Company Prohibited From Selling Precise Location Data To Settle FTC Charges
UNITED STATES OF AMERICA BEFORE THE FEDERAL TRADE COMMISSION
COMMISSIONERS: Lina M. Khan, Chair; Rebecca Kelly Slaughter; Alvaro M. Bedoya; Melissa Holyoak; Andrew Ferguson
In the Matter of INMARKET MEDIA, LLC, a limited liability company.
DOCKET NO. C-4803
COMPLAINT
The Federal Trade Commission, having reason to believe that InMarket Media, LLC, a limited liability company (“Respondent”), has violated the provisions of the Federal Trade Commission Act (“FTC Act”), and it appearing to the Commission that this proceeding is in the public interest, alleges:
Respondent InMarket Media, LLC (“InMarket”), is a Delaware limited liability company with its principal office or place of business at 111 Congress Avenue, Suite 500, Austin, TX 78701.
The acts or practices of Respondent alleged in this Complaint have been in or affecting commerce, as “commerce” is defined in Section 4 of the Federal Trade Commission Act.
Respondent’s Business Practices
Respondent InMarket is a digital marketing platform and data aggregator. It collects consumer location data through its software development kit (the "InMarket SDK") and also purchases consumer information from other sources. InMarket obtains large swaths of personal data on consumers, including information about their movements over time tracked on their mobile devices, as well as their purchasing history, and demographic and socioeconomic backgrounds, and has kept that information for up to five years. Respondent uses the consumer data to facilitate targeted advertising to consumers on their mobile devices for the company's clients, which include brands and advertising agencies. InMarket displays this advertising itself using the InMarket SDK, and also categorizes consumers into groups called "advertising audiences" that enable its clients to target consumers more precisely on third-party advertising platforms. Respondent fails to notify consumers that their location data will be used for targeted advertising and fails to verify that mobile applications ("apps") incorporating the InMarket SDK have notified consumers of such use.
Respondent collects consumer location data through its SDK.
Respondent created the InMarket SDK, which is a collection of development tools that can be incorporated into a mobile application. Respondent incorporates the InMarket SDK into the two apps that it owns and operates: CheckPoints, which offers shopping rewards for completing tasks such as watching videos and taking online quizzes, and ListEase, which helps consumers create shopping lists (the "InMarket Apps"). The InMarket Apps have been downloaded onto over 30 million unique devices since 2017. Respondent also makes the InMarket SDK available to third party app developers, and it has been incorporated into more than 300 such apps which have been downloaded onto over 390 million unique devices since 2017. App developers are incentivized to incorporate the InMarket SDK into their app because they receive a portion of InMarket's advertising revenue from each ad served through their apps.
One of the primary functions of the InMarket SDK is to transmit a consumer's precise location back to Respondent. Apps that incorporate the InMarket SDK request access to the location data generated by a mobile device's operating system. If the user allows access, the InMarket SDK receives the device's precise latitude and longitude, along with a timestamp and a unique mobile device identifier, as often as the mobile device's operating system provides it (ranging from almost no collection when the device is idle, to every few seconds when the device is actively moving) and transmits it directly to Respondent's servers. From 2016 to the present, about 100 million unique devices sent Respondent location data each year.
Through the InMarket SDK, Respondent collects sensitive information from consumers, including where they live, work, worship, where their children go to school or receive child care, where they receive medical treatment (potentially revealing medical conditions), where they go to rallies, demonstrations, or protests (potentially revealing political affiliations), and other information gleaned from tracking a person’s daily movements. All of the above information is collected along with several identifiers (including a unique mobile device identifier), and Respondent has retained this information for up to five years.
Respondent uses location data to engage in targeted advertising through its SDK and to create advertising audiences for use on third-party advertising platforms.
Respondent processes the location data it collects to determine how long a particular mobile device (and therefore a particular consumer) stays at a given location. All data collected through the SDK is processed together, meaning InMarket may use data from multiple apps to determine when a particular consumer arrived at a specific location, how long they stayed, and when they left.
Respondent cross-references consumers' location histories with advertising-related points of interest to identify consumers who have visited those locations. Respondent sorts consumers, based on their visits to points of interest, into audience segments to which it can target advertising. Respondent has created or maintains almost two thousand distinct advertising audience segments. For example, an InMarket brand client can target shoppers who are likely to be low-income millennials; well-off suburban moms; parents of preschoolers, high-school students, or kids who are home-schooled; Christian church goers; convenience-sensitive or price-sensitive; single parents or empty-nesters; affluent savers or blue collar workers; "healthy and wealthy" or "wealthy and not healthy," to name only a selection of the categories InMarket offers or has offered to its brand clients.
InMarket classifies audiences based on both past behavior and predictions about consumers’ future actions. For example, if a consumer’s location data shows they visited a car dealership, InMarket can combine that information with attributes purchased from other sources (such as age, income, or family structure) and predict they may be in the market for a particular vehicle.
