InMarket Media LLC; Analysis of Proposed Consent Order To Aid Public Comment, 4301-4304 [2024-01269]

Agencies

• FEDERAL TRADE COMMISSION

[Federal Register Volume 89, Number 15 (Tuesday, January 23, 2024)]
[Notices]
[Pages 4301-4304]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-01269]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 202 3088]


InMarket Media LLC; Analysis of Proposed Consent Order To Aid 
Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement; request for comment.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis of Proposed Consent Order to Aid 
Public Comment describes both the allegations in the complaint and the 
terms of the consent order--embodied in the consent agreement--that 
would settle these allegations.

DATES: Comments must be received on or before February 22, 2024.

ADDRESSES: Interested parties may file comments online or on paper by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Please write ``InMarket Media 
LLC; File No. 202 3088'' on your comment and file your comment online 
at https://www.regulations.gov by following the instructions on the 
web-based form. If you prefer to file your comment on paper, please 
mail your comment to the following address: Federal Trade Commission, 
Office of the Secretary, 600 Pennsylvania Avenue NW, Mail Stop H-144 
(Annex M), Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: Gorana Neskovic (202-326-2322), 
Attorney, Division of Privacy and Identity Protection, Bureau of 
Consumer Protection, Federal Trade Commission, 600 Pennsylvania Ave. 
NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule Sec.  2.34, 16 CFR 
2.34, notice is hereby given that the above-captioned consent agreement 
containing a consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of 30 days. The following 
Analysis to Aid Public Comment describes the terms of the consent 
agreement and the allegations in the complaint. An electronic copy of 
the full text of the consent agreement package can be obtained at 
https://www.ftc.gov/news-events/commission-actions.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or

[[Page 4302]]

before February 22, 2024. Write ``InMarket Media LLC; File No. 202 
3088'' on your comment. Your comment--including your name and your 
state--will be placed on the public record of this proceeding, 
including, to the extent practicable, on the https://www.regulations.gov website.
    Because of heightened security screening, postal mail addressed to 
the Commission will be subject to delay. We strongly encourage you to 
submit your comments online through the https://www.regulations.gov 
website. If you prefer to file your comment on paper, write ``InMarket 
Media LLC; File No. 202 3088'' on your comment and on the envelope, and 
mail your comment to the following address: Federal Trade Commission, 
Office of the Secretary, 600 Pennsylvania Avenue NW, Mail Stop H-144 
(Annex M), Washington, DC 20580.
    Because your comment will be placed on the publicly accessible 
website at https://www.regulations.gov, you are solely responsible for 
making sure your comment does not include any sensitive or confidential 
information. In particular, your comment should not include sensitive 
personal information, such as your or anyone else's Social Security 
number; date of birth; driver's license number or other state 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. You are also 
solely responsible for making sure your comment does not include 
sensitive health information, such as medical records or other 
individually identifiable health information. In addition, your comment 
should not include any ``trade secret or any commercial or financial 
information which . . . is privileged or confidential''--as provided by 
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule Sec.  
4.10(a)(2), 16 CFR 4.10(a)(2)--including competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule Sec.  4.9(copyright). 
In particular, the written request for confidential treatment that 
accompanies the comment must include the factual and legal basis for 
the request and must identify the specific portions of the comment to 
be withheld from the public record. See FTC Rule Sec.  4.9(c). Your 
comment will be kept confidential only if the General Counsel grants 
your request in accordance with the law and the public interest. Once 
your comment has been posted on the https://www.regulations.gov 
website--as legally required by FTC Rule Sec.  4.9(b)--we cannot redact 
or remove your comment from that website, unless you submit a 
confidentiality request that meets the requirements for such treatment 
under FTC Rule Sec.  4.9(c), and the General Counsel grants that 
request.
    Visit the FTC website at https://www.ftc.gov to read this document 
and the news release describing the proposed settlement. The FTC Act 
and other laws the Commission administers permit the collection of 
public comments to consider and use in this proceeding, as appropriate. 
The Commission will consider all timely and responsive public comments 
it receives on or before February 22, 2024. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission (``Commission'') has accepted, subject 
to final approval, an agreement containing a consent order from 
InMarket Media LLC (``InMarket''). The proposed consent order 
(``Proposed Order'') has been placed on the public record for 30 days 
for receipt of public comments from interested persons. Comments 
received during this period will become part of the public record. 
After 30 days, the Commission will again review the agreement, along 
with the comments received, and will decide whether it should make 
final the Proposed Order or withdraw from the agreement and take 
appropriate action.
    Respondent InMarket is a Delaware company with its headquarters in 
Texas. Respondent is a digital marketing platform and a data 
aggregator. Since approximately May 2010, InMarket has operated an 
advertising service that uses mobile device location data to deliver 
ads to consumers' mobile devices.
    InMarket collects and purchases mobile device location data and 
uses that data to allow advertisers to target particular groups of 
consumers. InMarket collects location data directly from mobile devices 
through its proprietary software development kit (``the InMarket 
SDK''). The InMarket SDK is incorporated into two mobile apps that 
InMarket owns and operates: CheckPoints, which offers shopping rewards 
for completing small tasks, and ListEase, which helps consumers create 
shopping lists. Respondent also makes the InMarket SDK available to 
third-party app developers and it has been incorporated into more than 
300 third-party apps.
    InMarket uses the location data and other personal information it 
collects to group consumers, identified by mobile device identifiers, 
into advertising audiences, and then allows advertisers to target these 
audiences (e.g., ``coffee lover,'' ``pet owner''). Advertisers may 
target audiences directly through InMarket (that is, the advertisements 
will appear on mobile devices through the InMarket SDK). They may also 
purchase ``audiences'' from InMarket and target their advertisements to 
these audiences on real-time bidding platforms.
    When InMarket's proprietary apps request consent to access location 
data, they state that the data will be used for the app's own function 
(e.g., to earn extra shopping points or to receive a reminder about 
items on a shopping list when in the store), and do not disclose that 
they are collecting the data to target advertising, or that the data 
may be retained for up to five years. InMarket also does not monitor or 
keep records of whether the third parties that use the InMarket SDK 
properly disclose to users that location data will be shared with third 
parties to target advertising, or that it will be retained for up to 
five years. InMarket thus fails to obtain informed consumer consent in 
its proprietary apps, CheckPoints and ListEase, and fails to verify 
that the third-party apps that incorporate InMarket's SDK obtain 
informed consumer consent.
    In addition to failing to obtain informed consent, InMarket has 
retained the collected data for up to five years--far longer than 
necessary to accomplish the purpose of collection. This unreasonable 
retention period, combined with InMarket's comprehensive data 
collection practices, significantly increases the risk that the 
sensitive location data would be disclosed or misused, causing harm to 
consumers.
    The Commission's proposed four-count complaint alleges that 
Respondent violated section 5(a) of the FTC Act by (1) unfairly 
collecting and using consumer location data from its own apps, (2) 
unfairly collecting and using consumer location data from third party 
apps, (3) unfairly retaining consumer location data, and (4) 
deceptively failing to disclose use of location data.
    With respect to the first count, the proposed complaint alleges 
that Respondent failed to fully disclose to users of the InMarket apps 
the purposes for which the users' location data would

