Millions In Fines & More: A Closer Look at FTC’s Actions Against Mass Data Collectors

Online consumers are more concerned about their data and digital privacy than ever before. This anxiety has, in part, been fueled by organizations escalating their overall collection of data. Almost every app, device, and service relies on collecting user data around the clock.

However, most organizations defend this as necessary to provide users with a truly personalized experience that ensures each user is catered to individually, based on their unique needs, wants, and browsing patterns.

However, there can be instances where organizations may process personal data in a disproportionate and unreasonable manner vis-a-vis the purpose of data processing, and this can lead to regulatory action against such organizations under various federal and state privacy laws.

The Federal Trade Commission (FTC) recently provided greater clarity on this matter in a blog. It delved deep into several reputable organizations that had far exceeded the permissions users had provided them related to personal data processing. Moreover, these organizations benefited from exceeding these permissions by sharing/selling their users’ data to other third parties without the express consent of their users.

Read on to learn more about the transgressions of these organizations as well as the enforcement actions taken by the FTC to mitigate them:

Issues Identified By the FTC

Here are the key issues identified by the FTC related to each of the violators:

Avast

Avast is a renowned software company, with its Antivirus software being used by millions across the world. However, as with any software, Avast relies on information received from its users related to their usage and other diagnostics data to make relevant changes within the software. Users are given a choice to consent to the collection and sharing of this information with Avast, or they may opt out entirely. This is a standard practice shared by most antivirus software.

However, Avast sold this information as well as other re-identifiable data. This data included their browsing history, geolocation data, as well as details related to financial transactions and job applications. More importantly, Avast had explicitly promised its users that any data they share with Avast would be appropriately anonymized and protected.

Not only did it unfairly share this data with third parties, it also failed to take the necessary steps to anonymize the data as it had assured its users.

X-Mode & InMarket

The FTC took similar regulatory action against X-Mode Social and its corporate successor Outlogic (collectively referred to as “X-Mode”), as well as InMarket Media. Both X-Mode and InMarket are location data brokers.

X-Mode collected data from three primary sources: third-party mobile apps, X-Mode’s own apps, and other third-party data aggregators. These sources gave it access to extensive consumer location data, including their location and other identifiers. X-Mode also collected this data from sensitive locations, including healthcare facilities, churches, and schools.

X-Mode sold such data in both raw format as well as “audience segments” where users’ data was broken down into categories based on interests and other characteristics relevant to locations and events.

Furthermore, X-Mode did not disclose its data sharing and selling practices to consumers in its privacy policy and also omitted to let the consumers know that their data was being collected from third parties.

InMarket committed similar violations related to consumers’ location data. Additionally, InMarket cross-referenced their consumers’ geolocation data with advertising points of interest. This helped them identify users who had recently visited these locations and create audience segments based on their geolocation patterns.

InMarket created 2,000 such segment lists, with categorizations such as “parents of preschoolers”, “Christian churchgoers”, “wealthy but not healthy”, etc. These categorizations were then used and sold to third parties.

InMarket did not have proper consent from its users regarding the use of their data. Moreover, similar to X-Mode, InMarket failed to properly inform its users about its data sharing and selling policies and sold their data to third parties while also failing to adequately inform them about data retention policies.

Measures Taken By the FTC

Here are the enforcement actions the FTC took against these companies as well as all the measures these organizations must undertake to mitigate the identified violations:

Avast

• Pay a $16.5 million fine that will be used to provide refresh to consumers;
• Discontinue the sale, transfer, sharing, or disclosure of browsing information to third parties for advertising purposes without consumers’ affirmative consent;
• Provide an accurate description of their data collection, use, and disclosure practices without any misrepresentation, along with measures in place to protect the privacy, security, availability, confidentiality, or integrity of collected data;
• Delete and destroy all collected geolocation data derived from their software;
• Provide notice to users about the FTC’s action against Avast on all its major products;
• Establish, implement, and maintain a comprehensive privacy program that protects the privacy of consumers’ collected information;
• Ensure an independent assessment from a qualified, objective, professional third party to conduct a review of the privacy program;
• Ensure complete cooperation with the third party reviewing their privacy program;
• Provide the FTC with a certification verifying its establishment, implementation, and maintenance of the privacy program;
• Provide the FTC an acknowledgment of its receipt of the relevant actions requested by the FTC order;
• Provide the FTC with timely submissions of compliance reports and other notices;
• Ensure the maintenance of such records for a period of at least five years.

