On December 3, 2024, the Federal Trade Commission (FTC) announced two enforcement actions against large data aggregator companies, Mobilewalla, Inc. (“Mobilewalla”) and Gravy Analytics Inc. (“Gravy Analytics”), for alleged misuse and unfair practices relating to the collection and transfer of sensitive consumer data. The actions against Mobilewalla and Gravy Analytics (and its subsidiary, Venntel Inc. (“Venntel”)) continue the agency’s application of Section 5 unfair practices authority to the sale of consumers’ sensitive location data.
The action against location data broker Mobilewalla also featured the agency’s first ever prohibition on the collection of consumer data from real-time bidding (RTB) exchanges. RTB exchanges are a digital mechanism that online publishers use to auction off digital ad space to advertisers. To ensure the advertisement is customized to the targeted consumer, online publishers may share the consumer’s location and personal information with advertisers as part of the bidding process.
While the Mobilewalla action highlights how different technologies are being used to collect consumer data, both the Mobilewalla and Gravy Analytics enforcement actions are just the latest in a series of FTC decisions alleging unfair use of consumers’ sensitive location data by data aggregators.
In this post, we summarize both the complaints and orders from the FTC’s enforcement actions involving Gravy Analytics, Venntel, and Mobilewalla, as well as provide some key takeaways from these decisions. We are happy to answer any questions you might have about your company’s data compliance programs. To keep up to date on the FTC’s latest privacy enforcement activities, be sure to subscribe to the WilmerHale Cybersecurity and Privacy Law Blog.
Summary of the Complaints
Gravy Analytics and Venntel collect and sell precise consumer location data obtained from other data suppliers. This geolocation data is curated from third-party suppliers before being sold to private and public sector customers. According to the FTC, Gravy Analytics and Venntel continued to collect consumers’ geolocation data even upon learning the consumers didn’t provide informed consent and sold sensitive characteristics, like consumers’ religious affiliations and medical decisions, based on the geolocation data. Similar to Gravy Analytics and Venntel, Mobilewalla is a data broker that obtains consumer location data from third-party data suppliers rather than directly from consumers. According to the FTC, Mobilewalla collected and retained consumers’ data from RTB exchanges and sold consumers’ sensitive geolocation data without ensuring that consumers provided informed consent.
Specifically, the Gravy Analytics complaint and the Mobilewalla complaint assert the following data practices as violations of Section 5 of the FTC Act:
Unfair Sale of Sensitive Data
In both complaints, the FTC claimed that Gravy Analytics and Mobilewalla’s business models of providing consumers’ mobile geolocation data to third parties resulted in the disclosure of sensitive information. The data provided by Gravy Analytics and Mobilewalla included the longitude, latitude, and timestamp of a consumer’s location. As the FTC explained, this type of precise geolocation data can track consumers to sensitive locations, including medical facilities, places of worship, and government assistance agencies.
Unfair Collection and Use of Consumer Location Data without Consent Verification
Additionally, the FTC alleged that both Gravy Analytics and Mobilewalla collected and used consumers’ geolocation data on numerous occasions without taking reasonable steps to ensure that consumers provided informed consent. While Gravy Analytics requested its data suppliers to provide notice to its consumers, the FTC alleged that Gravy Analytics continued to collect, use, and sell the data obtained by suppliers who failed to provide such notice. Furthermore, the FTC claimed that Venntel did not have an independent process for confirming whether consumers provided informed consent, instead relying on Gravy Analytics to obtain these confirmations. Finally, the FTC alleged that both Gravy Analytics and Venntel continued to use consumers’ geolocation data even after learning that consumers did not provide informed consent. Similarly, Mobilewalla allegedly relied on “vague contractual assurances” that data suppliers were complying with applicable consumer consent laws, stopping short of contractually requiring data suppliers to obtain consumer consent. Moreover, the FTC claimed that Mobilewalla failed to review examples of the consent notices used by the suppliers and rarely followed up to determine whether changes were later made to privacy disclosures.
