The US Federal Trade Commission continued its crackdown on data brokers with a settlement that bars data aggregator InMarket from selling consumers’ precise location data.
Texas-based InMarket, which debuted as CheckPoints at TechCrunch Disrupt 2010, provides a marketing platform that collects sensitive consumer data — including location data, purchase history and demographic information — that brands and advertisers use to facilitate targeted advertising on mobile devices. Based on the data InMarket collects, brands can target shoppers who are likely to be low-income millennials or Christian churchgoers, according to the FTC.
Inside proposed order revealed Thursday, the FTC accused InMarket of failing to obtain users’ consent before using their location data for marketing and advertising purposes. The FTC alleges that InMarket failed to obtain consent from users of its apps — shopping list app ListEase and shopping rewards app CheckPoints — which the regulator said use messages that contain “misleading half-truths” and fail to inform consumers of the applications data collection and use practices.
The federal regulator also alleges that InMarket “does little” to verify that users of third-party apps that integrate InMarket’s tracking code (also known as software development kits, or SDKs) were notified that their location data would be used for targeted advertising.
The FTC said an anonymous photo-editing app that integrates InMarket’s SDK requested location permission with a prompt stating that the data would be used to provide rewards and discounts, according to the FTC’s complaint.
“The consumer would never know that by granting location permission to a photo-editing app, they essentially set in motion a series of data collections that allowed InMarket, a third party they’d probably never heard of, to amass a mountain of sensitive data. for her without her knowledge,” the FTC said
According to the FTC, InMarket’s apps have been downloaded on InMarket on more than 30 million unique devices as of 2017, and the InMarket SDK has been integrated into more than 300 such apps downloaded on more than 390 devices.
The FTC also says the company’s policy of retaining geolocation data for five years was “unnecessary” to accomplish the purposes for which it was collected and “increased the risk that this sensitive data could be disclosed, misused, and linked to consumer.”
Under the terms of the settlement, InMarket will be prohibited from selling, licensing or sharing any product that targets phone owners based on sensitive location data. InMarket will also have to destroy all location data it previously collected — and any products created from that data — unless the company obtains consumer consent and notifies consumers whose location data was collected through its apps about with FTC action and provide users with a way to opt out of any data collection.
In a statement provided to TechCrunch, InMarket’s Chief Legal Officer and Chief Privacy Officer Jason Knapp said that “while we fundamentally disagree with the FTC’s allegations, we are pleased to confirm the steps InMarket is taking to promote our data disclosure and use policies.”
“As a marketing solutions business, we have no interest in selling consumer location data and have confirmed that we will not,” Knapp added. “Additionally, InMarket is expanding existing sensitive location protections for consumers to provide a model for the industry, and we are working closely with our SDK partners to ensure that notification and consent processes are clear.”
The announcement comes a week after the FTC announced a separate settlement that prevented data broker X-Mode, now known as Outlogic, from sharing and selling sensitive user information to others. That order marked the first time the regulator struck a deal to bar a company from selling sensitive location data.
