<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=5678177&amp;fmt=gif">

    X-Mode Social and its successor Outlogic will be prohibited from sharing or selling any sensitive location data to settle FTC allegations that the company sold precise location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.
    Back to regulations

    UNITED STATES OF AMERICA BEFORE THE FEDERAL TRADE COMMISSION

    COMMISSIONERS: Lina M. Khan, Chair; Rebecca Kelly Slaughter; Alvaro M. Bedoya; Melissa Holyoak; Andrew Ferguson

    In the Matter of X-MODE SOCIAL, INC., a corporation, and OUTLOGIC, LLC, a limited liability company.

    DOCKET NO. C-4802

    COMPLAINT

    The Federal Trade Commission, having reason to believe that X-Mode Social, Inc., a corporation, and Outlogic, LLC, a limited liability company (collectively, “Respondents”), have violated the provisions of the Federal Trade Commission Act, and it appearing to the Commission that this proceeding is in the public interest, alleges:

    • Respondent X-Mode Social, Inc. (“X-Mode”) is a Virginia corporation with its principal office or place of business at 938 Park Ave, Herndon, VA 20170.

    • Respondent Outlogic, LLC (“Outlogic”) is a Virginia Limited Liability Company with its principal office or place of business at 150 Granby St, Norfolk, VA 23510.

    • On approximately May 25, 2021, Respondent X-Mode consummated a joint venture with Digital Envoy, Inc., in which X-Mode transferred its business and substantially all of its assets to its successor, Outlogic, and Outlogic became a wholly-owned subsidiary of Digital Envoy. Throughout this complaint, “X-Mode” is used to refer to the conduct of both X-Mode and Outlogic, as its successor in interest.

    • The acts and practices of Respondents alleged in this complaint have been in or affecting commerce, as “commerce” is defined in Section 4 of the Federal Trade Commission Act.

    RESPONDENTS’ BUSINESS ACTIVITIES

    • X-Mode is a location data broker that sells consumer location data to hundreds of clients in industries ranging from real estate to finance, as well as private government contractors. According to its marketing material, X-Mode is the “2nd largest US location data company.” X-Mode sells access to the location data in two forms.

    • First, X-Mode licenses to third parties raw location data tied to unique persistent identifiers. These third parties can then analyze and use the data for their own purposes, such as advertising or brand analytics, or provide access to the information for their own customers.

    • Typically, such raw location data includes a unique persistent identifier for the mobile device called a Mobile Advertiser ID (“MAID”), the latitude, longitude, and a timestamp of the observation. This raw location data is capable of matching an individual consumer’s mobile device with the locations they visited. Until at least May 2023, X-Mode did not have any policies or procedures in place to remove sensitive locations from the raw location data sets it sold. X-Mode’s data could, therefore, be used to identify the sensitive locations that individual consumers have visited.

    • Second, X-Mode also licenses “X-Mode audience segments” tied to MAIDs for use by third parties. X-Mode analyzes the location data it obtains and, based on the locations and events visited by mobile devices, categorizes MAIDs into “audience segments” based on interests or characteristics purportedly revealed by the locations or events. X-Mode offers audience segments such as “Size Inclusive Clothing Stores,” “Firehouses,” “Military Bases,” and “Veterans of Foreign Wars.”

    • X-Mode predominantly collects consumer location data through third-party apps that incorporate Respondents’ software development kit (“SDK”), which is a collection of app development tools that, among other things, requests access to the location data generated by a mobile device’s operating system. If the device user allows access, the X-Mode SDK receives the device’s precise latitude and longitude, along with a timestamp and other information about the device’s operating system. This information is then passed on to X-Mode. In some circumstances, X-Mode obtains location data from app developers and publishers through other means, such as server-to-server transfers.

    • X-Mode incentivizes app developers to incorporate the X-Mode SDK into their apps by promising the app developers passive revenue for each consumer’s mobile device that allows the SDK to collect their location data. The X-Mode SDK has been integrated into more than 300 apps, including games, fitness trackers, and religious apps.

    • In addition to collecting consumer location data through its SDK, X-Mode also purchases location data associated with MAIDs from data brokers and other aggregators. These third parties transfer data directly to X-Mode daily through various cloud storage structures.

    • X-Mode has also collected consumer location data associated with MAIDs from users of its own mobile apps, Drunk Mode and Walk Against Humanity.

    • X-Mode aggregates the location data—from its SDK, other data brokers, and, in the past, its own apps—and sells it to third parties. These third parties range from advertisers, software as a service (SaaS) companies, analytics firms, consulting firms, commercial and educational research organizations, and private government contractors.

    • Through its own apps, partner apps, and other data brokers, X-Mode daily has ingested over 10 billion location data points from all over the world. X-Mode advertises that this location data is 70% accurate within 20 meters or less.
    • X-Mode does not restrict the collection of location data from sensitive locations such as healthcare facilities, churches, and schools. X-Mode contractually restricts how its customers may use location data. For example, one such restriction is that its customers cannot:

    • However, these contractual restrictions are insufficient to protect consumers from the substantial injury caused by the collection, transfer, and use of the consumers’ location data from visits to sensitive locations.

    X-Mode’s Location Data Could Be Used to Identify People and Track Them to Sensitive Locations

    • X-Mode’s location data associated with MAIDs could be used to track consumers to sensitive locations, including medical facilities, places of religious worship, places that may be used to infer an LGBTQ+ identification, domestic abuse shelters, and welfare and homeless shelters. For example, by plotting the latitude and longitude coordinates included in the X-Mode data stream using publicly available map programs, it is possible to identify which consumers’ mobile devices visited medical facilities. Further, because each set of coordinates in X-Mode’s data is time-stamped, it is also possible to identify when a mobile device visited the location.

    • The raw data provided by X-Mode to its customers is not anonymized. It is possible to use the geolocation data, combined with the mobile device’s MAID, to identify the mobile device’s user or owner. For example, some data brokers advertise services to match MAIDs with “offline” information, such as consumers’ names and physical addresses.

    • Even without such services, location data could be used to identify people. The location data sold by X-Mode typically includes multiple timestamped signals for each MAID. By plotting each of these signals on a map, much can be inferred about the mobile device owners. For example, the location of a mobile device at night likely corresponds to the consumer’s home address. Public or other records may identify the name of the owner or resident of a particular address.