Unfair Sale of Sensitive Inferences Derived from Consumers’ Location Data
Furthermore, the FTC alleged that Gravy Analytics and Mobilewalla sold sensitive data points inferred from consumers’ geolocation data. Based on data such as when consumers attended church, went to the doctor, or participated in political rallies, Gravy Analytics and Mobilewalla created “audience segments” or subsets of consumers who shared interests or values. By categorizing consumers into audience segments based on employment, medical decisions, or political affiliation, customers were able to target advertising to consumers. In addition to developing audience segments for customers, Gravy Analytics also provided “persona” data products that identified every audience segment affiliated with an individual consumer.
Unfair Collection of Consumer Information from RTB Exchanges
The FTC claimed that Mobilewalla collected immense volumes of consumer information from RTB exchanges by saving the consumer information contained within a bid request. Typically, these requests include information such as the consumers’ mobile advertising identifier (MAID), the timestamp, the manufacturer of the consumers’ device, the mobile application in which the consumer will see the advertisement, and the consumers’ geolocation. While the terms of RTB exchanges prohibit companies from retaining consumer information if the company loses the bid, Mobilewalla collected and used consumer information from lost bids. Furthermore, Mobilewalla collected and used the consumer information for non-advertising purposes, which is also against RTB exchange terms. For example, Mobilewalla allegedly used consumers’ information from a bid request to create a geofence around a set of health centers and employees’ home addresses so that a customer could poach these nurses on behalf of a health care competitor.
Unfair Retention of Consumer Location Information
Finally, the FTC also claimed that Mobilewalla’s retention of sensitive consumer location information “indefinitely” allowed the company to infer sensitive information about consumers for years. According to the FTC, a repository of this magnitude makes consumers vulnerable to serious dangers like stalking, targeted scams, and reputational harm. For example, the FTC claimed that a Mobilewalla customer proposed building a geofence around the homes of individuals from a private lawsuit to track those individuals over the span of years and determine whether the individuals visited federal law enforcement offices. Additionally, Mobilewalla has allegedly marketed its ability to identify consumers’ home addresses and whether such consumers attended any political rallies in the past five years.
Summary of the Proposed Orders
The FTC imposed several key requirements on the companies subject to the two enforcement actions, including:
- Limit the future use, sale, or disclosure of sensitive information data. The Gravy Analytics and Venntel proposed order prohibits the use, sale or disclosure of sensitive location data with limited exceptions for national security or law enforcement. Similarly, the Mobilewalla proposed order bans the company from disclosing sensitive location data. More specifically, the FTC prohibits Mobilewalla from using, selling, or disclosing sensitive location data from health clinics, religious organizations, correctional facilities, labor union offices, LGBTQ+ related locations, political gatherings, and military installations.
- Implement a Sensitive Location Data Program. In both orders, the FTC requires the companies to create and maintain a sensitive location data program. The agency notes that the programs should develop a comprehensive list of sensitive locations to ensure these locations are omitted before the disclosure of location data sets. The order for Gravy Analytics and Venntel specifies that the comprehensive list of sensitive locations should include any area affiliated with medical facilities, religious organizations, correctional facilities, labor union offices, schools or childcare facilities, services supporting people based on racial and ethnic backgrounds, services sheltering homeless, domestic abuse, refugee or immigrant populations, and military installations.
- Maintain a supplier assessment program that verifies consumers’ informed consent. Additionally, the consent orders require the companies to create and maintain supplier assessment programs. According to the FTC, the programs should be designed to verify that consumers provided informed consent to the collection and use of their location data. Additionally, the collection and use of consumer location data is prohibited until suppliers provide the companies with records showing that consumers provided informed consent.
- Prohibit the misrepresentation of how data is collected and maintained. The FTC prohibits all three companies from misrepresenting how data is collected, maintained, used, deleted, or disclosed. The proposed orders also require the companies to disclose the extent to which consumers’ location data is de-identified. Additionally, the proposed order for Gravy Analytics and Venntel prohibits the misrepresentation of how the companies review data suppliers’ compliance and consent frameworks, consumer disclosures, sample notices, and opt-in controls.