[[Page 4303]]

be used, such as the creation of consumer profiles and targeting for 
advertising. As a result, the proposed complaint alleges that 
Respondent caused or is likely to cause consumers substantial injury in 
the form of loss of privacy about their day-to-day movements, and a 
related increased risk of disclosure of such sensitive data.
    With respect to the second count, the proposed complaint alleges 
Respondent collected location data from third-party apps that 
incorporate its SDK without taking reasonable steps to verify that the 
consumers were informed that their data would be shared with InMarket 
and used to develop consumer profiles to target them with advertising. 
The proposed complaint alleges that this collection of location data 
without consent verification caused substantial injury to consumers in 
the form of loss of privacy about their day-to-day movements, and a 
related increased risk of disclosure of such sensitive data. InMarket's 
primary mechanism for ensuring that consumers have provided appropriate 
consent is through contractual requirements with its third-party app 
partners. However, contractual provisions, without additional 
safeguards, are insufficient to protect consumers' privacy.
    With respect to the third count, the proposed complaint alleges 
that Respondent retained detailed, sensitive information about 
consumers' movement for up to five years, which is longer than 
reasonably necessary to fulfill the purpose for which that information 
was collected. As a result, the proposed complaint alleges that such 
retention caused or is likely to cause substantial injury in the form 
of loss of privacy about day-to-day movements of consumers, and an 
increased risk of disclosure of such sensitive data.
    With respect to the fourth count, the proposed complaint alleges 
that Respondent failed to inform consumers about its location data use 
practices. Respondent represented that its apps would use the user's 
location information for shopping-related activities such as earning 
extra points when walking into stores. Instead, InMarket has 
supplemented that data with information about users it purchased from 
other sources, shared that information with third parties for 
advertising purposes, and has used that information to develop 
predictions about consumer behavior and characteristics. The proposed 
complaint alleges that these facts would be material to consumers when 
deciding whether to grant location permissions to InMarket's apps, and 
their omission was therefore a deceptive act or practice.

