I have commented before that I do not enable location-based services unless I use an app that requires it, like a ride-sharing app or directions. One of the reasons is to prevent data brokers and others from using precise geolocation data without my consent. Many people do not understand how geolocation data can be collected and used about them, and don’t understand the massive amount of precise location data that is collected from our devices.

The Federal Trade Commission (FTC) recently filed a complaint against Mobilewalla, Inc., alleging that it violated Section 5 of the FTC Act by selling consumers’ sensitive location information and targeting consumers based on sensitive characteristics without their consent. It further alleged that Mobilewalla conducted an unfair practice by collecting consumer information from real-time bidding (RTB) exchanges and indefinitely retained consumer location information.

According to the complaint, Mobilewalla is a data broker “that collects and aggregates huge quantities of consumer information, including precise location information tied to individual consumers that reveals sensitive information about those consumers. Mobilewalla touts its ability, among other things, to ‘create a comprehensive, cross channel view of the customer, understanding online and offline behavior.'” Mobilewalla collects this data from data suppliers, and consumers have no idea that their location information is being collected.

In addition, Mobilewalla has “collected large swaths of consumers’ personal information, including location data from multiple sources such as real-time bidding exchanges and data brokers. These sources may themselves obtain consumer data from other data suppliers, the mobile or online advertising marketplace, or mobile applications.” Most of the data is collected from RTB exchanges: I had never even heard of an RTB exchange until I read the complaint. The complaint explains:

The primary purpose of RTB exchanges is to enable instantaneous delivery of advertisements and other content to consumers’ mobile devices, such as when scrolling through a webpage or using an app. An app or website implements a software development kit, cookie, or similar technology that collects the consumer’s personal information from their device and passes it along to the RTB exchange in the form of a bid request. In an auction that occurs in a fraction of a second and without consumers’ involvement, advertisers participating in the RTB exchange bid to place advertisements based on the consumer information contained in the bid request. Advertisers can see and collect the consumer information contained in the bid request (even when they do not have a winning bid) and successfully place the advertisement.

The FTC alleges that Mobilewalla collected and retained information contained in a bid request in an RTB exchange even when it did not win the bid, including the consumer’s device mobile advertising identifier (MAID) and precise geolocation information if location-based services were turned on. Mobilewalla then used this information and paired it with other purchased consumer data (e.g., telephone numbers) to build profiles of individual consumers. Mobilewalla then sells access to this data, including raw location data, which is not anonymized. The FTC alleges that MAIDs can be used “to identify a mobile device’s user or owner.”

The FTC’s concern about this practice is that “Mobilewalla’s location data associated with MAIDs can be used to track consumers to sensitive locations, including medical facilities, places of religious worship, places that offer services to the LGBTQ+ community, domestic abuse shelters, and welfare and homeless shelters. It can also be used to infer sensitive information about those consumers.” In addition, “Mobilewalla’s collection and sale of consumers’ precise geolocation data to its clients to identify and target consumers based on sensitive characteristics causes or is likely to cause substantial injury in the form of stigma, discrimination, physical violence, emotional distress, and other harms.”

Similarly, the FTC recently issued a decision and consent order against Gravy Analytics, Inc. and Venntel, Inc. following an investigation of their collection and sale of precise consumer location and sensitive data. Take a look at the complaint if you want to learn more about how your precise location and other data can be collected when the location-based services feature is enabled on your device, and consider only keeping it on when you are using an app that requires it.