X-Mode

• All collected location data must be appropriately deleted and destroyed unless customer consent can be collected or collected data is appropriately deidentified and anonymized;
• Ensure the development of a vendor/supplier assessment mechanism that verifies whether such third parties are taking appropriate steps related to obtaining consent from consumers before using their data;
• Appropriate measures to ensure third-party recipients of consumer data cannot associate the data with locations of public gatherings of individuals at political or social demonstrations or protests or any other location that may disclose the identity of an individual;
• A clear, easy-to-use, and simple mechanism for users to withdraw their consent related to the collection and use of their location data as well as requests related to the deletion of such data;
• Provide a clear and easy-to-use mechanism for users to request the identity of entities that have had access to their personal data as well as a means to request discontinuation of such access;
• Ensure the development and implementation of a comprehensive privacy program that protects the privacy of their consumers’ personal data with a definite data retention schedule.

InMarket

In addition to all the aforementioned requirements, InMarket is banned from further selling or licensing precise location data. Moreover, it must also take the following steps:

• Develop a sensitive location data program that prevents InMarket from using, selling, licensing, transferring, or otherwise sharing any products or services that categorize or target consumers based on sensitive location data;
• Inform users whose location data was collected about the FTC’s action against InMarket with an option to request deletion of their data.

Lessons For Others

Based on the FTC's identification of violations and measures levied against Avast, X-Mode, and InMarket, organizations would be well-advised to derive the following lessons from this whole affair:

Consent Above All

If there were any lingering doubts, the FTC’s set of actions against these three organizations should be ample enough reason for businesses to prioritize obtaining users’ consent before using personal or sensitive data for any purpose. Moreover, any consent gained must be explicit, affirmative, and completely voluntary in nature. Users must be appropriately educated on how the organization plans to collect, use, maintain, secure, and potentially share or sell their data.

If data is to be shared and sold, users must be informed of all the mechanisms and ways to revoke their consent. Misleading users or coercing them via deceptive "Pay or Okay" techniques are short-term solutions. As the FTC's actions show, they can often cause severe repercussions for organizations in the long run.

Transparency is Paramount

Transparency, and by extension, accountability, should be at the forefront of an organization’s overall data management strategy. In its official blogs detailing the alleged violations, the FTC provided meticulous details on how these three organizations had not only violated data security and protection obligations but had purposefully kept their customers in the dark.

Similarly, these organizations deliberately kept their privacy policy pages ambiguous regarding their data sharing and selling practices and the nature of their relationships with third parties.

Users must always be aware and updated on what data is being collected, why, and who can potentially have access to it. Once they have knowledge of these necessary facts, they can only make informed decisions about whether to allow the organization to continue to have access to their data.

Genuinely Ethical Data Practices

It may seem simple and fairly straightforward but organizations often need help with adopting and implementing a reliable data management plan that is truly ethical and responsible in nature. Most organizations have such plans in place merely as a legal compliance measure rather than an operational and functional strategy.

Organizations must take proactive measures to develop and implement practices that ensure respect for user privacy while cultivating their trust. The steps involved in this, such as taking appropriate data security measures, hiring appropriate personnel, and other data management processes, are simple but effective.

How Securiti Can Help

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.

The DCC is an easy-to-deploy and easy-to-use platform that provides access to various modules and solutions designed to ensure compliance with various regulatory obligations an organization may be subject to.

These solutions range from consent management, which streamlines all consent collection and dynamically syncs consent records across all systems within the organization, to data mapping, which enables the collection and maintenance of an inventory of data assets and data processing activities within a Sensitive Data Catalog. Various other solutions provide similar functionalities vital for an organization to continue its operations without violating compliance requirements.

Request a demo today to learn more about how Securiti can help you ensure that your data and consent-related operations comply with the relevant regulatory obligations.