The InMarket SDK displays the ads and determines which ads appear in which apps incorporating the SDK. Respondent additionally offers advertisers a product that sends push notifications based on a consumer's location and "geofencing," the creation of a virtual fence around a particular point of interest. When the InMarket SDK transmits a location that is inside a virtual fence, the app will send a push notification for a particular ad. For example, a consumer who is within 200 meters of a pharmacy might see an ad for toothpaste, cold medicine, or some other product sold at that location.
Respondent also makes its advertising audience segments available on real-time bidding platforms. An advertiser using one of these platforms can select an advertising audience, and identify the amount that it is willing to pay (that is, its bid) each time its ad appears on a mobile device that is a part of that audience. The advertiser's ad will appear on a particular device if it has the highest bid for that device. Respondent receives some revenue each time an advertiser uses one of its audiences in this process.
Respondent fails to notify users of its own apps that their location data will be used for targeted advertising.
Before an app can access a mobile device's location data, the mobile device user must grant access in a system prompt generated by the device's operating system. Despite collecting vast amounts of consumer location and other data for consumer advertising and targeting purposes, InMarket does not fully disclose such collection and use in the system prompts seeking a user's consent to location collection or in-app screens that precede the prompt. InMarket fails to obtain informed consent in its proprietary apps, CheckPoints and ListEase, and also fails to verify that the third-party apps that incorporate InMarket's SDK obtain informed consumer consent.
Since 2010, InMarket has offered the CheckPoints app on both the iOS and Android platforms. InMarket's CheckPoints app is marketed as a "rewards app," and promises users "easy money earn as you shop." It tells consumers to "join the millions earning free gift cards and more every day." Users of the app collect points by performing various tasks (checking into retail locations, watching videos, scanning certain products while in store, taking surveys and quizzes), and then exchange those points for rewards, such as gift cards. The app is free to download and includes in-app advertising.
From at least 2017 through 2020, as required by iOS and Android, CheckPoints requested users' permission to collect their precise location information. For iOS users, CheckPoints stated: "Allow CheckPoints to access your location? This allows us to award you extra points for walking into stores." CheckPoints' consent screen inquired of Android users: "CheckPoints finds nearby earning opportunities by using your device's location," and then asks users to "Enable Location Services."
Since 2012, InMarket has offered the ListEase app on both the iOS and Android platforms. The ListEase app markets itself as an electronic shopping list app. The app is free to download and includes in-app advertising.
From at least 2017 through 2020, as required by iOS and Android, ListEase has requested users’ permission to collect their precise location information. ListEase’s iOS consent screen stated: “Allow ListEase to use your location? Uses location so you don’t forget items on your list when you are at the store.” For Android devices, ListEase stated: “Allow Location Permissions to unlock reminders. Get a reminder when you’re in the store so you never forget to grab the items you need!”
The consent screens used for both the CheckPoints and ListEase apps tell consumers that their location will be used for the app’s functionality (earning points and keeping lists), which are misleading half-truths. At no point during the consent process for either the CheckPoints or ListEase apps did InMarket also disclose that it was collecting users’ precise location, often multiple times per hour, along with data collected from multiple other sources—including through other apps using the InMarket SDK—to build extensive profiles on users to be used to precisely target them with advertising.
Although InMarket discloses in its privacy policy that it uses consumer data for targeted advertising, its consent screen does not link to the privacy policy language, and the misleading prompts do not inform consumers of the apps’ data collection and use practices.
Representations related to the use of consumers’ location information for advertising and tracking are material to consumers.
Respondent fails to verify that users of third-party apps incorporating InMarket’s SDK have been notified that their location data will be used to target advertising.
In addition to not disclosing its data collection practices in its proprietary apps, InMarket also does little to verify that third-party apps incorporating its SDK obtain informed consumer consent before granting InMarket access to their sensitive location data. InMarket additionally neither collects nor retains records of the disclosures that third-party apps incorporating the InMarket SDK provide to consumers before accessing their location data.
In fact, InMarket does not require the third-party apps that incorporate its SDK to obtain informed consumer consent. Aside from general guidelines requiring the app developers to “comply with all applicable laws” and to maintain a “privacy policy in line with legal requirements,” InMarket’s contract with the developers requires nothing more from them in terms of privacy.
Even if these third-party app developers wanted to provide adequate disclosure to their users about InMarket’s use of their location data, InMarket does not provide the developers with sufficient information to provide that notice. Specifically, InMarket’s contract with third-party app developers merely states that InMarket will serve ads on the developer’s apps in return for developers passing user information to InMarket, including precise location and advertising identifiers. InMarket does not disclose that information collected from these third-party users will be supplemented and cross-referenced with purchased data and analyzed to draw inferences about those users for marketing purposes. Nor does it disclose to these app developers that it retained their users’ location information for up to five years. Moreover, although InMarket’s privacy policy generally describes its use of consumer data for advertising purposes, InMarket does not even reference this privacy policy in its third-party developer agreements.
