The Federal Trade Commission is taking action against Mobilewalla, a data broker that collects and sells sensitive location data.

According to the FTC, Mobilewalla collected data from real-time bidding exchanges, as well as from third-party data aggregators. More often than not, customers had not given consent and had no knowledge—nor any way of knowing—that Mobilewalla had collected their data.

“Persistent tracking by data brokers can put millions of Americans at risk, exposing the precise locations where service members are stationed or which medical treatments someone is seeking,” said FTC Chair Lina Khan. “Mobilewalla exploited vulnerabilities in digital ad markets to harvest this data at a stunning scale. The FTC is cracking down on firms that unlawfully exploit people’s sensitive location data and ensuring that we protect Americans from unchecked surveillance.”

To make matters worse, Mobilewalla retained the raw data without anonymizing it, and had no policy to strip the data of sensitive information. As a result, individual mobile devices could be easily identified by the data, data the company then sold to third parties.

“Mobilewalla collected massive amounts of sensitive consumer data – including visits to health clinics and places of worship – and sold this data in a way that exposed consumers to harm,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is acting today to stop these invasive practices and protect the public from always-on surveillance.”

Under the FTC’s proposed action, Mobilewall would “be banned from collecting consumer data from online advertising auctions for purposes other than participating in those auctions,” and would be banned “from selling sensitive location data, including data that reveals the identity of an individual’s private home.” The ban on collecting data is the first time the FTC has taken such action.

The FTC’s action against Mobilewalla also includes:

• Retention of data from auctions: The company is prohibited from collecting or retaining consumer data while participating in online advertising auctions for any other purpose than participating in the auction;
• Sensitive location data program: The company must create a sensitive location data program that develops a comprehensive list of sensitive locations and that is designed to prevent the use, sale or disclosure sensitive location data or otherwise using sensitive location data in any product or service;
• Data deletion: The company must implement a method for consumers to request deletion of their location data from the company and to delete certain types of older data. The company must also delete historic location data and any work product from this data.
• Mandated privacy program: The company is required to establish a comprehensive privacy program that protects consumers’ personal information; assess the program annually; and train employees and contractors who have access to sensitive data;
• Supplier assessment program: The company is required to set up a supplier assessment program designed to confirm whether consumers have provided consent for the collection and use of location data and will be prohibited from collecting or using location data if it cannot obtain records showing that consumers provided consent; and
• Disclosures to consumers: The company must provide a method for consumers to withdraw consent for the use of their data and must delete and stop collecting that data.

Data collection companies and data brokers have become a scourge of the modern tech industry. Hopefully the FTC’s action against Mobilewalla won’t be the last such action the agency takes against the entire industry.