The U.S. Federal Trade Commission has continued its crackdown on data brokers with a settlement banning data aggregation company InMarket from selling consumers’ precise location data.
Texas-based InMarket, which debuted as CheckPoints at TechCrunch Disrupt 2010, provides a marketing platform that collects sensitive consumer data — including location data, purchasing history, and demographic information — which brands and advertising agencies use to facilitate targeted advertising on mobile devices. Based on the data that InMarket collects, brands can target shoppers who are likely to be low-income millennials or Christian churchgoers, according to the FTC.
In its proposed order unveiled Thursday, the FTC accused InMarket of failing to obtain users’ consent before using their location data for marketing and advertising purposes. The FTC claims InMarket failed to obtain consent from users of its own apps — shopping list app ListEase and shopping rewards app CheckPoints — which the regulator said use prompts that contain "misleading half-truths" and do not inform consumers of the apps’ data collection and use practices.
The federal regulator also alleges InMarket “does little” to verify that users of third-party apps incorporating InMarket's tracking code (also known as a software development kit, or SDK) were notified that their location data will be used for targeted advertising.
The FTC said that one unnamed photo-editing app incorporating InMarket’s SDK sought location permission with a prompt stating that the data would be used to provide rewards and discounts, according to the FTC's complaint.
“The consumer would never know that, by granting location permission to a photo-editing app, she actually set into motion a string of data collections that enabled InMarket, a third-party she likely never heard of, to amass a mountain of sensitive data about her without her knowledge," the FTC said
According to the FTC, InMarket’s own apps have been downloaded InMarket onto more than 30 million unique devices since 2017, while InMarket's SDK has been incorporated into more than 300 such apps that have been downloaded onto over 390 devices.
The FTC also says that the company’s policy of retaining geolocation data for five years was “unnecessary” to carry out the purposes for which it was collected, and "increased the risk that this sensitive data could be disclosed, misused, and linked back to the consumer."
Under the terms of the settlement, InMarket will be prohibited from selling, licensing, or sharing any product that targets phone owners based on sensitive location data. InMarket will also be required to destroy all the location data it previously collected — and any products created from this data — unless the company obtains consumer consent, and to notify consumers whose location data was collected through its apps about the FTC’s action and provide users with a way to opt out of any data collection.
In a statement given to TechCrunch, InMarket's chief legal officer and chief privacy officer Jason Knapp said that “while we fundamentally disagree with the FTC’s allegations, we are happy to reaffirm the steps InMarket is taking to further our policies around data disclosure and use.”
“As a business that provides marketing solutions, we have no interest in selling consumer location data, and we have confirmed we will not do so,” added Knapp. “In addition, InMarket is expanding our existing sensitive location protections for consumers to provide a model for the industry, and we are working closely with our SDK partners to ensure their notice and consent processes are clear.”
The announcement comes a week after the FTC announced a separate agreement that blocked data broker X-Mode, now known as Outlogic, from sharing and selling users’ sensitive information to others. That order marked the first time the regulator struck a deal to prohibit a company from selling sensitive location data.