    X-Mode Failed to Honor Consumers’ Privacy Choices

    • Since approximately 2013, the Android mobile phone operating system has included a privacy control that permitted users to “Opt out of Ads Personalization.” This privacy control allows consumers to opt out from marketers using their phones’ MAIDs to build profiles about the consumers or show them personalized ads.

    • From approximately 2013 to 2021, when consumers enabled this control on their Android phones, the Android operating system would pass a phone’s MAID to an app when requested by the app, along with other requested information, and would include a “flag” informing the app of the consumers’ choice to opt out from personalized advertising.

    • From at least June 2018 to July 2020, X-Mode ingested the MAIDs, mobile location data, and flags of consumers who had enabled the “Opt out of Ads Personalization” control on their Android mobile phones, and, in many instances and contrary to these consumers’ privacy choices, provided access to this data to marketers and other customers. X-Mode provided access to this data so that its customers could, among other things, build profiles about those consumers and serve them personalized advertising. During this time period, consumers were unaware that their privacy choices were not being honored by X-Mode.

    • From at least June 2018 to July 2020, X-Mode failed to employ the necessary technical safeguards and oversight to ensure that consumers’ privacy choices enabled on their Android phones were honored and that their location data was no longer collected or sold for personalized advertising purposes.

    X-Mode Failed to Notify Users of its Own Apps of the Purposes for which Their Location Data Would be Used

    • Although X-Mode primarily obtains its location data through third parties, X-Mode published two of its own apps (Drunk Mode and Walk Against Humanity) and has collected consumers’ location data from those apps. As required by iOS and Android policies, X-Mode provided consumers with in-app explanations requesting permission to collect the consumers’ location data and purporting to provide the uses for the information. X-Mode also published a privacy notice on its website, purporting to provide consumers with information about the company’s use of their personal information, including location data.

    • However, until at least August 2020, the notices provided by X-Mode directly to consumers failed to fully disclose the purposes for which consumers’ location data would be used. For example, a notice displayed in X-Mode’s “Drunk Mode” app used language suggesting that consumers’ location data would be used solely for “ad personalization and location-based analytics including ad performance, market research, and traffic and health research.”:

    • Likewise, in X-Mode’s privacy policy published on or about May 17, 2020, X-Mode identifies “customers” with which X-Mode shares consumers’ information:


    • X-Mode’s consumer notices disclosed certain commercial uses of consumer location data, but X-Mode failed to inform consumers that it would be selling data to government contractors for national security purposes.
    • These facts would be material to consumers in deciding whether to use or grant location permissions to mobile apps. Consumers have expressed concern about the amount of personal information various entities, like advertisers, employers, or law enforcement, know about them and about how such entities use their personal data. Consumers are increasingly reluctant to share their personal information, such as digital activity, emails, text messages, and phone calls, especially without knowing which entities will receive it. Such collection and use impose an unwarranted invasion into consumers’ privacy.
    • X-Mode is aware that understanding the purposes for which their personal information is being collected is material to consumers. Indeed, when advising app publishers on ways to "prime" users to opt-in to the collection of their location data, X-Mode has informed app publishers, “Users are more likely to allow access when trying to complete a task that clearly needs location access.”
    • By failing to fully inform consumers how their data would be used and that their data would be provided to government contractors for national security purposes, X-Mode failed to provide information material to consumers and did not obtain informed consent from consumers to collect and use their location data.

    X-Mode Has Provided App Publishers with Deceptive Consumer Disclosures

    • X-Mode provides sample consumer notices to third-party app publishers that mislead consumers about the purposes for which their location may be used.

    • In most instances, X-Mode does not communicate directly with consumers. Rather, X-Mode obtains most of its location data from third parties, including app publishers. Android and iOS policies require app publishers to get users’ permission to collect their precise location information.

    • Because X-Mode obtains most of its location data from third-party apps, the company relies on these third parties to obtain informed consumer consent to collect, use, or sell location data. X-Mode has provided third-party app publishers incorporating its SDK with recommended language for consumer disclosures in both apps and privacy policies.

    • For example, one consumer consent notice that X-Mode provided to third-party app publishers stated that consumers’ location data would be shared “with third parties to help them conduct ad personalization and location-based analytics.”:

    • This notice and other notices provided by X-Mode to third-party app publishers fail to fully inform consumers how their data would be used and that their geolocation data would be provided to government contractors for national security purposes.

    X-Mode Fails to Verify that Third-Party Apps Notified Consumers of the Purposes for which Their Location Data Would be Used

    • In addition to providing app publishers and others with incomplete and misleading notices, X-Mode has failed to verify that third-party apps incorporating its SDK obtain informed consumer consent to grant X-Mode access to their sensitive location data.

    • Although X-Mode has tracked the language used by third-party apps in consumer notices, X-Mode, in many cases, has not taken corrective actions based on any review of this language. As a result of this tracking, X-Mode is aware that apps provided consumers with deficient notices that did not adequately inform consumers how their data would be used and that their location would be provided to government contractors for national security purposes. However, X-Mode failed to instruct the third-party apps to correct the notices, failed to suspend or terminate its relationship with the third-party apps, and continued to use the data.

    X-Mode Has Targeted Consumers Based on Sensitive Characteristics

    • As discussed above, X-Mode licenses audience segments, categories of MAIDs based on shared characteristics, for use by third parties. X-Mode has a catalog of audience segments that it provides to the marketplace. The company also created custom audience segments for customers with special requests.

    • X-Mode has created custom audience segments that were based on sensitive characteristics of consumers. X-Mode licensed these custom audience segments to a third party for advertising or marketing purposes. Specifically, X-Mode entered into an agreement with a privately held clinical research company to license custom audience segments of consumers who had visited Cardiology, Endocrinology, or Gastroenterology offices and visited a pharmacy or drugstore in the Columbus, Ohio area, and consumers who had visited a specialty infusion center.

