SUPPLEMENTARY INFORMATION:

Pursuant to section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule § 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of 30 days. The following Analysis to Aid Public Comment describes the terms of the consent agreement and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained at https://www.ftc.gov/​news-events/​commission-actions.

You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before January 6, 2025. Write “Gravy Analytics; File No. 212 3035” on your comment. Your comment—including your name and your State—will be placed on the public record of this proceeding, including, to the extent practicable, on the https://www.regulations.gov website.

Because of heightened security screening, postal mail addressed to the Commission will be subject to delay. We strongly encourage you to submit your comments online through the https://www.regulations.gov website. If you prefer to file your comment on paper, write “Gravy Analytics; File No. 212 3035” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Mail Stop H-144 (Annex G), Washington, DC 20580.

Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure your comment does not include any sensitive or confidential information. In particular, your comment should not include sensitive personal information, such as your or anyone else's Social Security number; date of birth; driver's license number or other State identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure your comment does not include sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule § 4.10(a)(2), 16 CFR 4.10(a)(2)—including competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule § 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule § 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the https://www.regulations.gov website—as legally required by FTC Rule § 4.9(b)—we cannot redact or remove your comment from that website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule § 4.9(c), and the General Counsel grants that request.

Visit the FTC website at https://www.ftc.gov to read this document and the news release describing the proposed settlement. The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments it receives on or before January 6, 2025. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/​site-information/​privacy-policy.

Analysis of Proposed Consent Order To Aid Public Comment

The Federal Trade Commission (“Commission”) has accepted, subject to final approval, an agreement containing a consent order from Gravy Analytics, Inc. (“Gravy Analytics”) and Venntel, Inc. (“Venntel,” and collectively with Gravy Analytics, “Respondents”). The proposed consent order (“Proposed Order”) has been placed on the public record for 30 days for receipt of public comments from interested persons. Comments received during this period will become part of the public record. After 30 days, the Commission will again review the agreement, along with the comments received, and will decide whether it should make final the Proposed Order or withdraw from the agreement and take appropriate action.

Gravy Analytics and Venntel are Delaware corporations with their headquarters in Virginia. Respondent Venntel is a subsidiary of Gravy Analytics. Gravy Analytics and Venntel are data brokers that collect and sell precise geolocation data about consumers' mobile devices.

Gravy Analytics does not collect data directly from consumers. Rather, it purchases precise geolocation data and other personal data for its products from other data suppliers, including other data aggregators. Gravy Analytics offers several data products to its customers. These products include transfers of batch location data, consisting of a unique persistent identifier for the mobile device called a Mobile Advertiser ID (“MAID”) and timestamped latitude and longitude coordinates; audience segments, which are groupings of MAIDs that purportedly share similar traits based on the locations or events the mobile devices and MAIDs have visited; and an online application programming interface that, among other things, enables Gravy Analytics' customers to geofence locations. Gravy Analytics makes its data products available to commercial customers, such as marketers, other data brokers, stores, and other commercial entities.

Venntel obtains mobile location data from Gravy Analytics exclusively. Venntel offers batch transfers of location data and allows customers to geofence specific locations. Venntel also offers its customers access to an online application programming interface through which its customers may search for devices that visited specific ( print page 96988) locations, obtain device information about a particular mobile phone, or obtain location data for individual devices. Venntel sells its data products only to public sector customers, such as government contractors.

The Commission's proposed three-count complaint alleges Respondents violated section 5(a) of the FTC Act by (1) unfairly selling sensitive location data and (2) unfairly collecting, using, and transferring consumer location data without consent verification; and that Gravy Analytics violated section 5 of the FTC Act by (3) unfairly selling inferences about consumers' sensitive characteristics derived from location data.

With respect to the first count, the proposed complaint alleges Respondents sold location data associated with persistent identifiers, such as MAIDs, that could be used to track consumers to sensitive locations, such as medical facilities, places of religious worship, places that may be used to infer an LGBTQ+ identification, domestic abuse shelters, and welfare and homeless shelters. For example, by plotting timestamped latitude and longitude coordinates associated with mobile devices using publicly available map programs, it is possible to identify which consumers' mobile devices visited medical facilities and when.

With respect to the second count, the proposed complaint alleges Respondents failed to verify that their data suppliers obtained informed consent from consumers to have the consumers' location data collected, used, and sold. Respondents' primary mechanism for ensuring that consumers have provided appropriate consent is through contractual requirements with their suppliers. However, contractual provisions, without additional safeguards, are insufficient to protect consumers' privacy.

With respect to the third count, the proposed complaint alleges it was an unfair practice for Gravy Analytics to sell inferences about consumers' sensitive characteristics derived from their location data. Gravy Analytics created custom audience segments for customers based, for example, on consumers' attendance at a cancer charity run and based on consumers' church attendance, and has also offered standard audience segments based on medical decisions and political activities.

