On July 11, 2022, the Federal Trade Commission (FTC) published “Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data,” on its Business Blog. The blog post is likely related to an Executive Order (the “EO”) signed by President Biden in the wake of the Supreme Court’s Dobbs decision. Among other things, the EO directed the FTC to consider taking steps to protect consumers’ privacy when seeking information about and related to the provision of reproductive health care services.
While this latest drumbeat on this issue came from the FTC, we expect to see attention to this issue by other regulators, including, perhaps, the Department of Justice as well as state attorneys general.
Although the FTC post centers on location data and reproductive health services, it is likely that there will be more scrutiny of the collection and use of location data in general. This renewed focus will potentially subject a wide group of digital ecosystem participants to increased attention. The spotlight will likely fall on interactive platforms, app publishers, software development kit (SDK) developers, data brokers and data analytics firms – over practices concerning the collection, sharing and perceived misuse of data generally.
The FTC blog post briefly explains the “opaque” world surrounding the collection of mobile location data (which the FTC asserts is often done without consumers’ full understanding) and the subsequent sharing and sale of information to data aggregators and brokers that then sell data access or data analysis products to marketers, researchers, or other businesses interested in gaining insights from alternative data sources. The post states that the misuse of mobile location and health information, including reproductive health data, “exposes consumers to significant harm.” As such, the FTC announced that it will “vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data.” More concrete legal requirements covering the collection and use of mobile location data may come with the passage of a bipartisan federal comprehensive privacy bill, but passage of this bill remains uncertain.
The FTC’s blog post closes with a few guidance tips on what companies should be considering when collecting or using sensitive consumer information, including location and health data:
- Sensitive data is protected by various federal and state laws. Such laws include the FTC Act which regulates unfair and deceptive trade practices, the Children’s Online Privacy Protection Act (COPPA) and various state data privacy laws.
- Examine claims that data “has been anonymized.” The FTC states that firms making misleading claims about anonymization in this area may violate the FTC Act, “especially in the context of location data.”
- The agency will bring enforcement actions for misuse of consumer data. The post outlines several recent enforcement actions over misuse of sensitive consumer data, including location data.
The FTC’s blog post is just the latest in an increasing level of attention to the collection of data from mobile devices. As we’ve previously written about, the issue of location data has already garnered attention in Congress, and it would not be surprising to see some state legislatures – a number of which have already passed or considered comprehensive data privacy laws – take up the issue. Companies collecting or using mobile location data should pay close attention to developments in this area.