    • The purchase order from the organization explained the categorization and use as follows:

    X-Mode's Business Practices Cause or are Likely to Cause Substantial Injury to Consumers

    • X-Mode’s practices cause or are likely to cause substantial injury to consumers. For example, X-Mode’s licensing agreements do not require their customers to employ reasonable and appropriate data security measures commensurate with the sensitivity of precise consumer location data, which increases the risk that the information will be exposed in a data breach.
    • X-Mode has little or no control over downstream uses of the precise location data that it sells. In at least two known instances, X-Mode sold location data to customers who violated contractual restrictions limiting the resale of such data. In such circumstances, X-Mode does not know the full extent of the exposure, such as the identities of all third parties that received the data, how those third parties used the data, or whether those third parties further distributed the data to other recipients.
    • The data sold by X-Mode may be used to identify individual consumers and their visits to sensitive locations, such as houses of worship and doctors’ offices. The sale of such data poses an unwarranted intrusion into the most private areas of consumers’ lives and causes or is likely to cause substantial injury to consumers.
    • Location data may be used to track consumers to places of worship, revealing their religious beliefs and practices.
    • The location data could be used to track consumers who have visited women’s reproductive health clinics and as a result, may have had or contemplated sensitive medical procedures such as an abortion or in vitro fertilization. Using the data X-Mode has made available, it is possible for third parties to target consumers visiting such healthcare facilities and trace that mobile device to a single-family residence.
    • Identification of sensitive and private characteristics of consumers from the location data sold by X-Mode is an invasion of consumers’ privacy that causes or is likely to cause substantial injury through loss of privacy, exposure to discrimination, physical violence, emotional distress, and other harms.
    • The use of location data to categorize consumers based on sensitive characteristics causes or is likely to cause substantial injury. Such categorizations, particularly by companies that consumers never directly interact with, are far outside the expectations and experience of consumers, and can result in additional injuries to consumers, including exposure to risks of discrimination.
    • The market for mobile location data is complex and typically opaque to consumers. Mobile location data, as electronically stored information, is easily transferable and, as Respondents’ practices demonstrate, may be sold and resold multiple times. Once the information is collected, many consumers lose the ability to control its use, spread, and retention, making the harms described above not reasonably avoidable by consumers.
    • These harms are not outweighed by any countervailing benefits to consumers or competition. X-Mode could implement certain safeguards at a reasonable cost and expenditure of resources. For example, X-Mode could audit the process by which its suppliers obtain consent and cease using location data that was not obtained with appropriate consent. Instead, X-Mode relies primarily on contractual language in supplier agreements requiring its suppliers to obtain appropriate consent from consumers and in data licensing agreements prohibiting misuse of its location data, but such language is insufficient to protect consumers from substantial injury.
    • Even when X-Mode was aware that its suppliers were not obtaining appropriate consent, it continued to use consumers’ location data provided by those suppliers.

    VIOLATIONS OF THE FTC ACT

    • Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), prohibits "unfair or deceptive acts or practices in or affecting commerce."

    • Acts or practices are unfair under Section 5 of the FTC Act if they cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition. 15 U.S.C. § 45(n).

    • Misrepresentations or deceptive omissions of material fact constitute deceptive acts or practices prohibited by Section 5(a) of the FTC Act.

    Count I. Unfair Sale of Sensitive Data

    • As described in Paragraphs 15 to 17, Respondents sell, license, or otherwise transfer precise location data associated with unique persistent identifiers that reveal consumers’ visits to sensitive locations, including medical care, reproductive health, religious worship, mental health, temporary shelters (such as shelters for the homeless, domestic violence survivors, or other at-risk populations), and addiction recovery.

    • This practice has caused or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. Consequently, this practice is an unfair act or practice.

    Count II. Unfair Failure to Honor Consumer Privacy Choices

    • As described in Paragraphs 20 to 22, Respondents have collected and sold location data for the purposes of developing consumer profiles, surveilling consumers, and targeting consumers with advertising, even if consumers had opted out of having their location data used for such purposes.

    • This practice caused or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. Consequently, this practice is an unfair act or practice.

    Count III. Unfair Collection and Use of Consumer Location Data

    • Through the means described in Paragraphs 24 to 28, Respondents have collected consumers’ location data from apps that Respondents owned without obtaining consumers’ informed consent to the collection, use, or sale of their data.

    • This practice has caused or is likely to cause substantial injury to consumers in the form of loss of privacy about the day-to-day movements of millions of consumers and an increased risk of disclosure of such sensitive information. This injury is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. Consequently, this practice is an unfair act or practice.

    Count IV. Unfair Collection and Use of Consumer Location Data Without Consent Verification

    • Through the means described in Paragraphs 29 to 34, Respondents collect consumers’ location data through third-party apps that incorporate Respondents’ SDK without taking reasonable steps to verify that those consumers provide informed consent to the collection, use, or sale of their data.

    • This practice has caused or is likely to cause substantial injury to consumers in the form of loss of privacy about the day-to-day movements of millions of consumers and an increased risk of disclosure of such sensitive information. This injury is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. Consequently, this practice is an unfair act or practice.

    Count V. Unfair Categorization of Consumers Based on Sensitive Characteristics for Marketing Purposes

    • As described in Paragraphs 38 and 39, Respondents have categorized consumers into audience segments based on sensitive characteristics, such as visits to medical offices derived from location data. They have sold these audience segments to a third party for marketing purposes.

    • This practice has caused or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. Consequently, this practice is an unfair act or practice.

    Count VI. Deceptive Failure to Disclose Use of Location Data

    • As described in Paragraphs 24 to 30, in numerous instances in connection with the collection, transfer, or sale of consumer location data, Respondents have represented, directly or indirectly, expressly or by implication, that Drunk Mode and Walk Against Humanity app users’ location data would be used by third parties for ad personalization and location-based analytics, including ad performance, market research, and traffic and health research purposes.

    • In fact, as set forth in Paragraphs 11 to 13, Respondents have provided location data collected from Drunk Mode and Walk Against Humanity to government contractors for national security purposes. This fact would be material to consumers in deciding whether to use or grant location permissions to Respondents’ apps.

    • Respondents’ failure to disclose the material information described in Paragraph 63, in light of the representation set forth in Paragraph 62, is a deceptive act or practice.

    Count VII. Means and Instrumentalities to Engage in Deception

    • Through the means described in Paragraphs 29 to 34, Respondents have furnished third-party app publishers with language for consumer disclosures in both apps and privacy policies that mislead consumers about the purposes for which their location may be used, such as by failing to disclose that consumers' location data would be provided to government contractors for national security purposes.