The proposed complaint alleges that Respondents could have addressed each of these failures by implementing certain safeguards at a reasonable cost and expenditure of resources. The proposed complaint alleges Respondents' practices caused, or are likely to cause, substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. Such practices constitute unfair acts or practices under section 5 of the FTC Act.

The Proposed Order contains injunctive relief designed to prevent Respondents from engaging in the same or similar acts or practices in the future. Part I prohibits Respondents from misrepresenting the extent to which: (1) Respondents review data suppliers' compliance and consent frameworks, consumer disclosures, sample notices, and opt in controls; (2) Respondents collect, maintain, use, disclose, or delete any covered information, and (3) the location data that Respondents collect, use, maintain, or disclose is deidentified.

Part II prohibits Respondents from selling, licensing, transferring, sharing, disclosing, or using sensitive location data in any products or services. Sensitive locations are defined as those locations in the United States associated with (1) medical facilities ( e.g., family planning centers, general medical and surgical hospitals, offices of physicians, offices of mental health physicians and practitioners, residential mental health and substance abuse facilities, outpatient mental health and substance abuse centers, outpatient care centers, psychiatric and substance abuse hospitals, and specialty hospitals); (2) religious organizations; (3) correctional facilities; (4) labor union offices; (5) locations of entities held out to the public as predominantly providing education or childcare services to minors; (6) associations held out to the public as predominantly providing services based on racial or ethnic origin; (7) locations held out to the public as providing temporary shelter or social services to homeless, survivors of domestic violence, refugees, or immigrants; or (8) military installations, offices, or buildings. This prohibition does not apply to sensitive location data used to respond to or prevent data security incidents, for national security purposes conducted by Federal agencies or other Federal entities, or for response by a Federal law enforcement agency to an imminent risk of death or serious bodily harm to a person. Part III requires that Respondents implement and maintain a sensitive location data program to develop a comprehensive list of sensitive locations and to prevent the use, sale, license, transfer, sharing, or disclosure of sensitive location data.

Part IV requires that Respondents establish and implement policies, procedures, and technical measures designed to prevent recipients of Respondents' location data from associating consumers with locations predominantly providing services to LGBTQ+ individuals, locations of public gatherings of individuals during social demonstrations, marches, or protests, or using location data to determine the identity or location of an individual's home. Part V requires that Respondents notify the Commission any time Respondents determine that a third party shared Respondents' location data, in violation of a contractual requirement between Respondents and the third party.

Part VI requires that Respondents must not collect, use, maintain, and disclose location data: (1) when consumers have opted-out, or otherwise declined targeted advertising and (2) without a record documenting the consumer's consent obtained prior to the collection of location data. Part VII requires that Respondents implement a supplier assessment program designed to ensure that consumers have provided consent for the collection and use of all data obtained by Respondents that may reveal a consumer's precise location. Under this program, Respondents must conduct initial assessments of all their data suppliers within 30 days of entering into a data sharing agreement, or within 30 days of the initial date of data collection. The program also requires that Respondents confirm that consumers provided consent and create and maintain records of suppliers' assessment responses. Finally, Respondents must cease from using, selling, or disclosing location data for which consumers have not provided consent.

Part VIII requires that Respondents provide a clear and conspicuous means for consumers to request the identity of any entity, business, or individual to whom Respondents know their location data has been sold, transferred, licensed, or otherwise disclosed or a method to delete the consumers' location data from the databases of Respondents' customers. Respondents must also provide written confirmation to consumers that the deletion requests have been sent to Respondents' customers.

Part IX requires that Respondents provide a simple, easily-located means for consumers to withdraw any consent provided and Part X requires that Respondents cease collecting location data within 15 days after Respondents receive notice that the consumer withdraws their consent. Part XI also ( print page 96989) requires that Respondents provide a simple, easily-located means for consumers to request that Respondents delete location data that Respondents previously collected and to delete the location data within 30 days of receipt of such request unless a shorter period for deletion is required by law.

Part XII requires that Respondents: (1) document and adhere to a retention schedule for the covered information they collect from consumers, including the purposes for which they collect such information, the specific business needs, and an established timeframe for its deletion, and (2) prior to collecting or using any new type of information related to consumers that was not previously collected, and is not described in its retention schedule, Respondents must update their retention schedules. Part XIII requires that Respondents delete or destroy all historic location data and all data products developed using this data. Respondents have the option to retain historic location data if they have records showing they obtained consent or if they ensure that the historic location data is deidentified or rendered non-sensitive. Respondents must inform all customers that received location data from Respondents within 3 years prior to the issuance date of this Order of the Commission's position that such data should be deleted, deidentified, or rendered non-sensitive. Part XIV requires Respondents to establish and implement, and thereafter maintain, a comprehensive privacy program that protects the privacy of consumers' personal information.

Parts XV-XVIII are reporting and compliance provisions, which include recordkeeping requirements and provisions requiring Respondents to provide information or documents necessary for the Commission to monitor compliance. Part XIX states that the Proposed Order will remain in effect for 20 years, with certain exceptions.

The purpose of this analysis is to facilitate public comment on the Proposed Order, and it is not intended to constitute an official interpretation of the complaint or Proposed Order, or to modify the Proposed Order's terms in any way.

