and InMarket to develop and maintain an “SDK supplier assessment program to ensure that companies that provide location data to InMarket via its SDK are obtaining informed consent from consumers,” or else stop using the information.

I think these cases are pretty cool. It’s the FTC doing what it said it was going to do. After the Dobbs decision, President Biden told the agency to protect individuals’ health privacy, particularly when it involves trips to sensitive locations, and it put data brokers in particular on notice. It also nods to its ongoing rulemaking on “commercial surveillance.”

The FTC’s Samuel Levine even dropped an Easter egg in his post on the InMarket settlement.

If you want more on this, check out Odia Kagan’s post, where she notes the settlements highlight that the FTC won’t tolerate vague disclosures giving a company free license to use or sell data. And, perhaps more importantly: “You are your client’s keeper.” You must enforce that your third parties are getting informed consent or stop the usage, people.

You must have a separate notice under My Health My Data

New Jersey: The 13th state to pass a privacy law

New Jersey has entered the chat!

Becoming the 13th U.S. state to do so, it passed a comprehensive privacy law, Senate Bill 332, on Jan. 8, the final day of the state’s legislative session.

According to David Stauss at Husch Blackwell, an excellent source for state privacy law debriefs, the bill is comparable to the Washington Privacy Act model with some slight variations: For example, it includes financial information as a category of personal data, but doesn’t include consumer health data. Also, it doesn’t require controllers to provide a homepage link allowing consumers to opt out of targeted advertising or the sale of their data.

For more on this, read the law, you know? It’s too much.

New Hampshire, too?!

Quick on New Jersey’s heels, New Hampshire passed a comprehensive privacy law. It’s the fourteenth state to do so since California, the influencer that it is, passed the CCPA and started the trend.

I could tell you the highlights of the New Hampshire bill, but Stauss already did that for us. What a guy!

See below.

Latest podcast episode!

In this podcast episode, I chat with longtime friend Ruby Zefo, Uber’s CPO. The two discuss Ruby’s working relationship with product & engineering, the unique challenges a company like Uber faces, and why she’s so focused on diversity, equity, and inclusion in the name of raising everyone’s boats.

Listen here!

Hot take of the week

Thanks for reading! See you soon. Stay warm!

xo,
Angelique

*paraphrase