    • By furnishing others with such materials, Respondents have provided the means and instrumentalities for the commission of deceptive acts and practices. Consequently, this practice is a deceptive act or practice.

    Violations of Section 5

    • The acts and practices of Respondents, as alleged in this complaint, constitute unfair or deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.

    THEREFORE, the Federal Trade Commission, this 11th day of April, 2024, has issued this Complaint against Respondents.

    By the Commission,
    Commissioners Holyoak and Ferguson not participating.

    April J. Tabor
    Secretary

    DECISION AND ORDER

    DECISION

    The Federal Trade Commission ("Commission") initiated an investigation of certain acts and practices of Respondents named in the caption. The Commission's Bureau of Consumer Protection ("BCP") prepared and furnished Respondents a draft Complaint. BCP proposed to present the draft Complaint to the Commission for its consideration. If issued by the Commission, the draft Complaint would charge Respondents with violations of the Federal Trade Commission Act.

    Respondents and BCP thereafter executed an Agreement Containing Consent Order ("Consent Agreement"). The Consent Agreement includes:

    • Statements by Respondents that they neither admit nor deny any of the allegations in the Complaint, except as specifically stated in this Decision and Order, and that only for purposes of this action, they admit the facts necessary to establish jurisdiction.
    • Waivers and other provisions as required by the Commission's Rules.

    The Commission considered the matter and determined that it had reason to believe Respondents had violated the Federal Trade Commission Act, and that a Complaint should issue stating its charges in that respect. The Commission accepted the executed Consent Agreement and placed it on the public record for a period of 30 days for the receipt and consideration of public comments. The Commission duly considered any comments received from interested persons pursuant to Section 2.34 of its Rules, 16 C.F.R. § 2.34. Now, in further conformity with the procedure prescribed in Rule 2.34, the Commission issues its Complaint, makes the following Findings, and issues the following Order:

    Findings

    • The Respondents are:

      • X-Mode Social, Inc. ("X-Mode"), a Virginia corporation with its principal office or place of business at 938 Park Ave, Herndon, VA 20170.
      • Outlogic, LLC ("Outlogic"), a Virginia Limited Liability Company with its principal office or place of business at 150 Granby St, Norfolk, VA 23510. Outlogic is the successor in interest of X-Mode.

    • The Commission has jurisdiction over the subject matter of this proceeding and over the Respondents, and the proceeding is in the public interest.

    Definitions

    • Affirmative Express Consent means any freely given, specific, informed, and unambiguous indication of an individual consumer's wishes demonstrating agreement by the individual, such as by an affirmative action, following a Clear and Conspicuous Disclosure to the individual of:

      • The categories of information that will be collected.

      • The purpose(s) for which the information is being collected, used, or disclosed.

      • The hyperlink to a document that describes the types of entities to whom the Covered Information is disclosed.

      • The hyperlink to a simple, easily-located means by which the consumer can withdraw consent and that Clearly and Conspicuously describes any limitations on the consumer's ability to withdraw consent.

      • The Clear and Conspicuous Disclosure must be separate from any "privacy policy," "terms of service," "terms of use," or other similar document.

      • The following does not constitute Affirmative Express Consent:

        • Inferring consent from the hovering over, muting, pausing, or closing of a given piece of content by the consumer.
        • Obtaining consent through a user interface that has the effect of subverting or impairing user autonomy, decision-making, or choice.

    • Clear(ly) and Conspicuous(ly) means that a required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers, including in all of the following ways:

      • In any communication that is solely visual or solely audible, the disclosure must be made through the same means through which the communication is presented. In any communication made through both visual and audible means, such as a television advertisement, the disclosure must be presented simultaneously in both the visual and audible portions of the communication even if the representation requiring the disclosure ("triggering representation") is made through only one means.
      • A visual disclosure, by its size, contrast, location, the length of time it appears, and other characteristics, must stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.
      • An audible disclosure, including by telephone or streaming video, must be delivered in a volume, speed, and cadence sufficient for ordinary consumers to easily hear and understand it.
      • In any communication using an interactive electronic medium, such as the Internet or software, the disclosure must be unavoidable.
      • The disclosure must use diction and syntax understandable to ordinary consumers and must appear in each language in which the triggering representation appears.
      • The disclosure must comply with these requirements in each medium through which it is received, including all electronic devices and face-to-face communications.
      • The disclosure must not be contradicted or mitigated by, or inconsistent with, anything else in the communication.
      • When the representation or sales practice targets a specific audience, such as children, the elderly, or the terminally ill, "ordinary consumers" includes reasonable members of that group.

    • Covered Information means information from or about an individual consumer including, but not limited to:

      • A first and last name.

      • Location Data.

      • An email address or other online contact information.

      • A telephone number.

      • A Social Security number.

      • A driver’s license or other government-issued identification number.

      • A financial institution account number.

      • Credit or debit card information.

      • A persistent identifier, such as a customer number held in a "cookie," a static Internet Protocol ("IP") address, a mobile device ID, or processor serial number.

      • Socio-economic or demographic data.

      • Note: Deidentified information is not Covered Information.

    • Data Product means any model, algorithm, or derived data, in Respondents' custody or control developed, in whole or part, using Historic Location Data. Data Product includes but is not limited to any derived data produced via inference (manual or automated) or predictions such as audience segments.

    • Deidentified or Deidentifiable means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular person, in that Respondents must, at a minimum:

      • Have implemented technical safeguards that prohibit reidentification of the person to whom the information may pertain.
      • Have implemented business processes that specifically prohibit reidentification of the information, including by buyers, customers, or other entities to whom Respondents provide the information.
      • Have implemented business processes to prevent inadvertent release of Deidentified information.
      • Make no attempt to reidentify the information.

    • Historic Location Data means any Location Data that Respondents collected from consumers without consumers' Affirmative Express Consent.

    • Location Data means any data that may reveal a mobile device's or consumer's precise location, including but not limited to Global Positioning System (GPS) coordinates, cell tower information, or precise location information inferred from basic service set identifiers (BSSIDs), WiFi Service Set Identifiers (SSID) information, or Bluetooth receiver information, and any unique persistent identifier combined with any such data, such as a mobile advertising identifier (MAID) or identifier for advertisers (IDFA).