Statement of Commissioner Alvaro M. Bedoya Joined by Chair Lina M. Khan and Commissioner Rebecca Kelly Slaughter in Full and Commissioner Melissa Holyoak in Part I

I. The Porous Line Between Government and Private Surveillance

Any first-year constitutional law student will tell you that the distinction between a government agent and private actor is paramount: the Fourth Amendment corrals the former but not the latter. For the people being watched, that line is porous if not irrelevant.

Governments have long relied on private citizens for work that would be impractical or illegal for law enforcement. Elizabeth I prided herself on seeing and hearing all in her realm, famously sitting for one of her final portraits in a gown embroidered with human eyes and ears.^[1] Her ministers achieved that surveillance through a much-feared system of agents and spies,^[2] as well as a quieter network of local clergy who tracked the weekly church attendance of converted Catholics and the Separatist Puritans we now know as Pilgrims.^[3] Her successor, James I, went further, offering bounties to any of his subjects who reported practicing Catholics.^[4]

The governor of Plymouth Colony, William Bradford, would later recount what forced him and his fellow migrants to travel, first to the Netherlands and then to the New World. They were “hunted & persecuted on every side,” he wrote. While “some were taken & clapt up in prison, others had their houses besett & watctht night and day[.]” ^[5]

Four-hundred years later, those loose networks of citizen-informants have been succeeded by a digitized, automated, and highly profitable industry of commercial data brokers that “artfully dodge[ ] privacy laws.” ^[6] In 2001, the Electronic Privacy Information Center used the Freedom of Information Act to survey Federal law enforcement agencies' reliance on those firms.^[7] They determined that this network of data brokers allows law enforcement to easily and warrantlessly “download comprehensive dossiers on almost any adult.” ^[8] They warned that “[i]f we are ever unfortunate enough to have George Orwell's Big Brother in the United States, it will be made possible by the private sector.” ^[9]

This complaint and proposed settlement concern two contemporary peers of those data brokers, Gravy Analytics, Inc. and its subsidiary, Venntel, Inc. (“Respondents”). The Commission alleges these companies collect, aggregate, and sell precise geolocation data from roughly one billion mobile devices.^[10] According to public reporting, Venntel's customers have included American law enforcement.^[11]

( print page 96990)

II. The Respondents' Privacy Invasions Clearly Violate Section 5 of the FTC Act

You may not know anything about Gravy Analytics, but Gravy Analytics may know quite a bit about you.

Do you eat breakfast at McDonald's? Do you buy CBD oil? Did you recently buy lingerie? Are you pregnant? Are you a stay-at-home parent? Are you a Republican? A Democrat? Are you in the pews every Sunday in Charlotte? Or Atlanta? Have you recently attended an event for breast cancer? Are you a blue-collar Gen X parent and golf-lover who has recently been looking into Medicare?

These are just a few of the 1,100 labels that the Commission alleges that Gravy Analytics appended to individual consumers so as to sell their bundled data to private companies for targeted advertising—or to better understand the “persona” of any given individual whose data a company has requested.^[12] According to our complaint, Respondents actively encouraged their customers to identify individual people using the data they sold.^[13]

In the complaint, the Commission alleges that the Respondents' 1) sale of data tying consumers to sensitive locations, (2) collection and use of geolocation data without verifying that it was obtained with consumers' informed consent, and (3) the sale of sensitive inferences about those consumers' “medical conditions, political activities, and religious beliefs,” among other things, constitute unfair trade practices prohibited by section 5 of the Federal Trade Commission Act.

I agree with my colleague Commissioner Holyoak that the specific practices alleged in the complaint meet the threshold for “substantial injury” under section 5.^[14] More than a decade ago, the Commission issued a final report offering guidance to businesses on protecting the privacy of American consumers.^[15] That report classified “precise geolocation” as a type of “sensitive information,” and urged companies to obtain people's affirmative express consent before collecting it.^[16] As the District Court of Idaho affirmed last year, collection and disclosure of precise geolocation is a violation of privacy—itself an injury.^[17] It can further lead to stigma, harassment, and even physical danger.^[18]

This is the fourth recent Commission action and third settlement brought to stop the nonconsensual collection and sale of geolocation data.^[19] In my view, the illegality of this conduct is more than clear.

III. Venntel's Sales of Location Data Undermine Established Fourth Amendment Protections

According to our complaint, Respondent Venntel “markets to its public sector customers that the location data and these enhanced tools can be used for government purposes.” ^[20] Public reporting suggests that these government clients have included Federal law enforcement agencies like the Department of Homeland Security (DHS), the Drug Enforcement Administration (DEA), the Federal Bureau of Investigation (FBI), and the Internal Revenue Service (IRS).^[21] This poses an important question: Can a collection of precise geolocation data that otherwise violates section 5 be cured by a potential future law enforcement use of that data?