InMarket therefore does not know whether users of hundreds of third-party apps that incorporate the InMarket SDK were informed of their data being collected and used for targeted advertising. In fact, several of these third-party apps seek users’ location using incomplete and misleading disclosures that are similar to those that InMarket uses. For example, one photo-editing app that incorporates InMarket’s SDK seeks location permission with the prompt: “Your location is used to provide you with rewards and discounts when you visit retail partners.” Based on this disclosure, a consumer may believe that her location data will be used for this one purpose and used solely by the photo-editing app itself. The consumer would never know, based on the above disclosure, that her location will be collected multiple times per day (whether or not she was near the app’s retail partner) and that her movements will be shared with third parties like InMarket, who will then purchase additional data about her in order to create her detailed consumer profile. The consumer would never know that, by granting location permission to a photo-editing app, she actually set into motion a string of data collections that enabled InMarket, a third-party she likely never heard of, to amass a mountain of sensitive data about her without her knowledge.
Because InMarket readily combined the location data of those users into its databases and systems without confirming user consent, InMarket obtained and used that data without informed user consent, resulting in likely consumer injury, as discussed below.
Respondent retains consumer data longer than reasonably necessary for its business purposes leading to likely consumer injury.
After collecting sensitive precise location data about consumers’ daily movements, InMarket retains that information longer than reasonably necessary to accomplish the purpose for which that information was collected, thereby exposing consumers to significant unnecessary risk. Specifically, InMarket has retained consumer location data for five years prior to deletion.
This unreasonably long retention period—far longer than is necessary to accomplish InMarket’s stated purpose for collection (to allow a consumer to earn shopping points or make shopping lists)—significantly increases the risk that this sensitive data could be disclosed, misused, and linked back to the consumer, thereby exposing sensitive information about that consumer’s life.
InMarket’s comprehensive collection and long-term retention of location data subjects consumers to a likelihood of substantial injury through the exposure of their re-identified location.
Violations of the FTC Act
Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), prohibits “unfair or deceptive acts or practices in or affecting commerce.”
Misrepresentations or deceptive failures to disclose a material fact constitute deceptive or unfair practices prohibited by Section 5(a) of the FTC Act.
Acts or practices are unfair under Section 5 of the FTC Act if they cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that are not outweighed by countervailing benefits to consumers or competition. 15 U.S.C. § 45(n).
Count I. Unfair Collection and Use of Consumer Location Data
As described in Paragraphs 4-6, 12-19, Respondent collects consumers’ location data through apps that it owns and operates while failing to notify consumers that it uses the data to develop consumer profiles and target them with advertising.
Respondent’s collection of location data without disclosure of intended uses results in substantial injury in the form of a loss of privacy about the day-to-day movements of millions of consumers and an increased risk of disclosure of such sensitive information. This injury is not reasonably avoidable by consumers themselves, as they are not aware of the scope of these practices. This injury is also not outweighed by countervailing benefits to consumers or competition. Consequently, Respondent’s collection of consumers’ location data through apps that it owns is an unfair act or practice.
Count II. Unfair Collection and Use of Consumer Location Data from Third Party Apps
As described in Paragraphs 4-6, 20-24, Respondent collects consumers’ location data through third-party apps that incorporate its SDK without taking reasonable steps to verify that consumers are notified that it uses the data to develop consumer profiles and target them with advertising.
Respondent’s collection of location data without verification of notification results in substantial injury in the form of a loss of privacy about the day-to-day movements of millions of consumers and an increased risk of disclosure of such sensitive information. This injury is not reasonably avoidable by consumers themselves, as they are not aware of the scope of these practices. This injury is also not outweighed by countervailing benefits to consumers or competition. Consequently, Respondent’s collection of consumers’ location data through third-party apps is an unfair act or practice.
Count III. Unfair Retention of Consumer Location Data
As described in Paragraphs 25-27, Respondent has retained detailed, sensitive information about consumers’ movements for five years, which is longer than reasonably necessary to effectuate its business purpose.
Respondent’s retention of detailed location data for such an extended period has caused or is likely to cause substantial injury in the form of a loss of privacy about the day-to-day movements of millions of consumers and an increased risk of disclosure of such sensitive information. This injury is not reasonably avoidable by consumers themselves, as they are not aware of the scope of these practices. This injury is also not outweighed by countervailing benefits to consumers or competition. Consequently, Respondent’s retention of consumers’ detailed location data for longer than is reasonably necessary to effectuate its business purpose is an unfair act or practice.
