Skip to Content
Client Payment

Events In the News

Continuing Scrutiny on Data Brokers

on Friday, 21 February 2025 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

Over the last year we have seen increased focus on regulating data brokers – those entities that sell personal information of individuals with whom they do not have a direct business relationship.  The FTC is continuing this push with a recent consent agreement. Last month, the FTC finalized a Consent Order against Gravy Analytics, Inc. (“Gravy”) and Ventel, Inc. (“Ventel”), based on their collection, processing, and use of precise geolocation data of individual consumers.

Gravy and Ventel’s business model was to obtain precise geolocation data on individual’s from other companies, meaning that neither Gravy, nor Ventel had direct interaction with these individuals, and then monetize this information. As described by the FTC in its complaint:

These location signals, gathered from consumers’ mobile phones, identify consumers’ precise geolocation by latitude and longitude coordinates at the time the signal was gathered. Each location signal is also associated with a Mobile Advertising ID (“MAID”) which is an alphanumeric identifier that iOS or Android platforms assign to each mobile device. This unique mobile device identifier is assigned to a consumer’s mobile phone to assist marketers in advertising to consumers. These data signals are collected from a mobile device’s GPS coordinates and may, at times, be augmented by other signals, such as WiFi.

As is clear from this description, this information is precise enough to provide exacting insight into an individual’s movements allowing accurate inferences about an individual’s life.  For example, the locations could be “used to track consumers to sensitive locations, including places of religious worship, places that may be used to infer an LGBTQ+ identification, domestic abuse shelters, medical facilities, political activity, and welfare and homeless shelters.”  Not only did Gravy and Venntel commercialize this data, but Gravy conducted analytics of this data to further package the data for purchase as audience segments. This sensitive data was sold by Gravy to commercial customers and by Venntel to public sector customers.

As noted, Gravy and Venntel did not have direct relationships with individual consumers, rather they purchased this data from other entities, and as such they relied on those entities to obtain proper consent from individuals.  The complaint alleges that this information was purchased from entities even when Gravy and Venntel knew proper consent was not obtained. The FTC alleges that it is an unfair act under § 5 of the FTC Act to collect this information without express affirmative consent, as well as its subsequent use.

Gravy and Venntel entered into a consent order, which requires cessation of these practices and deployment of a compliance framework, including the following:

  • Deletion of all location data collected without affirmative express consent;
  • Prohibiting the sale, license, transfer, share, disclosure, or other use in any products or services precise geolocation data associated with the Sensitive Locations (including medical facilities and religious organizations, among others); and
  • Implementation of a comprehensive framework to comply with § 5 of the FTC Act and the provisions of the Consent Order.

This action underscores the continuing focus of data brokers, as well as additional care companies that collect precise geolocation data should take in providing proper disclosure and obtaining appropriate consent.

The final Complaint and Consent Order may be found here.

AriAnna C. Goldstein
back

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500

Law Firm Website Design