I think the answer is “no.” Section 5 makes no mention of such a circumstance, but it does expressly call on the Commission to consider “countervailing benefits to consumers” from the practice in question, and further permits the Commission to weigh “established public policies as evidence to be considered with all other evidence” when declaring a practice unfair.^[22]

In 1928, Justice Louis Brandeis, one of the architects of this Commission, warned against formalistic interpretations of the Fourth Amendment. “Clauses guaranteeing to the individual protection against specific abuses of power must have a . . . capacity of adaptation to a changing world,” he wrote.^[23] For the last 60 years, since the Katz court's declaration that the Fourth Amendment “protects people, not places,” the Supreme Court has more or less heeded that call.^[24]

In Kyllo, the Court found that a thermal imaging device that allowed law enforcement to track activities inside a home constituted a search under the Fourth Amendment—even though it involved no trespass into the home.^[25] In Riley, the Court refused to equate the search of someone's cellphone with searches of their purse or wallet or any other physical items people carry.^[26] Most relevantly, in Carpenter, the Court held that citizens have a reasonable expectation of privacy in extended cell-site location records of their movements, irrespective of the fact that the data accessed by the government was disclosed to and held by a commercial third party, and further held that the government must generally obtain a warrant before acquiring such records.^[27]

Look at the cell-site location data in Carpenter; look at the data in question here. It's basically the same data. In some ways, the Respondents' data is more invasive.

The cell-site records in Carpenter could place an individual “within a wedge-shaped sector ranging from one-eighth to four square miles”; ^[28] Respondents' data locates people down to a meter.^[29] Cellphone carriers maintain location records for five years, and Federal agents obtained a total of 129 days of geolocation data—although the Court held that accessing just seven days of data constitutes a Fourth Amendment search.^[30] The Respondents can draw on three years of data, and Venntel offers its clients the ability to “continuously” track a person's phone for 90 days.^[31] The Carpenter court warned that cell-site geolocation records ( print page 96991) can reveal a person's “familial, political, professional, and sexual associations”—a phrase that might as well be Respondents' marketing slogan.^[32]

To make this plain: Carpenter said that to get this data, you need a warrant; Venntel lets them get it without a warrant. I cannot see how this is a “countervailing benefit to consumers.” It certainly contravenes “established public policy.”

Looking beyond Carpenter, a panoply of statutes sets out a range of safeguards against the government's untrammeled collection of Americans' sensitive data. The Wiretap Act requires warrants to authorize wiretapping and interception of communications.^[33] The Stored Communications Act protects the privacy of subscribers' information held by internet service providers and established procedures for government access by warrant, subpoena, court order, or written consent.^[34]

Both of those laws concern oral or written communications; one may assume that Congress would want to protect this data. Consider that if law enforcement wants YouTube to disclose the name of a single video that I have watched online, Federal statute requires that they get a warrant, grand jury subpoena, or a court order.^[35] Similarly, the Cable Act provides that cable subscribers' personally identifiable information, such as their viewing habits, cannot be disclosed without their consent, except in the case of a court order.^[36]

Admittedly, there is active debate around whether these statutes impose the correct degree of protection in light of the Fourth Amendment. That said, the correct degree is clearly not zero.

IV. The Proposed Order

Speaking generally, the proposed order prohibits Respondents from disclosing sensitive location data in any of its products or services.^[37] Sensitive location data includes, inter alia, medical facilities, religious buildings, schools and daycares, domestic violence shelters, and military facilities.^[38] The order also directs Respondents to ensure that their clients do not use their data to track people to political protects, or to locate someone's home.^[39] The order requires that Respondents not collect any data from consumers that have opted out of targeted advertising via their operating system, and will block them from collecting, using, or disclosing geolocation data without proof that people have agreed to that.^[40]

Like the Court in Carpenter, the proposed order recognizes that not all government uses of geolocation data are alike.^[41] It has exceptions for the disclosure of geolocation data for certain bona fide national security and data security purposes, including countering espionage and disrupting cyber threats from foreign “nation states, terrorists, or their agents or proxies.” ^[42] It also has exceptions for Federal law enforcement agencies responding “to an imminent risk of death or serious bodily harm to a person.” ^[43]

Unless one of these special exceptions applies, agencies like DHS, DEA, FBI, and IRS will not be able to use Venntel to warrantlessly track people to church, to the doctor, to school, to protests, or to their homes. And Venntel will soon not be able to trade in any geolocation data without the consent of the people being tracked.

Concurring Statement of Commissioner Melissa Holyoak Joined in Part by Commissioner Alvaro M. Bedoya (Section I Only)

I support today's settlement with two location data broker companies—Respondents Gravy Analytics, Inc. (“Gravy”) and its subsidiary, Venntel, Inc. (“Venntel”)—to resolve allegations that Respondents: packaged and sold consumers' precise geolocation data to third parties, revealing consumers' visits to places of worship, medical facilities, and political gatherings (Count I); failed to employ reasonable procedures to verify that geolocation data obtained from third parties had been collected with appropriate consumer consent (Count II); and created and sold “audience segments” based on consumers' religious beliefs, political leanings, and medical conditions that had been derived from precise geolocation data (Count III).^[1] Staff are to be commended for their efforts and hard work in resolving this matter.

