FTC takes action against location data companies accused of unlawfully using consumer info

The Federal Trade Commission announced that it is taking action against two location data companies after it said that they unlawfully tracked and sold private consumer information.

Venntel and Gravy Analytics, Inc., Venntel's parent company, are banned from “selling, disclosing, or using sensitive location data in any product or service,” a proposed order from the FTC states. The companies must also establish a sensitive data location program.

Some of Venntel’s customers include federal law enforcement agencies like the Department of Homeland Security, the Drug Enforcement Administration, the Federal Bureau of Investigation, and the Internal Revenue Service, according to the FTC. 

A complaint alleges that Venntel and Gravy Analytics violated the FTC Act by collecting and selling consumer data without proper consent. Gravy Analytics allegedly created a virtual geographical boundary to “identify and sell lists of consumers who attended certain events related to medical conditions and places of worship,” the FTC said in a news release. The Virginia-based company also allegedly sold additional lists that linked consumers to other sensitive characteristics, the release states.

“Surreptitious surveillance by data brokers undermines our civil liberties and puts servicemembers, union workers, religious minorities, and others at risk,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection said in a statement. “This is the FTC’s fourth action taken this year challenging the sale of sensitive location data, and it’s past time for the industry to get serious about protecting Americans’ privacy.”

FTC Commissioner Alvaro Bedoya said the “illegality of this conduct is more than clear.”

The FTC said that Venntel’s and Gravy Analytics’ actions exposed consumers to “potential privacy harms” and put them at risk “of stigma, discrimination, violence, and other harms.”

NBC News reached out to Venntel and Gravy Analytics for comment on Tuesday and did not immediately receive a response. 

The FTC said sensitive location data the companies are banned from using include those pertaining to medical facilities, correctional facilities, religious organizations, military installations, schools and day care centers, and shelters that serve domestic abuse survivors, the homeless, or refugees.

The companies also must ensure that their clients do not use their data to locate someone’s home or track people to political events and are banned from collecting data from consumers who have opted out of targeted advertising, the FTC said. The companies must also delete all sensitive data it has already collected if it is not compliant with the FTC's proposed order.

Each violation of a consent order could result in a $51,744 fine, according to the FTC. The final consent order could be approved after a 30 day public comment period.

The proposed consent order came the same day that the Consumer Financial Protection Bureau, the US agency tasked with financial consumer protection, announced a proposed rule that "would limit the sale of personal identifiers like Social Security Numbers and phone numbers collected by certain companies and make sure that people’s financial data such as income is only shared for legitimate purposes," according to a press release from the agency.