On December 3, 2024, the Federal Trade Commission (FTC) published a proposed order for Gravy Analytics, Inc. and its subsidiary Venntel, Inc. for the alleged violation of Section 5(a) of the Federal Trade Commission Act (the FTC Act).

Background to the settlement

The FTC outlined that Gravy Analytics collected and sold raw location data that track consumers' movements, using location data to identify consumers based on attributes and behaviors that location data reveals, and then selling such data to third parties.

Findings of the FTC

Following its investigation, the FTC highlighted that Gravy Analytics continued to use consumers' location data after learning that consumers did not provide informed consent, failing to take reasonable steps to confirm consumers consented to their collection, use, and sale of location data. Gravy Analytics continued to use and sell location data even when suppliers refused to provide information on consumer consent. Venntell did not have any processes in place to confirm that consumers appropriately consented to the collection, use, or sale of their location data for government purposes.

In addition, the FTC held that owing to the sensitive information location data reveals, Gravy Analytics and Ventell's unauthorized collection, use, and sale of precise geolocation data was an unwarranted intrusion into consumers' privacy and caused substantial injury to consumers.

The FTC further found that Gravy Analytics sold tools allowing geo-fencing of a location. Data was then transferred to Venntell which sold location data and associated data such as persistent identifiers, timestamps, IP address, and the name of apps from where location data was collected to third parties.

Enhanced tools used by Venntell included:

• the geofencing of specific locations, alongside associated information;
• continuously tracking single devices;
• obtaining device information about a mobile device; and
• searching location signals associated with a specific IP address.

Accordingly, the FTC found Gravy Analytics and Venntell to have violated Section 5(a) of the FTC Act for deceptive acts or practices in or affecting commerce.

Outcomes

In light of the above, the FTC prohibited Gravy Analytics and Venntell from, among other things:

• directly or indirectly selling, licensing, sharing, disclosing, transferring, or otherwise using sensitive location data except in limited circumstances involving national security or law enforcement;
• misrepresenting the extent to which they review data suppliers' compliance and consent frameworks, consumer disclosures, sample notices, and opt-in controls; or
• mispresenting the extent to which the location data is de-identified.

In addition, the FTC ordered Gravy Analytics and Venntell to:

• implement a sensitive location data program that develops a list of comprehensive locations, and prevents the use, sale, license, transfer, or disclosure of sensitive location data, including locations associated with, among others:
  • medical facilities;
  • religious organizations;
  • schools or childcare facilities;
  • military installations;
• make publicly available a retention schedule for information, setting out the purpose, business needs, and deletion timeframe for collected data;
• delete all historic location data and any data products developed using this data, informing customers that received historic location data within the last three years of the FTC's requirement that such data should be deleted, de-identified, or rendered non-sensitive; and
• establish, implement, and maintain a comprehensive privacy program.

You can read the press release here, the complaint here, and the proposed order here.