My statement proceeds in two parts: Section I discusses Respondents' collection and sale of consumers' precise geolocation data to third parties and the alleged direct and cognizable harms resulting from that conduct. Section II outlines my views on the necessity, efficacy, and scope of the Proposed Order's injunctive provisions and my interpretation of Count III of the Complaint.

I. The Alleged Harms From Respondents' Conduct

I start by recounting Respondents' alleged conduct here. The Complaint alleges that Respondents collected and purchased vast amounts of consumers' precise geolocation information from third-party data suppliers and mobile applications.^[2] Through these various suppliers and applications, Respondents claimed to collect, process, and curate over 17 billion signals from approximately a billion mobile devices on a daily basis.^[3] Respondents allegedly packaged and sold this geolocation data—in both raw and enriched formats—along with other persistent identifiers to different commercial entities and government clients.^[4] The Complaint also alleges that Gravy separately offered commercial entities curated “audience segments” for targeted advertising, sometimes based on consumers' perceived religious beliefs, political leanings, and medical ( print page 96992) conditions derived from insights about their geolocation data.^[5]

I am gravely concerned about the potential harms stemming from the sale of consumers' geolocation data,^[6] and in certain instances, these harms may constitute a “substantial injury” under section 5 of the FTC Act.^[7] Here, the Complaint alleges that Respondents' sale of consumers' precise geolocation data in certain circumstances enabled their third-party clients to directly track individual consumers' movements at sensitive “geo-fenced” locations, such as places of worship, medical facilities, and political events, with no guardrails or oversight.^[8] The Complaint further alleges that this practice directly revealed consumers' political, religious, and medical activities, and thus, constitutes a “substantial injury” under section 5.^[9] I agree. As I explained in the Kochava action, selling “precise geolocation information revealing political, medical, or religious activities, without consumers' consent to willing purchasers, . . . breaches [consumers'] trust and jeopardizes Americans' freedoms.” ^[10] Thus, under these circumstances, the alleged sale of consumers' precise geolocation information—data obtained from third-party suppliers without consumers' knowledge and appropriate consent—meets the threshold for alleging “substantial injury” under section 5.^[11]

In addition, consumers' precise geolocation data can be easily misused by law enforcement to impinge on basic freedoms under the United States Constitution, including Americans' Fourth Amendment rights against wrongful government surveillance.^[12] I share Commissioner Bedoya's concerns about this practice and the harms it poses to Americans.^[13] The continued misuse of geolocation data by law enforcement is an ongoing and extant threat to Americans' civil liberties.^[14] Moreover, foreign actors can readily purchase precise geolocation data about Americans, including our active-duty military personnel, with no oversight or guardrails, which can pose serious national security and counterintelligence risks.^[15]

Although I firmly believe that a comprehensive solution for the sale and disclosure of consumers' geolocation information requires Congressional action,^[16] the Commission should not shy away from using all available enforcement tools in the interim to address the evolving practices in the location data broker industry. The Commission should also investigate how location data brokers share geolocation data about Americans with foreign or malign actors. And where the facts warrant it, the Commission should consider stronger injunctive remedies in those cases, including restrictions that prevent or impede the sale of geolocation data about Americans, especially our servicemembers and their families, to bad actors overseas.

II. The Proposed Order and Count III of the Complaint

I also write separately today to share my views on the Proposed Order's injunctive provisions and my interpretation of Count III of the Complaint (Unfair Sale of Sensitive Inferences Derived from Consumers' Location Data). To begin with, let me be clear: my vote for today's settlement should not be read as a full-throated endorsement of the Proposed Order in its entirety or every allegation in the Complaint. I have serious concerns about whether the Commission could obtain many of the Proposed Order's injunctive provisions in a contested litigation.^[17] Indeed, while the Federal district court in the Kochava litigation may address the propriety of various types of injunctive relief from the Proposed Order in the coming months, I will continue to reserve judgment here. I also have questions about the necessity and efficacy of the injunctive provisions found in Sections VI, VII, and IX, ^[18] ( print page 96993) which first appeared in the X-Mode Social matter before my arrival at the Commission.^[19] As we turn the page on the last four years, the Commission should comprehensively examine the utility of the type of injunctive relief found in today's Proposed Order in the future and implement changes where warranted.^[20]

A. Proposed Order

While today's settlement is not perfect by any measure, several provisions in the Proposed Order will mitigate the harms resulting from Respondents' allegedly unlawful practices— i.e., the disclosure of consumers' political, religious, and medical activities. Critically, the Proposed Order will prohibit the unauthorized sale or disclosure of “Sensitive Location Data”—geolocation data associated with military installations and buildings, medical facilities, religious organizations, childcare and education services, and many others—to third parties.^[21] It also requires Respondents to implement a “Sensitive Data Location” program, as well as prophylactically avoid associating consumers' precise geolocation data with (1) political demonstrations, marches, and protests and (2) residences for individual consumers.^[22] The Proposed Order further requires Respondents to offer individual consumers the ability to request deletion of their geolocation data in Respondents' datasets.^[23]