      • Data that reveals only a mobile device or consumer's coarse location (e.g., zip code or census block location with a radius of at least 1,850 feet) or that is collected outside the United States and used for (a) Security Purposes or (b) National Security purposes conducted by federal agencies or other federal entities is not Location Data.

    • National Security means the national defense, foreign intelligence and counterintelligence, international and internal security, and foreign relations. This includes countering terrorism, combating espionage and economic espionage conducted for the benefit of any foreign government, foreign instrumentality, or foreign agent, enforcing export controls and sanctions, and disrupting cyber threats that are perpetrated by nation states, terrorists, or their agents or proxies.

    • Raw Format means the format in which Location Data is originally supplied, prior to any form of processing, extraction, or analysis taking place.

    • Respondents means X-Mode, Inc. ("X-Mode") and Outlogic, LLC ("Outlogic"), and their successors and assigns.

    • Respondents App means a mobile application Respondents own and operate.

    • Security Purposes means preventing, detecting, protecting against, or responding to security incidents, including cybersecurity incidents, identity theft, fraud, phishing, harassment, malicious or deceptive activities, or preserving the integrity or security of systems.

    • Sensitive Locations means locations within the United States associated with:

      • Medical facilities (e.g., family planning centers, general medical and surgical hospitals, offices of physicians, offices of mental health physicians and practitioners, residential mental health and substance abuse facilities, outpatient mental health and substance abuse centers, outpatient care centers, psychiatric and substance abuse hospitals, and specialty hospitals).
      • Religious organizations.
      • Correctional facilities.
      • Labor union offices.
      • Locations of entities held out to the public as predominantly providing education or childcare services to minors.
      • Associations held out to the public as predominantly providing services based on racial or ethnic origin.
      • Locations held out to the public as providing temporary shelter or social services to homeless, survivors of domestic violence, refugees, or immigrants.

    • Sensitive Location Data means any consumer Location Data associated with a Sensitive Location.

    • Software development kit or SDK means the code necessary to integrate Respondents' advertisements or Location Data collection tools in a mobile application ("app").

    • Third-Party Incident means the sharing by a third party of Respondents' Location Data, in violation of a contractual requirement between Respondents and the third party.

    Provisions

    I. Prohibition Against Misrepresentations

    IT IS ORDERED that Respondents and Respondents' officers, agents, employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertising, promotion, offering for sale, sale, or distribution of any product or service, must not misrepresent, in any manner, expressly or by implication:

    • The extent to which Respondents collect, use, maintain, disclose, or delete any Covered Information.
    • The extent to which the Location Data that Respondents collect, use, maintain, or disclose is Deidentified.

    II. Prohibitions on the Use, Sale, or Disclosure of Sensitive Location Data

    IT IS FURTHER ORDERED that Respondents and Respondents' officers, agents, employees, whether acting directly or indirectly, must not sell, license, transfer, share, disclose, or otherwise use in any products or services Sensitive Location Data associated with the Sensitive Locations that Respondents have identified within 180 days of the issuance of this Order as part of the Sensitive Locations Data Program established and maintained pursuant to Provision III below.

    • Provided, however, that the prohibitions in this Provision II do not apply if Respondents:
      • Use Sensitive Location Data to convert such data into data that:
        • Is not Sensitive Location Data.
        • Is not Location Data.
      • Have a direct relationship with the consumer related to the Sensitive Location Data, the consumer has provided Affirmative Express Consent, and the Sensitive Location Data is used to provide a service directly requested by the consumer.

    III. Sensitive Location Data Program

    IT IS FURTHER ORDERED that Respondents, within 180 days of the issuance of this Order, must establish and implement, and thereafter maintain, a Sensitive Location Data Program to develop a comprehensive list of Sensitive Locations and to prevent the use, sale, licensing, transfer, or disclosure of Sensitive Location Data as provided in Provision II above. To satisfy this requirement, Respondents must, at a minimum:

    • Document in writing the components of the Sensitive Location Data Program as well as the plan for implementing and maintaining the Sensitive Location Data Program.
    • Identify a senior officer, such as a Chief Privacy Officer or Chief Compliance Officer, to be responsible for the Sensitive Location Data Program. The senior officer will be approved by and report directly to the board of directors or a committee thereof or, if no such board or equivalent body exists, to the principal executive officer of Respondents.
    • Provide the written program and any evaluations thereof or updates thereto to Respondents' board of directors or governing body or, if no such board or equivalent body exists, to the principal executive officer of Respondents at least every twelve months.
    • Develop and implement procedures to identify Sensitive Locations to be used by Respondent in preventing the sale, license, transfer, use, or other sharing or disclosure of Sensitive Location Data as provided in Provision II above. If a building or place is identified as including both a Sensitive Location and a non-Sensitive Location, Respondent may associate Location Data with the non-Sensitive Location only.
    • Assess, update and document, at least once every six months, the accuracy and completeness of Respondents' list of Sensitive Locations. Respondents' assessments must include:
      • Verifying that Respondents' list includes Sensitive Locations known to Respondent.
      • Identifying and assessing methods, sources, products, and services developed by Respondents or offered by third parties that identify Sensitive Locations.
      • Updating its list of Sensitive Locations by selecting and using the methods, sources, products, or services developed by Respondents or offered by third parties that are accurate and comprehensive in identifying Sensitive Locations.
      • Considering new categories of Sensitive Locations, not enumerated in the definition of Sensitive Locations, such as those based on an announcement by a self-regulatory association. Respondents must determine whether to add the newly identified categories to Respondents' list of Sensitive Locations and, as applicable, complete these additions within the time frames specified in Section III.G.
      • Documenting each step of this assessment, including the reasons Respondents selected the methods, sources, products, or services used in updating Respondents' list of Sensitive Locations.
    • Implement policies, procedures, and technical measures designed to prevent Respondents from using, selling, licensing, transferring, or otherwise sharing or disclosing Sensitive Location Data as provided in Provision II above, and monitor and test the effectiveness of these policies, procedures, and technical measures at least once every six months. Such testing must be designed to verify that Respondents are not using, selling, licensing, transferring, or otherwise sharing or disclosing Sensitive Location Data.
    • Initiate the process of deleting or rendering non-sensitive, Sensitive Location Data associated with locations included in the list developed pursuant to Subparts D and E, within 5 days of adding the location to the list of Sensitive Locations, and complete the process within 90 days of initiation, except where retention is needed to fulfill an allowed purpose as provided in Provision II above. The time period to complete this process may be extended by additional 45-day periods (not to exceed 180 total days) when reasonably necessary, provided the Respondents document at each interval the reasons for the extension and the progress made, and Respondents must not use, provide access to, or disclose Sensitive Location Data during the process of deleting or rendering non-sensitive, for any other purpose.
    • Evaluate and adjust the Sensitive Location Data Program in light of any changes to Respondents' operations or business arrangements, or any other circumstance that Respondents know or have reason to know may have an impact on the Sensitive Location Data Program's effectiveness. At a minimum, Respondents must evaluate the Sensitive Location Data Program every twelve months and implement modifications based on the results.

