On January 19, 2024, the Federal Trade Commission (FTC) announced that it had filed a proposed order against InMarket Media, LLC (InMarket), for violation of the Federal Trade Commission Act (FTC Act), following an investigation.

Background to the case

In particular, the FTC explained that InMarket is a digital marketing platform and data aggregator, that collects consumer data through software development kits (SDKs), including personal information about consumer movements, purchasing history, and demographic or socioeconomic backgrounds. The FTC also noted that such information is kept for up to five years. InMarket categorized consumers into 'advertising audiences' enabling clients to target consumers more precisely and on third-party advertising platforms, with consumers failing to be notified of the use of targeted advertising.

More specifically, the FTC highlighted that InMarket's SDK is capable of transmitting a consumer's precise location back to a respondent, allowing respondents to collect sensitive information from consumers such as where they live, work, worship, children go to school, receive medical treatment, and any other information determinable from a person's movements.

Findings of the FTC

Following its investigation, the FTC found that InMarket did not fully disclose the collection and use of consumer location data, alongside failing to collect user consent to location collection or in-app screens that precede consent prompts. Further, the FTC provided that InMarket failed to verify whether third-party apps that incorporated InMarket's SDK obtained informed consumer consent.

In addition, the FTC alleged that the consent screens for InMarket's proprietary apps, CheckPoints and ListEase, though telling consumers that their location data will be used for the app's functionality, did not disclose that such location data was collected to also build extensive profiles which were then used for targeted advertising. Notably, the FTC clarified that the consent screen did not link to the privacy policy language which outlined that consumer data is used for targeted advertising.

Regarding the retention of consumer data, the FTC determined that InMarket retained such data for an unreasonably long period, longer than necessary to accomplish InMarket's stated purpose of collection, nominally to allow consumers to earn shopping points or make shopping lists. Therefore, InMarket significantly increased the risk that consumer-sensitive data may be disclosed, misused, and linked back to the consumer, exposing sensitive information about them.

Accordingly, the FTC held that InMarket violated Section 5(a) of the FTC Act for misrepresentations or deceptive failures to disclose a material fact, constituting prohibited deceptive or unfair practices.

Outcomes

In light of the above, the FTC's proposed order provides that InMarket must not sell or license location data in exchange for any valuable consideration. The FTC noted that such an order is the first to be issued by the FTC. In addition, the FTC's proposed order stipulates that InMarket must:

• delete or destroy all location data previously collected and any products produced unless it obtains consumer consent or ensures that the data has been de-identified or rendered non-sensitive;
• notify consumers whose location data was collected from InMarket apps unless it obtains consumer consent to the collection of their location data;
• provide an easy-to-find way for consumers to withdraw their consent for the collection and use of their location data for InMarket apps and a mechanism to request the deletion of any location data previously collected;
• create a sensitive location data program to prevent the company from using, selling, licensing, transferring, or otherwise sharing any products or services that categorize or target consumers based on sensitive location data;
• implement and maintain an SDK supplier assessment program to ensure consumers have provided consent for the collection and use of location data obtained through SDKs;
• document, adhere to, and make available a data retention schedule for covered information; and
• establish and implement a comprehensive privacy program that protects the privacy of consumers' personal information.

You can read the press release here, the complaint here, and the proposed order here.