I support Sections II, III, IV, and XI of the Proposed Order since they are directly tied to Respondents' alleged conduct, help mitigate the specific harms from disclosing consumers' political, religious, and medical activities, and properly balance the costs and benefits, as required by section 5 of the FTC Act. But today's settlement also has important limits, particularly with the sale and use of “Sensitive Location Data”. In my view, the Proposed Order strikes the proper balance under our unfairness authority. Permitting the use and disclosure of precise geolocation information to third parties for national security or data security purposes,^[24] or to prevent imminent risk of death or serious bodily harm,^[25] presents tangible benefits that appropriately fall within the confines of the Proposed Order's carefully negotiated definitions.

At the same time, the Proposed Order's restrictions on further disclosure of consumers' geolocation data help protect American citizens' constitutional rights under the Fourth Amendment of the United States Constitution. Fourth Amendment rights should not be for sale, under any circumstance. I agree with Commissioner Bedoya on this issue and the importance of the Proposed Order's restrictions here.^[26] Constitutionally appropriate process, such as warrants or subpoenas, exists for law enforcement to obtain information it needs, without resorting to purchasing consumers' precise geolocation data from unscrupulous location data brokers to circumvent judicial oversight.^[27] Nor does the Proposed Order have a deleterious impact on law enforcement efforts. Law enforcement personnel can always avail themselves of the appropriate legal process to obtain such data in a manner that comports with Fourth Amendment requirements.

B. Count III (Unfair Sale of Sensitive Inferences)

The Complaint alleges that Gravy created and sold custom “audience segments” based on consumers' religious beliefs, political leanings, and medical conditions by geo-fencing sensitive locations, such as breast cancer events, specific churches, and “Republican focused political events.” ^[28] The sale of “audience segments” tied to consumers' religious beliefs, political leanings, and medical conditions qualifies as an unfair practice: it “causes or is likely to cause substantial injury” by revealing consumers' political, religious, and medical activities (as discussed supra in Section I), consumers cannot reasonably avoid the harm (they are not aware of Respondent and did not consent to the use), and it is not outweighed by any countervailing benefits to consumers or competition.^[29] For these reasons, I support Count III.

However, my vote today does not entail broader support for the Majority's continued effort to deem targeted advertising an unfair practice under section 5. Nor should my vote be construed as endorsing the Complaint's theory about secondary harm to consumers.^[30] As I have explained before, we must “tease out the complexity of the privacy debate” and “press for more empirical research” to ground our unfairness analysis.^[31] Our complaints cannot simply rely on politically charged buzzwords. For example, the Complaint here expresses concerns with Gravy's practice of creating general “audience segments” ( print page 96994) for targeted advertising— e.g., “Sports Betting Enthusiast[s],” “Early Risers,” “Healthy Dads,” “New Parents”, or “Parents with Young Kids” ^[32] But the Complaint fails to confront how these audience segments create a “significant risk of concrete harm” and ignores the potential benefits to consumers and competition. Behaviorally targeted advertising may produce more relevant ads to consumers, reducing their search costs and allowing small businesses and new market entrants to connect with a broader consumer base.^[33]

Moreover, my vote should not be construed as support for deeming the use of sensitive data or the categorization of sensitive data as unlawful in every circumstance. Consumers may be deceived or harmed where their sensitive data is used without their knowledge or consent, contrary to their reasonable expectations. But context matters. For example, if a consumer searches online for nearby pediatricians close to their home, then serving ads in other contexts for pediatrician offices and groups based on the consumer's location may be both reasonable and desirable. If a consumer subscribes to a podcast on a certain type of politics, advertisements for other political podcasts may be of interest to that consumer.

We also need to disentangle any objections to the content of an advertisement from the practices of categorization and targeting generally. Take, for example, the practice of categorizing consumers into the ad segment “women over 50 suffering from breast cancer.” An advertiser may use that segment to target ads for well-validated treatments, potentially connecting women with life-saving care. Or an advertiser could use that segment to target ads for bogus treatments. We should not conflate our concern about deceptive advertising (the bogus treatment) with the lawful act of categorizing and targeting based on sensitive data, lest we undermine the ability to connect women with life-saving care. This is just one example of the potentially beneficial or harmful content served to audience segments. Certain types of categorization and targeting may offer similar benefits to consumers and competition, if used properly and in a lawful manner.^[34]

As we consider these types of difficult privacy questions in the future, it is of paramount importance that we challenge only unfair or deceptive conduct, supported by specific facts and empirical research, rather than demonizing the entire digital advertising industry.^[35] And until Congress acts to address privacy directly through legislation, it is vital we recognize and abide by the limited remit of the Commission's statutory authority.