    IV. Other Location Data Obligations

    IT IS FURTHER ORDERED that Respondents, within 180 days of the issuance of this Order, must establish and implement, and thereafter maintain policies, procedures, and technical measures designed to prevent recipients of Respondents' Location Data, for any such Location Data received after the issuance of this Order, from:

    • Associating such data with locations held out to the public as predominantly providing services to LGBTQ+ individuals, such as service organizations, bars, and nightlife.
    • Associating such data with locations of public gatherings of individuals during political or social demonstrations, marches, and protests.
    • Using such Location Data to determine the identity or the location of an individual's home, i.e., the location of any individual's private residences (e.g., single-family homes, apartments, condominiums, townhomes) (together, "Prohibited Uses").

    Respondents must identify a senior officer, such as a Chief Privacy Officer or Chief Compliance Officer, to be responsible for these policies, procedures, and technical measures. Such policies, procedures, and technical measures shall include:

    • Contractual prohibitions against recipients of Respondents' Location Data from:
      • Reselling, transferring, or disclosing Respondents' Location Data in its Raw Format to a third party ("Reselling").
      • Using Respondents' Location Data in whole or in part to associate a specific individual with the locations identified above.
    • Provided, however, Reselling does not include a recipient receiving Location Data on behalf of a designated end user, for which end user Respondents have implemented policies, procedures, and technical measures required by this Provision IV, and the end user has:
      • Contractually agreed to the prohibitions against Reselling.
      • Contractually agreed not to engage in Prohibited Uses.
    • Marking techniques, such as seeding or salting, designed to detect recipients' non-compliance with contractual prohibitions against resale or re-license of Respondents' Location Data.
    • Assessing and documenting recipients' compliance at least once every twelve months.
    • Terminating relationships with recipients for non-compliance.

    V. Third-Party Incident Reports

    IT IS FURTHER ORDERED that within 30 days of Respondents' determination that a Third-Party Incident has occurred, Respondents must submit a report to the Commission. The report must include, to the extent possible:

    • The estimated date range when the Third-Party Incident occurred.
    • A description of the facts relating to the Third-Party Incident, including the causes of the Third-Party Incident, if known, and participants.
    • A description of each type of information that was affected by the Third-Party Incident.
    • The number of consumers whose information was affected by the Third-Party Incident.
    • The acts Respondents have taken to date to remediate the Third-Party Incident and protect Covered Information from further exposure or access.

    Unless otherwise directed by a Commission representative in writing, Respondents must submit all Third-Party Incident reports to the Commission under penalty of perjury as specified in the Section of this Order titled "Compliance Report and Notices."

    VI. Limitations on Collection, Use, Maintenance, and Disclosure of Location Data

    IT IS FURTHER ORDERED that Respondents and Respondents' officers, agents, employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must not:

    • Collect, use, maintain, or disclose Location Data from devices where a consumer has enabled the mobile operating system privacy settings to opt out of, limit, or otherwise decline targeted advertising or tracking, without a record satisfying the requirements in Provision VII.B, documenting the consumer's consent.
    • Within 90 days of the effective date of this Order, collect, use, maintain, or disclose an individual's Location Data without a record satisfying the requirements in Provision VII.B, documenting the consumer's consent obtained prior to Respondents' collection or use of Location Data.
    • In connection with any Respondents' App, collect, use, maintain, or disclose a consumer's Location Data, unless the consumer receives a Clear and Conspicuous reminder, at least quarterly, that the consumer's Location Data is being collected and, if applicable, disclosed, along with instructions for a simple control to turn off Location Data collection. Any such reminder must be done through a consumer-enabled push notification or to an e-mail address provided by the consumer or, if the consumer has not opted into push notifications and an email address is unavailable, through a notice in the application.

    Provided, however, that reminders mandated by Provision VI.C are not required when Respondents confirm that a consumer's device is utilizing an operating system version that reminds consumers that their Location Data is being collected or that limits Location Data collection by default for infrequently used apps.

    VII. Supplier Assessment Program

    IT IS FURTHER ORDERED that Respondents, within 90 days of the effective date of this Order, must implement a program designed to ensure that consumers have provided consent for the collection and use of Location Data obtained by Respondents, including by implementing and maintaining a "Supplier Assessment Program." In connection with the Supplier Assessment Program, Respondents must, at a minimum:

    • Document in writing the content, implementation, and maintenance of the Supplier Assessment Program.
    • Conduct an initial assessment either within 30 days of a third party entering into data-sharing agreements with Respondents (or, for parties with existing data-sharing agreements, within 30 days of the effective date of this Order) or within 30 days of the initial date of data collection from such a third party, and thereafter annually, designed to confirm that consumers provide Affirmative Express Consent if feasible, or to confirm that consumers specifically consent to the collection, use, and sale of their Location Data.
    • Create and maintain records of the suppliers' responses obtained by Respondents under the Supplier Assessment Program.
    • Cease from using, selling, licensing, transferring, or otherwise sharing or disclosing Location Data for which consumers have not provided consent, as provided in Provision VII.B above.

    VIII. Disclosures to Consumers

    IT IS FURTHER ORDERED that Respondents and Respondents' officers, agents, employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must provide a Clear and Conspicuous means for consumers to request the identity of any entity, business, or individual to whom their Location Data has been sold, transferred, licensed, or otherwise disclosed.

