Kate Lucente, Lea Lurquin, Madison Bucci and Matt Dhaiti | Privacy Matters | DLA Piper Data Protection and Privacy | DLA Piper
https://privacymatters.dlapiper.com/author/madison-bucci/

US: The FTC Cracks Down on Sensitive Personal Information Disclosures
https://privacymatters.dlapiper.com/2024/04/us-the-ftc-cracks-down-on-sensitive-personal-information-disclosures/
Sat, 27 Apr 2024 00:41:47 +0000

The Federal Trade Commission (“FTC”) is taking bold action to challenge businesses’ collection and monetization of consumers’ personal data, particularly sensitive personal data. This month, the FTC reached settlements with a data broker, X-Mode Social and its successor Outlogic LLC (“X-Mode”), and an alcohol addiction treatment firm, Monument Inc. (“Monument”), for, among other things, allegedly selling or sharing sensitive personal data with third-party advertising firms without consent and contrary to each company’s public disclosures. These settlements are just two of several notable sensitive-data enforcement actions the FTC has taken recently.

In this post, we summarize and provide key takeaways from the FTC’s enforcement against X-Mode and Monument.

I. The FTC’s Order Against X-Mode for Selling and Sharing Sensitive Location Information

The FTC reached an unprecedented settlement with data broker, X-Mode, prohibiting it from disclosing sensitive geolocation information and requiring it to delete or destroy all precise geolocation data previously collected as well as all products or services created with this data, unless it obtains valid consumer consent.

Background

In its complaint, the FTC alleges X-Mode sold precise geolocation data that could be used to track individuals’ visits to sensitive locations such as reproductive health clinics, shelters, medical clinics, or places of worship, in violation of Section 5 of the FTC Act, which prohibits companies from engaging in unfair or deceptive acts or practices. The FTC alleges X-Mode surreptitiously collected and sold precise geolocation data from millions of users without their consent, in violation of their privacy rights, and in direct opposition to the company’s own public representations.

In particular, the FTC alleges that X-Mode did not adequately disclose the intended use of users’ geolocation data and did not secure valid, informed and affirmative consent from users prior to the data collection and sharing. Further, the company did not provide users of its own apps (e.g., Drunk Mode and Walk Against Humanity) with transparent notices describing the purposes for collecting and processing geolocation information, and did not notify them that their information would be sold to government contractors for national security purposes. Additionally, X-Mode allegedly failed to honor Android users’ requests to opt out of such data collection and provided third parties with access to these users’ sensitive personal data in conflict with their privacy choices.

Although X-Mode has two of its own apps that collect geolocation information, it primarily relies on third-party app publishers to amass the location information it collects and sells. The FTC claims the company provided sample consumer notices to these third-party app publishers that misled consumers about the purposes for which their location information was being collected, used, and could otherwise be processed. The company also allegedly failed to verify that the third-party app publishers were, on their own, notifying their consumers of the relevant processing purposes and obtaining valid consent.

Additionally, the FTC alleges the company targeted consumers based on sensitive characteristics and failed to remove sensitive geolocation information from the raw location data it sold to third parties downstream. It also failed to implement reasonable or appropriate safeguards against improper downstream uses of the location information it sold.

FTC Order Requirements

The FTC’s decision and order prohibits X-Mode from selling or sharing any sensitive location data and requires the company to:

  • delete or destroy all precise geolocation data previously collected as well as all products or services created with this data, unless it obtains valid consumer consent or ensures the data has been de-identified or rendered non-sensitive.
  • maintain a comprehensive record of all sensitive location data it collects and maintains, to ensure it is adequately protecting and not unlawfully selling or sharing this information.
  • develop a supplier assessment program to ensure that third parties who provide location data to X-Mode:
    • obtain affirmative express consent from consumers for the collection, use, and sale of their data and
    • ensure that data brokers/providers are tracking and honoring individuals’ requests to opt out of the sale/disclosure of their data.
  • ensure all recipients of its location data do not associate it with sensitive locations, such as medical facilities, religious institutions, shelters, schools, union offices, and immigrant service offices.
  • notify the FTC within thirty (30) days of determining there was a “third-party incident,” defined as a third-party sharing X-Mode’s location data in violation of its contractual limitations.
  • establish a data retention schedule and implement a comprehensive privacy program that adequately protects consumers’ personal information.
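The complaint faults X-Mode for selling raw location data with sensitive locations still in it, and the order requires recipients not to associate its data with medical facilities, places of worship, shelters and similar sites. The block below is an added illustration of one way a location data supplier could suppress such points before they leave the company; it is not X-Mode’s or Outlogic’s code, and the place list, radii, coordinates and sample pings are constructed for the example.

```javascript
// Added example (not X-Mode's or Outlogic's code): drop precise location pings
// that fall within a radius of a sensitive place before the data leaves the
// company, and report how many were suppressed. The place list, radii and
// pings below are constructed for the example.

const EARTH_RADIUS_M = 6371000;

function toRadians(deg) {
  return (deg * Math.PI) / 180;
}

// Great-circle distance between two {lat, lon} points, in metres (haversine).
function haversineMeters(a, b) {
  const dLat = toRadians(b.lat - a.lat);
  const dLon = toRadians(b.lon - a.lon);
  const lat1 = toRadians(a.lat);
  const lat2 = toRadians(b.lat);
  const h =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(lat1) * Math.cos(lat2) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(h));
}

// Constructed list of sensitive places (categories taken from the order's
// examples); coordinates are arbitrary and do not correspond to real sites.
const SENSITIVE_PLACES = [
  { category: 'medical facility', lat: 40.0, lon: -74.0, radiusM: 200 },
  { category: 'place of worship', lat: 40.05, lon: -74.05, radiusM: 150 },
];

// Returns the first sensitive place whose radius contains the ping, or null.
function nearestSensitivePlace(ping, places = SENSITIVE_PLACES) {
  for (const place of places) {
    if (haversineMeters(ping, place) <= place.radiusM) return place;
  }
  return null;
}

// Splits a batch of pings into those safe to forward and a count of those
// suppressed. Pings near a sensitive place are dropped entirely rather than
// tagged, so a downstream recipient never receives them.
function scrubLocationBatch(pings, places = SENSITIVE_PLACES) {
  const kept = [];
  let suppressed = 0;
  for (const ping of pings) {
    if (nearestSensitivePlace(ping, places)) {
      suppressed += 1;
    } else {
      kept.push(ping);
    }
  }
  return { kept, suppressed };
}

// Constructed sample batch: two pings inside the 200 m clinic radius, one well outside.
const SAMPLE_PINGS = [
  { deviceId: 'dev-1', lat: 40.0005, lon: -74.0, ts: 1700000000 }, // ~56 m from the clinic
  { deviceId: 'dev-2', lat: 40.0, lon: -73.998, ts: 1700000060 }, // ~170 m from the clinic
  { deviceId: 'dev-3', lat: 40.01, lon: -74.0, ts: 1700000120 }, // ~1.1 km away, forwarded
];

const scrubResult = scrubLocationBatch(SAMPLE_PINGS);
console.log(`kept ${scrubResult.kept.length}, suppressed ${scrubResult.suppressed}`);
```

A radius filter only works as well as the place list behind it, so the list itself is a sensitive asset: it should be sourced from a maintained dataset, versioned, and logged against each batch so that a later audit can show which list was in force when the data shipped.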

The order specifies that disclosures requesting consumers’ “affirmative express consent” must be “clear and conspicuous” and separate from any existing terms of service, terms of use, or privacy policy; hovering over a piece of content on a website, muting content, pausing content, or closing content does not constitute affirmative express consent.

Likewise, the FTC’s order against Monument for certain alleged disclosures of sensitive health data stipulates similar remedial measures.

II. The FTC’s Order Against Monument regarding Disclosures of Sensitive Health Data to Third Parties for Marketing Purposes

The FTC announced a proposed order prohibiting alcohol addiction treatment company Monument from disclosing individuals’ health information to third-party advertising companies and platforms for purposes of targeted advertising without valid consent.

Background

In its complaint, the FTC alleges that Monument used online tracking technologies such as cookies, pixels, APIs, and similar technologies to collect personal data about individuals who visited and interacted with Monument’s websites and other online and subscription services. The relevant data includes name, email address, postal address, phone number, date of birth, IP address, government-issued ID, information about alcohol consumption and medical history, device identifiers, and other information about the 84,000 impacted individuals. Once collected, Monument allegedly categorized this information into “Custom Events” and provided the Custom Event information, along with email addresses, IP addresses, and other unique identifiers, to third-party advertisers for retargeting and custom-audience purposes, allowing advertisers to identify specific individuals for targeted advertising. The complaint further alleges that Monument’s contracts with these third-party advertisers did not limit the third parties’ downstream use of the disclosed personal data for their own commercial purposes.
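The mechanism described above is a site-side event (a “Custom Event”) bundled with an identifier and handed to an advertising platform. The block below is an added example, not Monument’s code, of the gate an operator can put between site events and an ad platform so that nothing leaves without affirmative express consent of the kind the X-Mode order describes (explicit, separate from the terms of service, not inferred from hovering, muting, pausing or closing), and so that only allowlisted events and fields leave even then. The consent records, event names, field names and health-term pattern are constructed for the example.

```javascript
// Added example (not Monument's code): decide whether a site event may be
// forwarded to an advertising platform at all and, if so, which fields it may
// carry. Default-deny: only allowlisted events and parameters leave, and only
// with a recorded affirmative express consent for advertising. Event names,
// field names and consent records below are constructed for the example.

// Interaction signals the FTC order says do NOT amount to affirmative express consent.
const NON_CONSENT_SIGNALS = new Set(['hover', 'mute', 'pause', 'close', 'scroll', 'continue_browsing']);

// Consent counts only if it was an explicit act, recorded separately from the
// terms of service / privacy policy, not withdrawn, and covering the purpose
// actually being exercised.
function hasAffirmativeExpressConsent(record, purpose) {
  if (!record || NON_CONSENT_SIGNALS.has(record.method)) return false;
  if (record.standalone !== true) return false; // bundled into ToS: not valid
  if (record.withdrawnAt) return false; // revocation must be honoured
  return Array.isArray(record.purposes) && record.purposes.includes(purpose);
}

// Constructed allowlist: event name -> parameters that may accompany it.
// Identifiers (email, IP, phone, device IDs) are deliberately absent: on a
// treatment service they tie a person to the fact of having sought treatment.
const ALLOWED_AD_EVENTS = new Map([
  ['PageView', ['page']],
  ['ContentView', ['contentId']],
]);

// Second line of defence on values: catch health terms carried in an
// otherwise permitted field (e.g. a page path that names a condition).
const HEALTH_TERMS = /alcohol|drink|sober|medical|diagnos|treatment|medication|therapy|health/i;

function buildAdPayload(event, consentRecord) {
  if (!hasAffirmativeExpressConsent(consentRecord, 'advertising')) {
    return { action: 'drop', reason: 'no_affirmative_express_consent' };
  }
  const allowedParams = ALLOWED_AD_EVENTS.get(event.name);
  if (!allowedParams) {
    return { action: 'drop', reason: 'event_not_allowlisted' };
  }
  const params = {};
  const dropped = [];
  for (const [key, value] of Object.entries(event.params || {})) {
    if (allowedParams.includes(key) && !HEALTH_TERMS.test(String(value))) {
      params[key] = value;
    } else {
      dropped.push(key);
    }
  }
  return { action: 'send', payload: { name: event.name, params }, dropped };
}

// Constructed consent records and events.
const VALID_CONSENT = { method: 'checkbox', standalone: true, purposes: ['advertising'] };
const CLOSED_BANNER = { method: 'close', standalone: true, purposes: ['advertising'] };

const PAGE_VIEW = {
  name: 'PageView',
  params: { page: '/pricing', email: 'user@example.com', ip: '203.0.113.5' },
};
const ASSESSMENT = {
  name: 'AlcoholAssessmentCompleted',
  params: { page: '/assessment', email: 'user@example.com', drinksPerWeek: 30 },
};

console.log(buildAdPayload(PAGE_VIEW, VALID_CONSENT)); // send: params {page}, dropped email and ip
console.log(buildAdPayload(PAGE_VIEW, CLOSED_BANNER)); // drop: closing a banner is not consent
console.log(buildAdPayload(ASSESSMENT, VALID_CONSENT)); // drop: event not allowlisted
```

The allowlist is the important design choice. A denylist of “health-looking” fields is what lets a Custom Event such as a completed assessment slip through under an innocuous name; with an allowlist, a new event cannot reach the ad platform until someone has consciously decided that it carries no health information.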

The FTC documented that Monument publicly claimed in its privacy policy that it was fully compliant with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and that any information provided by individuals would be kept “100% confidential, secure and HIPAA compliant.” The policy also stated that Monument would not disclose any personal data, including health information, to third parties without the individual’s written consent. Nonetheless, the same privacy policy stated that Monument would disclose personal data, including health information, to third parties, including for marketing purposes.

The FTC claims that these disclosures and representations violate Section 5 of the FTC Act, as misrepresentations and deceptive omissions of material facts constituting deceptive practices, and the Opioid Addiction Recovery Fraud Prevention Act of 2018 (“OARFPA”), which prohibits unfair or deceptive acts or practices with respect to a substance use disorder treatment service or product.

FTC Order Requirements

Under the order, along with imposing a (suspended) $2.5 million civil penalty and amongst other things, Monument must:

  • identify all health information the company shared with relevant third parties for unlawful purposes and instruct the third-party recipients to delete such data;
  • provide notice to all impacted individuals about the unlawful disclosure of their personal data, including their health information;
  • not disclose any health information to third parties for advertising purposes;
  • obtain an individual’s affirmative express consent prior to disclosing health information for any purpose other than advertising (which is prohibited under the order); and
  • not make deceptive or misleading statements to promote its services, such as about its HIPAA compliance and its data practices.

Monument is also ordered to implement a comprehensive privacy program to protect the privacy and security of the personal data it collects, retains, and discloses. The privacy program must include:

  • a privacy officer, a designated and qualified employee who reports to a senior executive and is responsible for the privacy program;
  • regular assessments of the company’s privacy operations concerning personal data;
  • adequate technical, administrative, and organizational safeguards to protect personal data, including reviews of its relevant contracts with third parties;
  • a data retention policy that limits retention of personal data to the shortest time necessary to fulfill the purposes for which it was collected and the retention schedule must be made publicly available; and
  • processes to maintain records of processing activities that capture the personal data that is collected on behalf of and/or disclosed to a third party.

III. Takeaways

In line with its other recent enforcement actions, these orders underscore the FTC’s commitment to restraining the collection, sale, or disclosure of consumers’ sensitive personal information. Businesses that collect, sell, or otherwise process sensitive personal information, and particularly precise geolocation information and health information, should:

  • Establish and implement a comprehensive privacy program that adequately maps the company’s collection and processing of personal information and protects consumers’ personal information;
  • Conduct due diligence of downstream third-party businesses and service providers to whom it discloses personal information and ensure that adequate contractual terms are in place;
  • Obtain affirmative and informed prior consent from individuals for the collection, use, disclosure and/or sale of their sensitive personal data;
  • Avoid sharing, selling, or otherwise disclosing sensitive geolocation data and health information;
  • Ensure data providers/data brokers who supply the company with personal information are collecting informed, affirmative and valid consent from individuals and honoring opt-outs as necessary; and
  • Review their data retention schedules and practices.

These orders highlight the growing importance of implementing and maintaining a comprehensive, well-rounded privacy program that goes beyond providing a cookie-cutter privacy policy, and the FTC’s willingness to increase oversight and institute significant consequences against those who don’t.

For more information about these developments and FTC enforcement in general, contact your DLA relationship Partner, the authors of this post, or any member of our Data, Privacy and Cyber security team.

US: New Jersey Enacts Comprehensive State Privacy Law
https://privacymatters.dlapiper.com/2024/02/us-new-jersey-enacts-comprehensive-state-privacy-law/
Tue, 13 Feb 2024 16:27:52 +0000

On January 16, 2024, the New Jersey Governor signed into law Senate Bill 332 (the “Act”), making New Jersey the 14th state to adopt a comprehensive state privacy law. The Act will take effect on January 15, 2025, and requires the Division of Consumer Affairs to issue rules and regulations to effectuate the Act; however, the Act does not specify a timeline for establishing such regulations.

Regulated Entities

The Act applies to entities that conduct business in New Jersey or produce products or services that are targeted to New Jersey residents, and that during a calendar year meet one of the following criteria:

  • control or process the personal data of at least 100,000 New Jersey consumers; or
  • control or process the personal data of at least 25,000 New Jersey consumers and derive revenue, or receive a discount on the price of any goods or services, from the “sale” of personal data.

Unlike many other comprehensive state privacy laws, the Act does not contain an exemption for nonprofits.[1] It does, however, exempt “financial institutions” that are subject to the Gramm-Leach-Bliley Act. On the other hand, the Act (similar to the CCPA) only exempts “protected health information collected by a covered entity or business associate” subject to HIPAA; it does not exempt covered entities (or business associates) in their entirety. Like most state comprehensive privacy laws, the Act also contains some limited exemptions for personal data subject to certain federal privacy laws and regulations, including (1) personal data sold pursuant to the Driver’s Privacy Protection Act of 1994, (2) personal data collected, processed, sold, or disclosed by a consumer reporting agency in compliance with the Fair Credit Reporting Act, and (3) personal data collected, processed, or disclosed as part of clinical research conducted in accordance with U.S. federal policy (45 C.F.R. Part 46) or FDA regulations (21 C.F.R. Parts 50 and 56) for the protection of human subjects in clinical research.

Key Definitions

For the most part, the definitions under the Act align to those of existing state comprehensive privacy laws.

Consumer: A “consumer” is “an identified person who is a resident of [New Jersey] acting only in an individual or household context.” As with the majority of the other state comprehensive privacy laws (not including the California Consumer Privacy Act, or “CCPA”), the Act expressly excludes “a person acting in a commercial or employment context.”

Personal Data: Under the Act, “personal data” includes “any information that is linked or reasonably linkable to an identified or identifiable person. . . not [including] de-identified data or publicly available data.”

Profiling: Under the Act, “profiling” means “automated processing” of personal data “to evaluate, analyze or predict. . . an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements.” The Act imposes varying obligations and restrictions on certain (automated) profiling activities that could affect consumers in a legal or similarly significant way or that pose a heightened risk of certain types of harm or negative impacts on consumers.

Sale: In line with the CCPA and the majority of state comprehensive privacy laws, the Act broadly defines “sale” to include “sharing, disclosing or transferring of personal data for monetary or other valuable consideration.”  However, in addition to carving out transfers to processors and transfers to provide a service requested by a consumer, the Act also specifically carves out from “sale” transfers to affiliates and transfers of personal data that a “consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience.”

Sensitive Data: Similar to most comprehensive state privacy laws, under the Act,  “sensitive data” includes personal data revealing racial or ethnic origin, religious belief, mental or physical health condition, treatment or diagnosis, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, personal data collected from a known child, and precise geolocation data. More broadly than most other state privacy laws, “sensitive data” also includes “financial information which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account” and “status as transgender or non-binary.” 

Targeted Advertising: The term “targeted advertising” means advertising to a consumer “based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet web sites or online applications.”

Consumer Rights

In line with other state privacy laws in effect, the Act provides consumers with the following rights:

  • Right to access personal data;
  • Right to correct personal data;
  • Right to delete personal data;
  • Right to obtain a copy of personal data;
  • Right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer; and
  • Right to appeal a controller’s denial of a request to exercise one of the rights above.

Under the Act, consumers can designate an authorized agent to submit opt out requests on their behalf, but not requests to correct, delete, or access information about, or obtain a copy of, their personal data processed by the controller.

Consumers are entitled to at least one free request per year, after which the controller can charge a “reasonable fee” to cover the administrative cost of responding to requests that are “manifestly unfounded, excessive, or repetitive.” Controllers are not required to respond to requests that they cannot authenticate, except for opt-out requests, which do not have to be authenticated.

Key Obligations Under the Act

While most of the obligations apply to controllers, the Act also imposes some direct obligations on processors, including the requirement to assist the controller in meeting its obligations under the Act and to only process personal data in accordance with the controller’s instructions. A processor that processes personal data beyond the controller’s processing instructions will be deemed a controller under the Act (and subject to all of the controller obligations).

The key requirements under the Act include:

  • Privacy Notice: The Act requires controllers to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes (1) the categories of personal data the controller processes; (2) the purpose for processing; (3) the categories of third parties to which the controller may disclose personal data; (4) the categories of personal data the controller shares with third parties; (5) how a consumer can exercise their privacy rights; (6) the process by which the controller will notify consumers of material changes to the privacy policy; and (7) an active email address or other online mechanism the consumer can use to contact the controller. 

In addition, controllers that sell personal data or process personal data for purposes of targeted advertising, sales, or automated profiling “in furtherance of decisions that produce legal or similarly significant effects concerning a consumer” must “clearly and conspicuously disclose” such sales and processing and inform consumers of the manner in which they may opt out.

  • Data Protection Assessments: Like the majority of existing state comprehensive privacy laws, the Act will require controllers to conduct and document a data protection assessment prior to processing personal data that presents a “heightened risk of harm” to consumers. The definition of heightened risk of harm includes, for example, processing personal data for targeted advertising purposes, selling personal data, processing sensitive data, and processing personal data for the purposes of profiling that presents a reasonably foreseeable risk of certain types of harm (e.g., unlawful disparate impact on consumers, or financial or physical injury). Processors are required to provide information to the controller as necessary to enable the controller to conduct and document data protection assessments.
  • Consumer Privacy Requests: Under the Act, controllers have 45 days to respond to consumer rights requests, which may be extended for an additional 45 days where “reasonably necessary.”  Processors are required to implement appropriate technical and organizational measures to enable the controller to meet its obligations to respond to consumer privacy requests.
  • Consumer Consent: Under the Act, controllers must obtain consumer consent to process: (1) sensitive data; (2) personal data for purposes that are not reasonably necessary to or compatible with the purposes of collection and processing, as initially disclosed to the consumer; and (3) personal data of individuals between 13 and 17 years old for the purpose of selling the data, serving targeted advertising, or profiling the individual.  Controllers must also provide consumers a mechanism for revoking consent that is as easy as the mechanism for providing consent.
  • Universal Opt-Out Mechanism: Six months from the effective date, the Act requires controllers engaged in targeted advertising or the “sale” of personal data to allow consumers to exercise the right to opt out of such processing through a user-selected universal opt-out mechanism. Further details will be provided in the forthcoming rules and regulations.
  • Collection Limitation: Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer and may not process personal data for incompatible purposes without first obtaining consent.
  • Security and Confidentiality: The Act imposes security obligations on both controllers and processors. Controllers are required to establish and maintain administrative, technical, and physical data security measures “appropriate to the volume and nature of the personal data,” including measures to protect the confidentiality, integrity and accessibility of personal data and secure it from unauthorized acquisition “during both storage and use.” Processors are required to ensure that persons who process personal data are subject to confidentiality obligations and to help controllers meet their obligations to provide data breach notices and maintain reasonable security.

In addition, the Act imposes a joint obligation on both controllers and processors to implement “technical and organizational security measures to ensure a level of security that is appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.”

  • Processor and Subcontractor Contracts: Controllers and processors are required to enter into a written contract that sets forth the processing instructions, identifies the type of personal data and duration of processing, requires the return or deletion of personal data at the end of the engagement, imposes obligations on the processor to demonstrate compliance to the controller and allow for and contribute to reasonable assessments by the controller, and includes other required terms.  Processors are also required to enter into written contracts with subcontractors binding them to comply with the obligations applicable to the processor.
  • Discrimination: Controllers are prohibited from discriminating against consumers for exercising their rights under the Act, and from increasing the cost for, or decreasing the availability of, a product or service based “solely on the exercise of a right and unrelated to feasibility or the value” of the service.

Enforcement

The Act will be enforced solely by the New Jersey Attorney General who may seek penalties of up to $10,000 for the first violation and up to $20,000 for the second and subsequent violations. There is no private right of action available under the Act.

For the first 18 months following the effective date of the Act (January 15, 2025), there will be a 30-day cure period for violations. During this time, the Division of Consumer Affairs must issue a notice of violation to the controller “if a cure is deemed possible” prior to bringing an enforcement action. If the violation is not cured within 30 days, the Division of Consumer Affairs can then bring an enforcement action. The right to cure applies only to violations by controllers, not processors.


[1] While an earlier version of the bill included a definition of “business” that excluded non-profit entities, that definition and exclusion were struck and are not included in the final version.
