Gravy Analytics and Mobilewalla Ordered to Strengthen Consent Protocols Amid FTC Scrutiny
In a recent enforcement action, the U.S. Federal Trade Commission (FTC) has directed data brokers Gravy Analytics and its parent company Venntel to enhance their consent measures regarding the acquisition and distribution of geolocation data. This move follows allegations that these companies were unlawfully selling consumers’ location information without proper consent, providing advertisers with deep insights into individuals’ daily lives.
The FTC’s complaint reveals that Venntel, based in Virginia, utilized significant amounts of location data, collected from billions of mobile devices, to help online advertisers target consumers. The agency underscores that Gravy Analytics even labeled its consumers into highly specific categories, such as "Early Risers" or "Restaurant Visitors during COVID Quarantine," all derived from location patterns.
Moreover, the FTC accused Georgia-based Mobilewalla of accumulating smartphone location data through real-time bidding for online advertising, despite industry rules forbidding the retention of such data in these transactions. According to the FTC, Mobilewalla’s retention of this information raises substantial privacy concerns, as it stands in direct violation of consumer trust and regulatory norms.
Sam Levine, director of the FTC’s Bureau of Consumer Protection, commented on the implications of this surveillance on civil liberties, stressing the urgent need for the data broker industry to prioritize consumer privacy. The FTC’s allegations are particularly concerning as they detail how Gravy Analytics and Venntel’s practices could enable invasive tracking by law enforcement agencies, potentially jeopardizing the safety of marginalized communities, including survivors of domestic violence and immigrants.
The FTC’s disclosure indicates that these data brokers sold detailed location information to law enforcement, including agencies like Immigration and Customs Enforcement and Customs and Border Protection. Such data trails, which are not anonymized, could easily link back to individuals and raise ethical concerns about the government’s use of commercial data for surveillance purposes.
Under the terms of a recently proposed consent order, Gravy Analytics and Venntel are mandated to either delete or anonymize sensitive location data collected over the past three years. Additionally, they must implement a supplier assessment program that ensures consumers provide explicit consent for the collection and use of their precise location data.
For Mobilewalla, a settlement will restrict the company from collecting consumer data unrelated to online ad auctions and prevent it from selling identifiable location data for private residences. The Electronic Privacy Information Center (EPIC) has highlighted the broader implications of such data collection practices, advocating for stringent regulations that would govern data brokers under existing consumer protection laws.
This enforcement action illustrates the FTC’s increasing vigilance over data privacy and the responsibilities held by data brokers in safeguarding consumer information. The need for businesses to conduct thorough assessments of their data collection practices aligns closely with the principles outlined in the MITRE ATT&CK framework, particularly concerning adversary tactics like initial access and persistence that can arise when data is mishandled or inadequately protected. As these regulations evolve, it will be imperative for business owners to stay informed and ensure compliance to mitigate potential cybersecurity risks.