    Provided, however, that the disclosure requirements in this Provision VIII do not apply if Respondents provide consumers with a Clear and Conspicuous method to delete their Location Data from the commercial databases of all recipients of such Location Data, expressly instruct (or contractually require) such recipients to honor such requests sent or made available to them by Respondents, expressly request (or contractually demand) written confirmation of deletion of the identified Location Data, and provide consumers with written confirmation of such deletion requests or instructions sent to recipients and written confirmation of deletion from recipients (where confirmed), no later than 90 days of the receipt of consumers' requests.

    IX. Withholding and Withdrawing Consent

    IT IS FURTHER ORDERED that Respondents and Respondents' officers, agents, employees, and all other persons in active concert or participation with any of them who receive actual notice of this Order, whether acting directly or indirectly, must:

    • Provide a simple, easily-located means for consumers to withdraw any consent provided in accordance with Provision VII.B (including Affirmative Express Consent) in connection with Location Data. Such means may include a Clear and Conspicuous notice or link to an applicable operating system, device, app permission or setting, or a consumer app made publicly available (including through the app stores, where permissible) that automatically opts out mobile device information from use, but Respondents must not use, provide access to, or disclose any information collected for such a request for any other purpose.

    Provided, however, that Respondent may retain such Location Data to prevent, detect, or investigate data security incidents, or to protect against malicious, deceptive, fraudulent, or illegal activity directed at the Respondents, for the shortest time reasonably necessary to fulfill this purpose. However, Respondents must not use, provide access to, or disclose such Location Data retained for security and anti-fraud purposes, for any other purpose.

    • As to Respondents' App, not unreasonably limit a consumer's ability to withhold or withdraw Affirmative Express Consent, such as by degrading the quality or functionality of a product or service as a penalty for withholding or withdrawing consent provided in accordance with Provision VII.B (including Affirmative Express Consent), unless the collection and use of Location Data is technically necessary to provide the quality or functionality of the product or service without such degradation.

    X. Obligations When Consent is Withdrawn

    IT IS FURTHER ORDERED that Respondents, and Respondents' officers, agents, employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must cease collecting all Location Data associated with a specific app and device within 15 days after Respondents receive notice that the consumer withdraws their consent provided in accordance with Provision VII.B (including Affirmative Express Consent) for such collection from that app and device.

    XI. Location Data Deletion Requests

    IT IS FURTHER ORDERED that Respondents and Respondents' officers, agents, employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must implement and maintain a simple, easily-located means for consumers to request that Respondents delete Location Data that Respondents previously collected from a specific mobile device, and delete Location Data within 30 days of receipt of such request unless a shorter period for deletion is required by law. Respondents may require consumers to provide Respondents with information necessary to complete such requests, but must not use, provide access to, or disclose any information collected for a deletion request for any other purpose.

    Provided however, that such Location Data may be retained to prevent, detect, or investigate data security incidents, or to protect against malicious, deceptive, fraudulent, or illegal activity directed at the Respondents, for the shortest time reasonably necessary to fulfill this purpose, but Respondents must not use, provide access to, or disclose such Location Data retained for security and anti-fraud purposes, for any other purpose.

    XII. Data Retention Limits

    IT IS FURTHER ORDERED that Respondents, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Covered Information, must:

    • Within 60 days of the effective date of this Order, document, adhere to, and make publicly available through a link on the home page of their website(s), in a manner that is Clear and Conspicuous, a retention schedule for Covered Information, setting forth:

      • the purpose or purposes for which each type of Covered Information is collected or used;
      • the specific business needs for retaining each type of Covered Information; and
      • an established timeframe for deletion of each type of Covered Information limited to the time reasonably necessary to fulfill the purpose for which the Covered Information was collected, and in no instance providing for the indefinite retention of any Covered Information.

    • Within 60 days of the effective date of this Order, Respondents shall provide a written statement to the Commission, pursuant to the Provision entitled Compliance Report and Notices, describing the retention schedule for Covered Information made publicly available on its website(s).

    • Prior to collecting or using any new type of information related to consumers that was not being collected as of the issuance date of this Order, and is not described in retention schedules published in accordance with sub-Provision A of this Provision entitled Limitation on Retention of Location Data, Respondents must update its retention schedule setting forth:

      • the purpose or purposes for which the new information is collected;
      • the specific business needs for retaining the new information; and
      • a set timeframe for deletion of the new information that precludes indefinite retention.

    XIII. Deletion

    IT IS FURTHER ORDERED that Respondents and Respondents' officers, agents, employees, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, must, unless prohibited by law:

    • Within 60 days after the effective date of this Order, delete or destroy all Historic Location Data that Respondents collected through apps that it operates or collected through Respondents' SDK, and provide a written statement to the Commission, pursuant to Provision XVII, confirming that all such information has been deleted or destroyed.
      provided however, Respondents shall have the option to retain Historic Location Data if it has obtained Affirmative Express Consent from the relevant consumer for the retention of Historic Location Data within 90 days after the effective date of this Order, or if within such time period it ensures such Historic Location Data is Deidentified or rendered non-sensitive in accordance with Provision III above, and provided that the Historic Location Data is subject to the obligations in Provision IV above.
      Provided further, that such Historic Location Data may be retained to prevent, detect, or investigate data security incidents, or to protect against malicious, deceptive, fraudulent, or illegal activity directed at the Respondents, for the shortest time reasonably necessary to fulfill this purpose, but Respondents must not use, provide access to, or disclose such Historic Location Data retained for security and anti-fraud purposes, for any other purpose. Respondents will in any event delete such Historic Location Data for any consumer who selects the deletion option.

    • Within 90 days after the effective date of this Order, (i) inform Respondents' customers that received Historic Location Data within 3 years prior to the issuance date of this Order, of the FTC's requirement in Provision XIII.A that the FTC requires such data to be deleted, Deidentified, or rendered non-sensitive, and (ii) Respondents shall promptly submit, within 10 days of sending to its customers, all such notices to the Commission under penalty of perjury as specified in the Section of this Order titled "Compliance Report and Notices."

    • Within 90 days after the effective date of this Order, delete or destroy all Data Products, and provide a written statement to the Commission, pursuant to Provision XVII, confirming such deletion or destruction.

    XIV. Mandated Privacy Program

    IT IS FURTHER ORDERED that Respondents, and any business that Respondents control directly or indirectly, in connection with the collection, maintenance, use, disclosure of, or provision of access to Covered Information, must, within 60 days of the effective date of this Order, establish and implement, and thereafter maintain, a comprehensive privacy program (the "Program") that protects the privacy of such Covered Information. To satisfy this requirement, Respondents must at a minimum do the following:

    • Document in writing the content, implementation, and maintenance of the Program.