Summary of Proposed Order With Respondent

    The Proposed Order contains injunctive relief designed to prevent 
Respondent from engaging in the same or similar acts or practices in 
the future.
    Geolocation data can vary significantly in its precision. The 
privacy concerns posed by the proposed complaint relate to more precise 
location data--that is, location data that could be used to identify 
specific locations a consumer visits. As a result, the Proposed Order 
is limited to location data that identifies consumers' locations in a 
geographic area that is equal to or less than the area of a circle with 
a radius of 1,850 feet.
    Provision I prohibits Respondent from misrepresenting (1) the 
extent to which it collects, maintains, uses, discloses, or deletes 
location data, and (2) the extent to which such data is deidentified. 
Provision II prohibits Respondent from selling or licensing precise 
location data in exchange for any valuable consideration.
    Provision III prohibits Respondent from selling, licensing, 
transferring, or sharing, any product or service that categorizes or 
targets consumers based on sensitive location data. Sensitive locations 
are defined as those locations associated with: (1) sexual and 
reproductive health providers, offices of mental health practitioners 
and related mental health and substance abuse facilities, offices of 
oncologists and pediatricians; (2) religious organizations; (3) 
correctional facilities; (4) labor union offices; (5) locations held 
out to the public as predominantly providing education or childcare 
services to minors; (6) locations held out to the public as 
predominantly providing services to LGBTQ+ individuals; (7) locations 
held out to the public as predominantly providing services based on 
racial or ethnic origin; (8) locations held out to the public as 
providing temporary shelter or social services to homeless, survivors 
of domestic violence, refugees, or immigrants; or (9) locations of 
public gatherings of individuals during political or social 
demonstrations, marches and protests.
    Provision IV requires that Respondent implement and maintain a 
sensitive location data program to develop a comprehensive list of 
sensitive locations and to prevent the use, sale, license, transfer, or 
disclosure of sensitive location data.
    Provision V prohibits Respondent from collecting, using, and 
disclosing location data from its apps (1) without a record documenting 
the consumer's affirmative express consent obtained prior to the 
collection or use of location data, and (2) unless consumers receive a 
clear and conspicuous reminder every six months about location data 
being collected.
    Provision VI requires that Respondent design and implement an SDK 
supplier assessment program to help ensure that consumers have provided 
consent for the collection and use of location data obtained by 
Respondent through its SDK. Under this program, Respondent must conduct 
initial assessments of all their SDK data suppliers within 30 days of 
entering into a data sharing agreement, or within 30 days of the 
initial date of data collection. The program also requires that 
Respondent confirm that consumers provide consent and create and 
maintain records of SDK suppliers' assessment responses. Finally, 
Respondent must cease from using, selling, or disclosing location data 
for which consumers do not provide consent.
    Provision VII requires that Respondent provide a simple, easily-
located means for consumers to withdraw any consent provided and 
Provision VIII requires that Respondent cease collecting location data 
within 7 days after Respondent receives notice that the consumer has 
withdrawn their consent. Provision IX also requires Respondent to 
provide a simple, easily-located means for consumers to request that 
Respondent deletes location data that Respondent previously collected 
and to delete the location data within 30 days of receipt of such 
request unless a shorter period for deletion is required by law.
    Provision X requires that Respondent (1) document and adhere to a 
retention schedule for the covered information it collects from 
consumers, including the purposes for which it collects such 
information, the specific business needs, and an established timeframe 
for its deletion, and (2) prior to collecting or using new type of 
information related to consumers that was not previously collected, and 
is not described in its retention schedule, update its retention 
schedule.
    Provision XI requires Respondent to provide a notice to each 
consumer whose location data was collected through the Respondent's 
apps without Affirmative Express Consent, either via email or in the 
app itself, notifying the consumer about InMarket's settlement with the 
Commission.
    Provision XII requires that Respondent delete or destroy all 
historic location data. Respondent has the

[[Page 4304]]

option to retain historic location data if it has obtained affirmative 
express consent or it ensures that the historic location data is 
deidentified or rendered non-sensitive. Provision XIII requires 
Respondent to establish and implement, and thereafter maintain, a 
comprehensive privacy program that protects the privacy of consumers' 
personal information.
    Provisions XIV-XVII are reporting and compliance provisions, which 
include recordkeeping requirements and provisions requiring Respondent 
to provide information or documents necessary for the Commission to 
monitor compliance.
    Provision XVIII states that the Proposed Order will remain in 
effect for 20 years, with certain exceptions.
    The purpose of this analysis is to facilitate public comment on the 
Proposed Order, and it is not intended to constitute an official 
interpretation of the complaint or Proposed Order, or to modify the 
Proposed Order's terms in any way.
    By direction of the Commission.

April J. Tabor,
Secretary.
[FR Doc. 2024-01269 Filed 1-22-24; 8:45 am]
BILLING CODE 6750-01-P