Concurring and Dissenting Statement of Commissioner Andrew N. Ferguson

Today the Commission approves complaints against, and proposed consent orders with, Gravy Analytics ^[1] (“Gravy”) ^[2] and Mobilewalla ^[3] for various practices concerning the collection and dissemination of precise location data allegedly constituting unfair or deceptive acts or practices in violation of section 5 of the Federal Trade Commission Act.^[4] Gravy and Mobilewalla are data brokers that aggregate and sell consumer data, including location data.^[5] Gravy and Mobilewalla do not collect the data from consumers.^[6] Those data are collected from applications that consumers use on their smartphones, and Gravy and Mobilewalla purchase or otherwise acquire those data after they are collected.^[7] Gravy and Mobilewalla then sell those data to private firms for advertising, analytics, and other purposes, as well as to the government.^[8]

Part I

I concur entirely in two of the counts the Commission brings against both firms, and one that we bring against Mobilewalla alone. These counts are sufficient to justify my vote in favor of submitting the complaints and proposed consent orders for public comment. First, the Commission alleges that Gravy and Mobilewalla sell consumers' precise location data without taking sufficient measures to anonymize the information or filter out sensitive locations.^[9] This type of data—records of a person's precise physical locations—is inherently intrusive and revealing of people's most private affairs. The sale of such revealing information that can be linked directly to an individual consumer poses an obvious risk of substantial injury to that consumer.^[10] The theft or accidental dissemination of those data would be catastrophic to the consumer. The consumer cannot avoid the injury. Unless the consumer has consented to the sale of intimate data linked directly to him, the sale of the data happens entirely without his knowledge.^[11] Finally, given that the anonymized data remain valuable to firms for advertising and analytics, the injury that the consumer suffers is not outweighed by any countervailing benefits for the consumer.^[12] The sale of non-anonymized, precise location data without first obtaining the meaningfully informed consent of the consumer is therefore an unfair act or practice in violation of section 5.

Second, the Commission accuses both companies of collecting, using, and selling precise location information without sufficiently verifying that the consumers who generated the data consented to the collection of those data by the applications that collected it.^[13] Given that the failure to obtain meaningful consent to the collection of precise location data is widespread, data brokers that purchase sensitive information cannot avoid liability by turning a blind eye to the strong possibility that consumers did not consent to its collection and sale. The sale of precise location data collected without the consumer's consent poses a similarly unavoidable and substantial risk of injury to the consumer as does the sale of the non-anonymized data. I therefore concur in these counts against Gravy and Mobilewalla.^[14]

( print page 96995)

I further concur in one additional count charged against Mobilewalla alone. The Commission accuses it of having committed an unfair act or practice for its conduct on real-time bidding exchanges (RTBs).^[15] An RTB is a marketplace where advertisers bid in real time on the opportunity to show an advertisement to a user as the user is visiting a website or using an application.^[16] The auctions take place in the blink of an eye, and the listings on which advertisers bid include information such as the user's mobile advertising ID (MAIDs) and current precise location.^[17] Advertisers crave these data because it allows them to maximize the value of each ad impression by displaying the ads only to the users most likely to find the advertisement useful. The Commission accuses Mobilewalla of sitting on the RTBs, submitting bids, collecting the MAIDs and location data for the bids, retaining those data even when it did not win the auction, and combining those data with data acquired from other sources to identify the user represented by the MAID.^[18] It aggregated and sold this combined identity and location information to its clients.^[19] This alleged practice violated Mobilewalla's legal contracts with the exchanges.^[20]

The violation of a private contract alone is not enough to establish a violation of section 5.^[21] But these agreements protected more than just Mobilewalla's contractual counterparties. They also protected large numbers of consumers from the risk of having their private data aggregated, linked to their identity, and sold without their consent, as Mobilewalla did. Mobilewalla's breach of its contractual obligations therefore exposed consumers to the same substantial risk of injury as collection of their data without consent, was not reasonably avoidable by consumers (as this conduct was far removed from their knowledge and control), and was not outweighed by any countervailing benefits to consumers. It is therefore in the public interest to hold Mobilewalla liable for this conduct under section 5, as it would be even if no contract governed Mobilewalla's obligations regarding the unconsented collection and retention of these precise location data.^[22]

Part II

I dissent from the Commission's counts against both firms accusing them of unfairly categorizing consumers based on sensitive characteristics, and of selling those categorizations to third parties.^[23] The FTC Act prohibits the collection and subsequent sale of precise location data for which the consumer has not consented to the collection or sale. It further requires data brokers to take reasonable steps to ensure that consumers originally consented to the collection of the data that the data brokers subsequently use and sell. If a company aggregates and categorizes data that were collected without the consumer's consent, and subsequently sells those categorizations, it violates section 5. But it does so only because the data were collected without consent for such use, not because the categories into which it divided the data might be on an indeterminate naughty categories list. The FTC Act imposes consent requirements in certain circumstances. It does not limit how someone who lawfully acquired those data might choose to analyze those data, or the conclusions that one might draw from them.^[24]

Consider an analogous context: the collection of data by private investigators. Private investigators do not violate the law if they follow someone on the public streets to his place of employment, observe him entering a church, observe him attending the meeting of a political party, or watch him enter a hospital. These are all public acts that people carry out in the sight of their fellow citizens every day. Nor do private investigators violate the law by concluding from their lawful observations that the person works for that company, practices that religion, belongs to that political party, or suffers from an illness. Nor would the law prohibit the private investigator from selling his conclusions to a client. But the law would forbid private investigators from trespassing on the employer's property; from surreptitiously planting cameras inside the church sanctuary to observe the rites; from recording the proceedings of the political meeting without consent; or from extorting hospital staff for information about the person's condition. The law prohibits collecting data in unlawful ways; it does not prohibit drawing whatever conclusions one wants, or selling those conclusions to someone else, so long as the data from which the conclusions were drawn were lawfully obtained.