Count IV. Deceptive Failure to Disclose InMarket’s Use of Consumer Location Data
As described in Paragraphs 12-18, Respondent represented, directly or indirectly, expressly or by implication, that CheckPoints and ListEase app users’ location information would be used for awarding extra points for walking into stores or list reminders.
In fact, as set forth in Paragraphs 4-11, since at least 2017, InMarket has been using location data collected from CheckPoints and ListEase users for targeted advertising, has supplemented that information with additional data purchased about those users, has shared that information with third parties for the purpose of advertising, and has used that information to develop predictions about consumer behavior and characteristics. These facts would be material to consumers in deciding whether to use or grant location permissions to InMarket’s apps.
InMarket’s failure to disclose material information described in Paragraph 38, in light of the representations set forth in Paragraph 37, is a deceptive act or practice.
Violations of Section 5
The acts and practices of Respondent as alleged in this complaint constitute unfair or deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.
THEREFORE, the Federal Trade Commission this 29th day of April, 2024, has issued this Complaint against Respondent.
By the Commission, Commissioners Holyoak and Ferguson not participating.
April J. Tabor, Secretary
DECISION AND ORDER
DECISION
The Federal Trade Commission (“Commission”) initiated an investigation of certain acts and practices of Respondent named in the caption. The Commission’s Bureau of Consumer Protection (“BCP”) prepared and furnished Respondent a draft Complaint. BCP proposed to present the draft Complaint to the Commission for its consideration. If issued by the Commission, the draft Complaint would charge Respondent with violations of the Federal Trade Commission Act.
Respondent and BCP thereafter executed an Agreement Containing Consent Order ("Consent Agreement"). The Consent Agreement includes: 1) a statement by Respondent that it neither admits nor denies any of the allegations in the Complaint, except as specifically stated in this Decision and Order, and that only for purposes of this action, it admits the facts necessary to establish jurisdiction; and 2) waivers and other provisions as required by the Commission's Rules.
The Commission considered the matter and determined that it had reason to believe Respondent has violated the Federal Trade Commission Act, and that a Complaint should issue stating its charges in that respect. The Commission accepted the executed Consent Agreement and placed it on the public record for a period of 30 days for the receipt and consideration of public comments. The Commission duly considered any comments received from interested persons pursuant to Section 2.34 of its Rules, 16 C.F.R. § 2.34. Now, in further conformity with the procedure prescribed in Rule 2.34, the Commission issues its Complaint, makes the following Findings, and issues the following Order:
FINDINGS
The Respondent is InMarket Media, LLC, a Delaware limited liability company with its principal place of business at 111 Congress Ave., Suite 500, Austin, TX 78701.
The Commission has jurisdiction over the subject matter of this proceeding and over the Respondent, and the proceeding is in the public interest.
ORDER
Definitions
For the purpose of this Order, the following definitions apply:
- "Affirmative Express Consent" means any freely given, specific, informed, and unambiguous indication of an individual consumer's wishes demonstrating agreement by the individual, such as by an affirmative action, following a Clear and Conspicuous disclosure to the individual of: (1) the categories of Covered Information that will be collected; (2) the purpose(s) for which the Covered Information is being collected, used, or disclosed; (3) a simple, descriptive URL (or hyperlink if technically possible) to a document that describes the types of entities collecting the Covered Information or to whom the Covered Information is disclosed; and (4) a simple, descriptive URL (or hyperlink if technically possible) to a simple, easily-located means by which the consumer can withdraw consent and that describes any limitations on the consumer's ability to withdraw consent. The Clear and Conspicuous disclosure must be separate from any "privacy policy," "terms of service," "terms of use," or other similar document.
The following do not constitute Affirmative Express Consent:
  - Inferring consent from the hovering over, muting, pausing, or closing of a given piece of content by the consumer
  - Obtaining consent through a user interface that has the substantial effect of subverting or impairing user autonomy, decision-making, or choice
- “Clear(ly) and Conspicuous(ly)” means that a required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers, including in all of the following ways:
  - In any communication that is solely visual or solely audible, the disclosure must be made through the same means through which the communication is presented. In any communication made through both visual and audible means, such as a television advertisement, the disclosure must be presented simultaneously in both the visual and audible portions of the communication even if the representation requiring the disclosure (“triggering representation”) is made through only one means
  - A visual disclosure, by its size, contrast, location, the length of time it appears, and other characteristics, must stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood
  - An audible disclosure, including by telephone or streaming video, must be delivered in a volume, speed, and cadence sufficient for ordinary consumers to easily hear and understand it
  - In any communication using an interactive electronic medium, such as the Internet or software, the disclosure must be unavoidable
  - The disclosure must use diction and syntax understandable to ordinary consumers and must appear in each language in which the triggering representation appears
  - The disclosure must comply with these requirements in each medium through which it is received, including all electronic devices and face-to-face communications
  - The disclosure must not be contradicted or mitigated by, or inconsistent with, anything else in the communication
  - When the representation or sales practice targets a specific audience, such as children, the elderly, or the terminally ill, “ordinary consumers” includes reasonable members of that group
- "Covered Information" means information from or about an individual consumer including, but not limited to: (1) a first and last name; (2) Location Data; (3) an email address or other online contact information; (4) a telephone number; (5) a Social Security number; (6) a driver's license or other unique government-issued identification number; (7) a financial institution account number; (8) credit or debit card information; (9) a persistent identifier, such as a customer number held in a "cookie," a static Internet Protocol ("IP") address, a mobile device ID, or processor serial number; or (10) socio-economic or demographic data. Deidentified information is not Covered Information.