- Implement methods for consumers to withdraw consent and request data deletion. In the Mobilewalla proposed order, the FTC requires the company to implement a method for consumers to request the deletion of their location data, as well as the deletion of older data. Additionally, Mobilewalla is required to delete historic location data and any work product that was created from this data. Mobilewalla must also provide a method for consumers to withdraw their consent. Once a consumer withdraws consent, the order mandates that Mobilewalla delete their data and stop collecting more data from that consumer.
- Limit the retention of consumer location data from online advertising auctions. Additionally, the FTC has prohibited Mobilewalla from collecting or retaining consumer data from RTB exchanges for any purpose other than participating in the online advertising auction.
Key Takeaways
- The FTC continues to target alleged collection, use, and transfer of sensitive data. The enforcement actions against Gravy Analytics, Venntel, and Mobilewalla are just the latest in a series of FTC decisions challenging data aggregators’ alleged unfair handling of consumers’ sensitive location data. Previous actions include the 2022 action against Kochava for selling consumer location data linked to reproductive health clinics, among other sensitive locations, and the 2024 actions against X-Mode for selling raw location data and InMarket for selling consumers’ precise location data. Companies should be aware of the FTC’s continued focus on the potential consumer harm resulting from the collection, disclosure, and retention of consumers’ sensitive location data.
- Some geolocation data is more sensitive than others. At this point, we’ve seen regulators and legislators (at the state level) establish extra protections over geolocation data related to sensitive locations such as medical facilities and religious institutions. Through its consent orders, the FTC continues to expand its definition of what location data is considered sensitive. The definition of “sensitive location” in both orders lists locations such as “locations held out to the public as predominantly providing services to LGBTQ+ individuals such as service organizations, bars and nightlife;” “locations held out to the public as predominantly providing services based on racial or ethnic origin;” and “locations of public gatherings of individuals during political or social demonstrations, marches, and protests” that arguably have broad interpretation and application. On top of this definition, the orders also mandate each company develop and maintain its own comprehensive list of sensitive locations (via the Sensitive Location Data Program), further expanding the scope of “sensitive location data.”
- Companies are responsible for the sensitive data practices in their supply chain when dealing with consumer consent. These enforcement actions are not the first time (see, e.g., the X-Mode and InMarket enforcement actions) the FTC has asserted that companies, like data brokers, engaging in the transfer and/or sale of sensitive data must ensure that the previous data collectors and third parties have obtained adequate consent from the consumer regarding the specific use. The proposed orders contain some concrete steps, policies, and procedures—like establishing a sensitive location data program and appointing a privacy officer to oversee these practices—around how companies can identify and address mishandling of sensitive location data or inadequate consent channels by third parties.
- The collection and use of consumer information from RTB exchanges for non-advertising purposes might violate the FTC Act. The Mobilewalla enforcement action marks the first time the FTC has alleged that collecting consumer data from RTB exchanges for non-advertising purposes is an unfair act or practice. Additionally, the Mobilewalla proposed consent order contains the FTC’s first provisions limiting the collection and use of consumer data made accessible to companies during ad exchanges. Accordingly, companies should assess their data use related to their participation in RTB exchanges or auctions and consider refraining from collecting, using, or retaining consumer data for any purpose beyond participation in the exchange. As the FTC summarized in a recent blog post on the Mobilewalla enforcement action, “[t]ackling the privacy concerns involved with real-time bidding might be a new frontier, but that will not stop the agency’s track record of enforcing the law against companies that collect, use, and share consumers’ sensitive data without their consent.”
- The FTC is raising constitutional concerns associated with the data broker industry. Commissioner Alvaro Bedoya’s concurrence for Gravy Analytics, which was joined in full by the two other Democratic-appointed commissioners and in part by Republican commissioner Melissa Holyoak, runs through the data privacy canon of Supreme Court decisions such as Katz v. United States and Carpenter v. United States in its argument that these detailed consumer profiles sold by data brokers on the open market may run afoul of Fourth Amendment protections if made available to the government. Bedoya writes, “[t]o make this [point] plain: Carpenter said that to get this data, you need a warrant; Venntel lets them get it without a warrant.” Although these concurring statements do not hold authoritative weight, they provide helpful insight into how FTC leadership is thinking about these issues and informing their enforcement priorities.