    • Provide the written program, and any evaluations thereof or updates thereto to Respondents' board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Respondents responsible for the Program at least once every 12 months.

    • Designate a qualified employee or employees to coordinate and be responsible for the Program.

    • Assess and document, at least once every 12 months, internal and external risks to the privacy of Covered Information that could result in the unauthorized collection, maintenance, use, disclosure of, or provision of access to, Covered Information.

    • Design, implement, maintain, and document safeguards that control for the material internal and external risks Respondents identify to the privacy of Covered Information identified in response to Provision XIV.D. Each safeguard must be based on the volume and sensitivity of Covered Information that is at risk, and the likelihood that the risk could be realized and result in the unauthorized collection, maintenance, use, disclosure of, or provision of access to Covered Information.

    • On at least an annual basis, provide privacy training programs for all employees and independent contractors responsible for handling or who have access to Covered Information, updated to address any identified material internal or external risks and safeguards implemented pursuant to this Order.

    • Test and monitor the effectiveness of the safeguards at least once every 12 months, and modify the Program based on the results.

    • Evaluate and adjust the Program in light of any changes to Respondents' operations or business arrangements, new or more efficient technological or operational methods to control for the risks identified in Provision XIV.D of this Order, or any other circumstances that Respondents know or have reason to believe may have an impact on the effectiveness of the Program or any of their individual safeguards. At a minimum, Respondents must evaluate the Program at least once every 12 months and modify the Program based on the results.

    XV. Acknowledgments of the Order

    IT IS FURTHER ORDERED that Respondents obtain acknowledgments of receipt of this Order:

    • Respondents, within 10 days after the effective date of this Order, must submit to the Commission acknowledgments of receipt of this Order sworn under penalty of perjury.

    • For 5 years after the issuance date of this Order, Respondents must deliver a copy of this Order to:

      • all principals, officers, directors, and LLC managers and members;
      • all employees having managerial responsibilities for conduct related to the subject matter of this Order, and all agents and representatives having managerial responsibilities for the conduct related to the subject matter of this Order; and
      • any business entity resulting from any change in structure as set forth in Provision XVI titled Compliance Report and Notices. Delivery must occur within 10 days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.

    • From each individual or entity to which Respondents delivered a copy of this Order, Respondents must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.

    XVI. Compliance Report and Notices

    IT IS FURTHER ORDERED that Respondents make timely submissions to the Commission:

    • One year after the issuance date of this Order, each of the Respondents must submit a compliance report, sworn under penalty of perjury, in which the Respondents must:

      • identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Respondents;
      • identify all of the Respondents' businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses;
      • describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales;
      • describe in detail whether and how the Respondents are in compliance with each Provision of this Order, including a discussion of all of the changes the Respondents made to comply with the Order; and
      • provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.

    • The Respondents must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following:

      • any designated point of contact; or
      • the structure of the Respondents or any entity that Respondents have any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.

    • The Respondents must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against either Respondent within 14 days of its filing.

    • Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding:
      “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: __” and supplying the date, signatory's full name, title (if applicable), and signature.

    • Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to:Associate Director for Enforcement, Bureau of Consumer Protection,Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.The subject line must begin: In re X-Mode Social, Inc. & Outlogic, LLC., FTC File No. 212-3038.

    XVII. Recordkeeping

    IT IS FURTHER ORDERED that Respondents must create certain records for 5 years after the issuance date of the Order, and retain each such record for 5 years. Specifically, Respondents must create and retain the following records:

    • Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss.

    • Personnel records showing, for each person providing services, whether as an employee or otherwise, that person's:

      • name;
      • addresses;
      • telephone numbers;
      • job title or position;
      • dates of service; and
      • (if applicable) the reason for termination.

    • Copies of all consumer complaints that relate to the collection, use, maintenance, or disclosure of Covered Information, whether received directly or indirectly, such as through a third party, and any response.

    • For 5 years from the date received, copies of communications from law enforcement, if such communications request information or documents relating to Respondents' compliance with this Order.

    • A copy of each widely disseminated representation by either of the Respondents that describes the extent to which Respondents:

      • review data suppliers' compliance and consent frameworks, consumer disclosures, sample notices, and opt-in controls;
      • collect, use, maintain, disclose, or delete any Covered Information; and
      • the extent to which the Location Data that Respondents collect, use, maintain, or disclose is Deidentified.

    • Records showing Affirmative Express Consent for any individual consumers or device from which Respondents have collected Location Data through a Respondent App, the specific notice that individual consumers viewed and consented to, and the time and date of consent.

    • Records showing the content and verifying the distribution of Clear and Conspicuous reminders to individual consumers under Provision VI.C.

    • Records showing the Respondents' implementation of the Supplier Assessment Program required by Provision VII.

    • Records showing Respondents' implementation of the Sensitive Location Data Program required by Provision III.

    • Records showing Respondents' processing of consumer deletion requests as provided in Provision VIII.

    • All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.

    XVIII. Compliance Monitoring

    IT IS FURTHER ORDERED that, for the purpose of monitoring Respondents' compliance with this Order:

    • Within 14 days of receipt of a written request from a representative of the Commission, the Respondents must submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.

    • For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondents. Respondents must permit representatives of the Commission to interview anyone affiliated with Respondents who has agreed to such an interview. The interviewee may have counsel present.

    • The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondents or any individual or entity affiliated with Respondents, without the necessity of identification or prior notice. Nothing in this Order limits the Commission's lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.

    XIX. Order Effective Dates

    IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission's website (ftc.gov) as a final order. This Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission's seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:

    • Any provision in this Order that terminates in less than 20 years.

    • This Order's application to any Respondents that are not named as a defendant in such complaint.

    • This Order if such complaint is filed after the Order has terminated pursuant to this provision.

    Provided, further, that if such complaint is dismissed or a federal court rules that the Respondents did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.

    By the Commission, Commissioners Holyoak and Ferguson not participating.

    April J. Tabor
    Secretary
    ISSUED: April 11, 2024

    Table of contents
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you..

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596