- “Deidentified” or “Deidentify” means information that cannot reasonably identify, be associated with, or be linked, directly or indirectly, to a particular consumer, provided that Respondent:
  - Has implemented technical safeguards to prohibit reidentification of the consumer to whom the information pertains
  - Has implemented business processes that specifically prohibit reidentification of the information
  - Has implemented business processes to prevent inadvertent release of Deidentified information
  - Makes no attempt to reidentify the information
- Data that is linked to a mobile advertising identifier or an individual’s home is not Deidentified
- “Historic Location Data” means Location Data that Respondent collected from consumers without consumers’ Affirmative Express Consent.
- "Location Data" means any data that reveals a mobile device's or consumer's precise location, including but not limited to Global Positioning System (GPS) coordinates, fine location data, cell tower information, or precise location information inferred from basic service set identifiers (BSSIDs), WiFi Service Set Identifiers (SSID) information, or Bluetooth receiver information, or any unique persistent identifier combined with such data, such as a mobile advertising identifier or identifier for advertisers (IDFA). Data that reveals only a mobile device or consumer's coarse location (e.g., zip code or census block location with a radius of at least 1,850 feet), or that is used solely for the purpose of generating such coarse location and then deleted within 48 hours of collection, is not Location Data.
- “Respondent” means InMarket Media, LLC (“InMarket”), and its successors and assigns.
- “Respondent App” means a mobile application that Respondent owns and operates.
- "Sensitive Location" means: (1) sexual and reproductive health care providers, offices of mental health physicians and practitioners, residential mental health and substance abuse facilities, outpatient mental health and substance abuse centers, psychiatric and substance abuse hospitals, offices of oncologists, and offices of pediatricians; (2) religious organizations; (3) correctional facilities; (4) labor union offices; (5) locations held out to the public as predominantly providing education or childcare services to minors; (6) locations held out to the public as predominantly providing services to LGBTQ+ individuals such as service organizations, bars and nightlife; (7) locations held out to the public as predominantly providing services based on racial or ethnic origin; (8) locations held out to the public as predominantly providing temporary shelter or social services to homeless, survivors of domestic violence, refugees, or immigrants; or (9) locations of public gatherings of individuals during political or social demonstrations, marches, and protests.
- “Sensitive Location Data” means any consumer Location Data associated with a Sensitive Location.
- “Software development kit” or “SDK” means the code necessary to integrate Respondent’s advertisements or Location Data collection tools in a mobile application (“app”).
Provisions
I. Prohibition Against Misrepresentations
IT IS ORDERED that Respondent and Respondent’s officers, agents, employees, attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, must not materially misrepresent, in any manner, expressly or by implication:
- The extent to which Respondent collects, uses, maintains, discloses, or deletes any Location Data.
- The extent to which Location Data that Respondent collects, uses, maintains, or discloses is Deidentified.
II. Prohibition on the Sale or Licensing of Location Data
IT IS FURTHER ORDERED that Respondent and Respondent’s officers, agents, employees, attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must not sell or license Location Data in exchange for any valuable consideration.
III. Prohibition on Products or Services Categorizing or Targeting Consumers Based on Sensitive Location Data
IT IS FURTHER ORDERED that Respondent and Respondent’s officers, agents, employees, attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must not use, sell, license, transfer, or otherwise share any products or services that categorize or target consumers based on Sensitive Location Data associated with locations Respondent has identified pursuant to Subpart IV.D., provided however, Respondent may use such data as necessary to comply with Provision IV.
IV. Sensitive Location Data Program
IT IS FURTHER ORDERED that Respondent, within 90 days of the issuance of this Order, must establish and implement, and thereafter maintain, a Sensitive Location Data Program to prevent the Respondent from using, selling, licensing, transferring, or otherwise sharing any products or services that categorize or target consumers based on Sensitive Location Data (“Sensitive Location Data Program”). To satisfy this requirement, Respondent must, at a minimum:
- Document in writing the components of the Sensitive Location Data Program as well as the plan for implementing and maintaining the Sensitive Location Data Program.
