The Federal Trade Commission (FTC) has taken decisive action against Gravy Analytics and its subsidiary Venntel for unlawfully collecting and selling sensitive location data, which could reveal consumers' visits to highly sensitive sites. The FTC's
proposed settlement bars the companies from using or selling such data and mandates the deletion of past location records.
Gravy Analytics and Venntel, based in Virginia, were found to have accumulated location data from billions of mobile devices via third-party suppliers and then sold it without obtaining proper user consent. Their operations relied on precise geolocation signals tied to mobile advertising identifiers (MAIDs), allowing them to infer sensitive information such as medical conditions, political affiliations, and religious practices.
According to the FTC
complaint, the companies marketed these insights to commercial entities and public-sector clients, offering tools to track individuals to medical clinics, religious institutions, and even union offices.
Key violations included:
- Continuing to collect and sell data after becoming aware users had not provided informed consent.
- Geofencing techniques were employed to identify visitors to sensitive locations, and this data was used to generate audience segments categorized by health, religious, and political attributes.
- Failing to ensure data anonymization, enabling the identification of individuals through patterns of life and persistent device identifiers.
The FTC emphasized the significant risks posed by these practices, including privacy violations, potential stigmatization, and threats to physical safety. This comes in the context of growing concerns about the misuse of location data in sensitive contexts, such as reproductive health and political activities. Gravy Analytics' own promotional materials reportedly claimed, “Where we go is who we are,” highlighting the intrusive nature of its offerings.
Gravy Analytics and Venntel's business model also extended to creating custom audience segments, such as “New Parents/Expecting” or “Likely Republican Voter,” based on consumers' location data. Venntel marketed similar services to government clients, leveraging its access to location information for purported intelligence and surveillance purposes.
FTC's enforcement and measures
The
proposed FTC order seeks to eliminate these invasive practices:
- Banning sensitive data use and sales: The companies are barred from using or disclosing data associated with sensitive locations, including medical facilities, religious sites, schools, and military installations.
- Mandated data deletion: Gravy Analytics and Venntel must delete all historical location data collected without user consent and notify customers to similarly delete or de-identify data obtained within the last three years.
- Transparency and consent enforcement: The firms are required to implement a Supplier Assessment Program to verify data sources and ensure affirmative user consent moving forward. They must also maintain a consumer-facing mechanism for data deletion requests and provide updates on compliance.
Samuel Levine, Director of the Bureau of Consumer Protection, noted, “This is a wake-up call for data brokers: surveilling consumers without their consent, especially around sensitive locations, is unacceptable.”
Consumers concerned about the misuse of their location data are advised to regularly check app permissions on mobile devices and revoke them as needed to limit unneeded access to location data, and use VPN tools and OS-level privacy features to minimize tracking.