Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
USA: FTC finalizes order against InMarket regarding sale of location data
On May 1, 2024, the Federal Trade Commission (FTC) finalized an order with InMarket Media, LLC, for violation of the Federal Trade Commission Act (the FTC Act) following a previous settlement resulting from the sale of location data.
Background to the order
The FTC initiated an investigation into InMarket as it has reason to believe that InMarket had violated provisions of the FTC Act.
Findings of the FTC
The FTC determined that the acts and practices of InMarket constituted unfair or deceptive acts or practices affecting commerce, in violation of Section 5(a) of the FTC Act. Specifically, the FTC found InMarket to have:
- not fully disclosed the collection and use of consumer location data, alongside failing to collect user consent to location collection or in-app screens that precede consent prompts;
- not informed users that location data was collected to build extensive profiles which were then used for targeted advertising; and
- retained the data for an unreasonably long period, longer than necessary to accomplish the stated purpose of collection, and thereby increasing the risk that sensitive data may be disclosed, misused, and linked back to the consumer.
Outcomes
According to the FTC's order, InMarket is prohibited from selling, sharing, or licensing any precise location data and any product or service that categorizes or targets consumers based on sensitive location data. Notably, the order also requires InMarket to implement and maintain an SDK Supplier Assessment Program to ensure that consumers have provided consent for the collection and use of location data obtained by InMarket through their SDK.
In addition, the order requires InMarket to:
- provide a simple, easily located means for consumers to withdraw any affirmative express consent provided in connection with location data;
- implement and maintain a simple, easily located means for consumers to request InMarket delete location data;
- make publicly available a retention schedule for covered information;
- provide notice to each consumer whose location data is collected and used through any InMarket app; and
- establish, implement, and maintain a comprehensive privacy program, including:
- a designated employee responsible for the program;
- provide privacy and data security training programs for all employees and independent contractors; and
- assess and document every 12 months internal and external risks to the privacy of covered information.