- Identify a qualified employee or employees, who report(s) directly to an executive, such as the Chief Executive Officer, Chief Compliance Officer, or Chief Legal Officer, to coordinate and be responsible for the Sensitive Location Data Program, and keep the executive and the Board of Directors informed of the Sensitive Location Data Program, including all actions and procedures implemented to comply with the requirements of this order, and any actions and procedures to be implemented to ensure continued compliance with this Order.
- Provide the written program and any evaluations thereof or updates thereto to Respondent’s board of directors or governing body or, if no such board or equivalent body exists, to the principal executive officer of Respondent at least every twelve months.
- Develop procedures to identify, using methods, sources, products and services developed by Respondent or offered commercially by third parties, Sensitive Locations in each geographic region in which Respondent collects or otherwise obtains Location Data. If a building or place is identified as including both a Sensitive Location and a non-Sensitive Location, Respondent may associate Location Data with the non-Sensitive Location only.
- Assess, at least once every six months, the accuracy and completeness of Respondent’s list of Sensitive Locations. Such assessments must include:
  - Verifying that Respondent’s list includes Sensitive Locations known to Respondent.
  - Identifying and assessing methods, sources, products, and services developed by Respondent or offered by third parties that identify Sensitive Locations.
  - Updating its list of Sensitive Locations by selecting and using the methods, sources, products, or services developed by Respondent or offered by third parties that are accurate and comprehensive in identifying Sensitive Locations.
  - Documenting each step of this assessment, including the reasons Respondent selected the methods, sources, products, or services used in updating Respondent’s list of Sensitive Locations.
- Implement policies, procedures, and technical measures to prevent Respondent from using, selling, licensing, transferring, or otherwise sharing any products or services that categorize or target consumers based on Sensitive Location Data.
- Monitor and test the effectiveness of the policies, procedures, and technical measures at least annually.
- Evaluate and adjust the Sensitive Location Data Program in light of any changes to Respondent’s operations or business arrangements, or any other circumstance that Respondent knows or has reason to know may have an impact on the Sensitive Location Data Program’s effectiveness. At a minimum, Respondent must evaluate the Sensitive Location Data Program every twelve months and implement modifications based on the results.
V. Other Limitations on Collection, Use, Maintenance, and Disclosure of Location Data Absent Affirmative Express Consent
IT IS FURTHER ORDERED that Respondent and Respondent’s officers, agents, employees, attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must not:
- In connection with any Respondent App, collect, use, maintain, or disclose a consumer’s Location Data without a record satisfying the requirements in Subpart XVI.F documenting the consumer’s Affirmative Express Consent obtained prior to Respondent’s collection or use of Location Data.
- In connection with any Respondent App, collect, use, maintain, or disclose a consumer’s Location Data, unless the consumer receives a Clear and Conspicuous reminder, at least every six months, that the consumer’s Location Data is being collected and, if applicable, disclosed, along with instructions for a simple control to turn off Location Data collection. Any such reminder must be done through a consumer-enabled push notification or to an e-mail address provided by the consumer or, if the consumer has not opted into push notifications and an email address is unavailable, through a notice in the app.
Provided, however, that reminders mandated by Subpart V.B are not required when Respondent confirms that a consumer’s device is utilizing an operating system version that reminds consumers that their Location Data is being collected or that limits Location Data collection by default for infrequently used apps.
VI. SDK Supplier Assessment Program
IT IS FURTHER ORDERED that Respondent, within 90 days of the effective date of this Order, must implement and maintain an “SDK Supplier Assessment Program” designed to ensure that consumers have provided consent for the collection and use of Location Data obtained by Respondent through Respondent’s SDK. In connection with the SDK Supplier Assessment Program, the Respondent must, at a minimum:
- Document in writing the content, implementation, and maintenance of the SDK Supplier Assessment Program.
- Conduct an assessment of each third party providing Location Data to Respondent through Respondent’s SDK within thirty (30) days of such third party entering into a data-sharing agreement with Respondent (or, for parties with existing data-sharing agreements, within thirty (30) days of the implementation of the SDK Supplier Assessment Program), and thereafter annually, designed to confirm that consumers provide Affirmative Express Consent if available, or to confirm that consumers specifically consent to the collection, use, and sale of their Location Data.
- Create and maintain records of the third parties’ responses obtained by Respondents under the SDK Supplier Assessment Program.
- Refrain from using, selling, licensing, transferring, or otherwise sharing or disclosing any Location Data provided to Respondent through Respondent’s SDK after implementation of the SDK Supplier Assessment Program for which Respondent was unable to confirm that consumers have provided consent, as provided in Subpart VI.B above.
