Dive Brief:
- In a first of its kind settlement, the Federal Trade Commission banned a data broker from sharing or selling sensitive information, following allegations that the company sold raw location data that could be used to track visits to places like medical or reproductive health clinics.
- The FTC alleged that Outlogic, formerly known as X-Mode Social, failed to use safeguards to remove sensitive locations and didn’t fully disclose its practices or receive permission from users.
- The settlement is the latest action by federal regulators to tamp down on the flow of potentially sensitive health data from technology companies and apps.
Dive Insight:
Outlogic, which was known as X-Mode until its sale in 2021, sells and licenses location data that it obtains through its apps, software development kits on third-party apps and by buying information from other aggregators, according to the FTC’s complaint.
The raw data sold was not anonymized, and could be used to match an individual’s phone with places they went, including sensitive locations like domestic violence shelters or medical facilities, the agency said.
The company also created “audience segments” that could be sold to third parties for marketing or advertising.
In one example cited in the FTC’s complaint, a clinical research company licensed custom audience segments of people who had visited cardiology, endocrinology or gastroenterology offices and then pharmacies or infusion clinics in Columbus, Ohio.
“Geolocation data can reveal not just where a person lives and whom they spend time with but also, for example, which medical treatments they seek and where they worship,” FTC Chair Lina Khan said in a statement. “The FTC’s action against X-Mode makes clear that businesses do not have free license to market and sell Americans’ sensitive location data.”
Outlogic will have to delete previously collected location data and provide a simple way for consumers to withdraw consent or request who purchased or accessed their data, among other requrirements.
The data broker disagrees with the implications of the FTC’s release, a company spokesperson told Healthcare Dive.
“Since its inception, X-Mode has imposed strict contractual terms on all data customers prohibiting them from associating its data with sensitive locations such as healthcare facilities,” the spokesperson said in a statement. “Adherence to the FTC’s newly introduced policy will be ensured by implementing additional technical processes and will not require any significant changes to business or products.”
The settlement comes as federal regulators and experts have raised concerns about the availability of sensitive data, particularly in the wake of the Dobbs Supreme Court decision that overturned a constitutional right to an abortion.
In August 2022, the FTC sued data broker Kochava for selling geolocation data that could be used to track users’ locations, including an instance where the agency could identify a user who had visited a reproductive health clinic and link that information to a home address.
A judge dismissed the FTC’s lawsuit against the data broker in spring, but the regulator promptly filed an amended complaint. The case is ongoing.
The agency has also moved to strengthen the Health Breach Notification Rule to crack down on digital health apps that share data with third parties. Fertility app Premom and drug cost transparency company GoodRx were both fined under the rule for disclosing health data to firms like Google.
Editor’s note: This article was updated with comment from Outlogic.