The same principle should apply to section 5. The added wrinkle is that in the information economy, private data are usually collected in the context of a commercial relationship between the user and the developer of an application or website. Just as we expect a merchant to disclose the material terms of a transaction before collecting payment, we expect that the user of an app or website be informed of how their private information—part, and often all, of the consideration they give in exchange for use of the app or website—will be collected and used, and given a chance to decline the transaction. Commercial fairness might also require more than vague hidden disclosures, especially when the loss of privacy is substantial, as is the case with collection of precise location data and its sale to third parties.

Rather than faulting these companies for disclosing data about users without adequate consent, these counts in the complaints focus instead on the inherent impropriety of categorizing users according to so-called “sensitive characteristics.” Perhaps my colleagues are worried that advertisements targeted on the basis of these categories can cause emotional distress—the theory they advanced in the Commission's Social Media 6(b) Report earlier this year.^[25] But as I argued then, it is folly ( print page 96996) to try to identify which characteristics are sensitive and which are not. “[T]he list of things that can trigger each unique individual's trauma is endless and would cover every imaginable” advertisement based on every possible categorization, so whatever lines we end up drawing will be “either arbitrary or highly politicized.” ^[26]

We can already see this dysfunction in these complaints, which mention as sensitive characteristics race, ethnicity, gender, gender identity, sexual orientation, pregnancy, parenthood, health conditions, religion, and attendance of a political protest, among others.^[27] While some of these characteristics often entail private facts, others are not usually considered private information. Attending a political protest, for example, is a public act. The public expression of dissatisfaction or support is the point of a protest. Treating attendance at a political protest as uniquely private and sensitive is an oxymoron. Moreover, there are no objective criteria on which to base this list.^[28] The statute provides no guidance. The list is therefore a purely subjective creation of Commission bureaucrats. And it excludes categories that many would consider deeply private and sensitive.^[29] And if we did a full accounting of characteristics that someone, somewhere might consider sensitive, no useful categorizations would remain. If what we are worried about is that the generation and sale of these categorizations will be a substitute for the sale of the user data from which they are derived, the correct approach is to treat conclusions derived from user data as no different than the underlying data. In either case, adequate consent is required for their collection, use, and sale.

Finally, I have doubts about the viability of a final charge levied against Mobilewalla for indefinitely retaining consumer location information.^[30] It is a truism that data stored indefinitely is at a greater risk of compromise than data stored for a short period of time. But nothing in section 5 forms the basis of standards for data retention. The difficulty is illustrated perfectly by the proposed order we approve today. Rather than impose any particular retention schedule, it merely requires that Mobilewalla:

. . . document, adhere to, and make publicly available . . . a retention schedule . . . setting forth: (1) the purpose or purposes for which each type of Covered Information is collected or used; (2) the specific business needs for retaining each type of Covered Information; and (3) an established timeframe for deletion of each type of Covered Information limited to the time reasonably necessary to fulfill the purpose for which the Covered Information was collected, and in no instance providing for the indefinite retention of any Covered Information . . .^[31]

Given that Mobilewalla is in the business of selling user information, and that the marginal cost of data storage is low, the “specific business need” can be nothing more than the possible existence in the future of some buyer willing to pay more than the low cost of storage to acquire the data. I see no reason why Mobilewalla could not set a retention period of many decades based on this reasoning. In fact, while two-year-old location data is intuitively less valuable than one-year-old location data, it is quite plausible that twenty- or thirty-year-old location data is more valuable than location data that is only a few years old, as it may allow advertisers to tap into nostalgic sentiments.

The trouble with both the sensitive-categories count and the data-retention count is that the text of section 5 cannot bear the tremendous weight my colleagues place on it. My colleagues want the FTC Act to be a comprehensive privacy law. But it is not. Comprehensive privacy regulation involves difficult choices and expensive tradeoffs. Congress alone can make those choices and tradeoffs. It did not do so when it adopted the general prohibitions of section 5 nearly nine decades ago. And it has not adopted comprehensive privacy legislation since then. We must respect that choice.

Until Congress acts, we should vigorously protect Americans' privacy by enforcing the laws Congress has actually passed. But we must not stray from the bounds of the law. If we do, we will sow uncertainty among legitimate businesses, potentially disrupt the ongoing negotiations in Congress on privacy legislation, and risk damaging losses for the Commission in court.