VII. Withholding and Withdrawing Affirmative Express Consent
IT IS FURTHER ORDERED that Respondent and Respondent’s officers, agents, employees, attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any Respondent App, must:
- Provide a simple, easily-located means for consumers to withdraw any Affirmative Express Consent provided to Respondent in connection with Location Data that is no more burdensome than the means by which the consumer provided consent. Such means may include a prominent notice with instructions, link to a webpage that sets out instructions, or link to an applicable operating system, device or app permission or setting.
- Not unreasonably limit a consumer’s ability to withhold or withdraw Affirmative Express Consent, such as by degrading the quality or functionality of a product or service as a penalty for withholding or withdrawing such Affirmative Express Consent, unless the collection and use of Location Data is technically necessary to provide the quality or functionality of the product or service without such degradation.
VIII. Obligations When Affirmative Express Consent is Withdrawn
IT IS FURTHER ORDERED that Respondent and Respondent’s officers, agents, employees, attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must cease collecting all Location Data associated with a specific Respondent App on a device within 7 days after Respondent receives notice that the consumer has withdrawn their Affirmative Express Consent for such collection from that app and device using the means that Respondent provided under Subpart VII.A.
IX. Location Data Deletion Requests
IT IS FURTHER ORDERED that Respondent and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must implement and maintain a simple, easily-located means for consumers to request that Respondent delete Location Data that Respondent previously collected from a specific mobile device, and delete Location Data within 30 days of receipt of such request unless a shorter period for deletion is required by law. Respondent may require consumers to provide Respondent with information necessary to complete such requests, but must not use, provide access to, or disclose any information collected for a deletion request for any other purpose. Respondent may implement such deletion requests by Deidentifying the Location Data.
X. Data Retention Limits
IT IS FURTHER ORDERED that Respondent, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Covered Information, must:
- Within 60 days of the effective date of this Order, document, adhere to, and make publicly available from a link on the Respondent Apps or the home page of its website(s), a retention schedule for Covered Information, setting forth: (1) the business purpose(s) for which each type of Covered Information is collected and used; (2) the specific business purpose(s) for retaining each type of Covered Information; (3) an established timeframe for deletion of each type of Covered Information, limited to the shortest time reasonably necessary to fulfill the purpose for which the Covered Information was collected, and in no instance providing for the indefinite retention of any Covered Information.
- Within 60 days of the effective date of this Order, provide a written statement to the Commission, pursuant to the Provision entitled Compliance Report and Notices, describing the retention schedule for Covered Information made publicly available on its website(s) and app(s).
- Prior to collecting any new type of Covered Information that was not being collected as of the issuance date of this Order and is not described in retention schedules published in accordance with Subpart A of this Provision, update its retention schedule setting forth: (1) the purpose or purposes for which the new information is collected and used; (2) the specific business needs for retaining the new information; (3) a set timeframe for deletion of the new information that precludes indefinite retention.
XI. Notice to Consumers
IT IS FURTHER ORDERED that, within 45 days of the effective date of this Order, Respondent must provide a notice to each consumer whose Location Data it collected and used through any Respondent App, where the Respondent does not have a record of the consumer’s Affirmative Express Consent.
- The notice must be delivered through: (1) an email notice (if Respondent previously collected an email address from the user); and (2) a notice in the app itself.
- Email notices sent by Respondent must contain the information set forth in Attachment A.
- Notices in the app itself must contain the following: “InMarket has settled with the Federal Trade Commission, the nation’s consumer protection agency, to resolve their allegations that we collected, used and stored your location data without disclosing our marketing and analytics uses. As part of the settlement, we have changed our practices to improve transparency and control for consumers. To learn more— [Link to text of Attachment A posted on www.inmarket.com].”
XII. Deletion
IT IS FURTHER ORDERED that Respondent and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, must, unless prohibited by law:
- Within 90 days after the effective date of this Order, delete or destroy all Historic Location Data that Respondent collected through Respondent Apps, and provide a written statement to the Commission, confirming that all such information has been deleted or destroyed. Provided, however, Respondent shall have the option to request Affirmative Express Consent from the relevant consumer for the retention of Historic Location Data from a specific device. Within 30 days of Respondent’s request, Respondent will delete such Historic Location Data for any device where a consumer does not provide Affirmative Express Consent, or does not respond to the request within 30 days after the request is provided.
- Within 120 days after the effective date of this Order, delete, Deidentify or render non-sensitive (by, for example, ensuring that the Location Data is not associated with any Sensitive Location identified through the Sensitive Location Data Program under Subpart IV.D) all Historic Location Data that Respondent collected from a third party, and provide a written statement to the Commission, confirming that all such information has been deleted, Deidentified or rendered non-sensitive.
- Within 120 days after the effective date of this Order, delete or destroy all audience segments created using Historic Location Data, and provide a written statement to the Commission, confirming such deletion or destruction.
XIII. Mandated Privacy Program
IT IS FURTHER ORDERED that Respondent, and any business that Respondent controls directly or indirectly, in connection with the collection, maintenance, use, disclosure of, or provision of access to Covered Information, must, within 60 days of issuance of this Order, establish and implement, and thereafter maintain, a comprehensive privacy program (the “Program”) that protects the privacy of such Covered Information. To satisfy this requirement, Respondent must at a minimum:
- Document in writing the content, implementation, and maintenance of the Program.
- Provide the written program, and any evaluations thereof or updates thereto to Respondent’s board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Respondent responsible for the Program at least once every 12 months.
- Designate a qualified employee or employees to coordinate and be responsible for the Program.
- Assess and document, at least once every 12 months, internal and external risks to the privacy of Covered Information that could result in the unauthorized collection, maintenance, use, disclosure of, or provision of access to such Covered Information.
- Design, implement, maintain, and document safeguards that control for the material internal and external risks Respondent identifies to the privacy of Covered Information identified in response to Subpart XIII.D. Each safeguard must be based on the volume and sensitivity of Covered Information that is at risk, and the likelihood that the risk could be realized and result in the unauthorized collection, maintenance, use, disclosure of, or provision of access to Covered Information.
- On at least an annual basis, provide privacy and data security training programs for all employees and independent contractors responsible for handling or who have access to Covered Information, updated to address any identified material internal or external risks and safeguards implemented pursuant to this Order.
- Test and monitor the effectiveness of the safeguards at least once every 12 months, and modify the Program based on the results.
- Evaluate and adjust the Program in light of any changes to Respondent’s operations or business arrangements, new or more efficient technological or operational methods to control for the risks identified in Subpart XIII.D of this Order, or any other circumstances that Respondent knows or has reason to believe may have an impact on the effectiveness of the Program or any of its individual safeguards. At a minimum, Respondent must evaluate the Program at least once every 12 months and modify the Program if needed based on the results.
XIV. Acknowledgments of the Order
IT IS FURTHER ORDERED that Respondent obtain acknowledgments of receipt of this Order:
- Respondent, within 10 days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.
- For 20 years after the issuance date of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of this Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.
- From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.
XV. Compliance Report and Notices
IT IS FURTHER ORDERED that Respondent make timely submissions to the Commission:
- One year after the issuance date of this Order, the Respondent must submit a compliance report, sworn under penalty of perjury, in which the Respondent must: (1) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission, may use to communicate with Respondent; (2) identify all of the Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (3) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; (4) describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes the Respondent made to comply with the Order; and (5) provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.
- The Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (1) any designated point of contact; or (2) the structure of the Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.
- The Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against it within 14 days of its filing.
- Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on:” and supplying the date, signatory’s full name, title (if applicable), and signature.
- Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In re InMarket Media, LLC, FTC File No. 202-3088.
XVI. Recordkeeping
IT IS FURTHER ORDERED that Respondent must create certain records for 20 years after the issuance date of the Order, and retain each such record for 5 years. Specifically, Respondent must create and retain the following records:
- Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;
- Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;
- Copies of all consumer complaints that relate to the collection, use, maintenance, or disclosure of Covered Information, whether received directly or indirectly, such as through a third party, and any response;
- For 5 years from the date received, copies of all subpoenas and other communications with law enforcement, if such communications relate to Respondent’s compliance with this Order;
- A copy of each widely disseminated representation by Respondent that describes the extent to which Respondent maintains or protects the privacy, security and confidentiality of any Covered Information, including any representation concerning a material change in any website or other service controlled by Respondent that relates to the privacy, security, and confidentiality of Covered Information;
- Records showing Affirmative Express Consent for any individual consumer or device from which Respondent has collected Location Data through a Respondent App, the specific notice that individual consumers viewed and consented to, and the time and date of consent;
- Records showing the content and verifying the distribution of the Clear and Conspicuous reminders to individual consumers under Subpart V.B; records showing Respondent’s implementation of the SDK Supplier Assessment Program required by Provision VI; records showing Respondent’s implementation of the Sensitive Location Data Program required by Provision IV; and
- All other records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.
XVII. Compliance Monitoring
IT IS FURTHER ORDERED that, for the purpose of monitoring Respondent’s compliance with this Order:
- Within 10 days of receipt of a written request from a representative of the Commission, the Respondent must submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.
- For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with Respondent who has agreed to such an interview. The interviewee may have counsel present.
- The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.
XVIII. Order Effective Dates
IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:
- Any Provision in this Order that terminates in less than 20 years;
- This Order’s application to any Respondent that is not named as a defendant in such complaint; and
- This Order if such complaint is filed after the Order has terminated pursuant to this Provision.
Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.
By the Commission, Commissioners Holyoak and Ferguson not participating.
April J. Tabor, Secretary
ISSUED: April 29, 2024