Notice2024-28738
Gravy Analytics, Inc.; Analysis of Proposed Consent Order to Aid Public Comment
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
December 6, 2024
Issuing agencies
Federal Trade Commission
Abstract
The consent agreement in this matter settles alleged violations of Federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order--embodied in the consent agreement--that would settle these allegations.
Full Text
<html>
<head>
<title>Federal Register, Volume 89 Issue 235 (Friday, December 6, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 235 (Friday, December 6, 2024)]
[Notices]
[Pages 96986-96996]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-28738]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 212 3035]
Gravy Analytics, Inc.; Analysis of Proposed Consent Order to Aid
Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement; request for comment.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of Federal law prohibiting unfair or deceptive acts or
practices. The attached Analysis of Proposed Consent Order to Aid
Public Comment describes both the allegations in the complaint and the
terms of the consent order--embodied in the consent agreement--that
would settle these allegations.
DATES: Comments must be received on or before January 6, 2025.
[[Page 96987]]
ADDRESSES: Interested parties may file comments online or on paper by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Please write ``Gravy
Analytics; File No. 212 3035'' on your comment and file your comment
online at <a href="https://www.regulations.gov">https://www.regulations.gov</a> by following the instructions on
the web-based form. If you prefer to file your comment on paper, please
mail your comment to the following address: Federal Trade Commission,
Office of the Secretary, 600 Pennsylvania Avenue NW, Mail Stop H-144
(Annex G), Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT: Jennifer Rimm (202-326-2277),
Attorney, Division of Privacy and Identity Protection, Bureau of
Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue
NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule Sec. 2.34, 16 CFR
2.34, notice is hereby given that the above-captioned consent agreement
containing a consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of 30 days. The following
Analysis to Aid Public Comment describes the terms of the consent
agreement and the allegations in the complaint. An electronic copy of
the full text of the consent agreement package can be obtained at
<a href="https://www.ftc.gov/news-events/commission-actions">https://www.ftc.gov/news-events/commission-actions</a>.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before January 6, 2025.
Write ``Gravy Analytics; File No. 212 3035'' on your comment. Your
comment--including your name and your State--will be placed on the
public record of this proceeding, including, to the extent practicable,
on the <a href="https://www.regulations.gov">https://www.regulations.gov</a> website.
Because of heightened security screening, postal mail addressed to
the Commission will be subject to delay. We strongly encourage you to
submit your comments online through the <a href="https://www.regulations.gov">https://www.regulations.gov</a>
website. If you prefer to file your comment on paper, write ``Gravy
Analytics; File No. 212 3035'' on your comment and on the envelope, and
mail your comment to the following address: Federal Trade Commission,
Office of the Secretary, 600 Pennsylvania Avenue NW, Mail Stop H-144
(Annex G), Washington, DC 20580.
Because your comment will be placed on the publicly accessible
website at <a href="https://www.regulations.gov">https://www.regulations.gov</a>, you are solely responsible for
making sure your comment does not include any sensitive or confidential
information. In particular, your comment should not include sensitive
personal information, such as your or anyone else's Social Security
number; date of birth; driver's license number or other State
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. You are also
solely responsible for making sure your comment does not include
sensitive health information, such as medical records or other
individually identifiable health information. In addition, your comment
should not include any ``trade secret or any commercial or financial
information which . . . is privileged or confidential''--as provided by
section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule Sec.
4.10(a)(2), 16 CFR 4.10(a)(2)--including competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule Sec. 4.9(c). In
particular, the written request for confidential treatment that
accompanies the comment must include the factual and legal basis for
the request and must identify the specific portions of the comment to
be withheld from the public record. See FTC Rule Sec. 4.9(c). Your
comment will be kept confidential only if the General Counsel grants
your request in accordance with the law and the public interest. Once
your comment has been posted on the <a href="https://www.regulations.gov">https://www.regulations.gov</a>
website--as legally required by FTC Rule Sec. 4.9(b)--we cannot redact
or remove your comment from that website, unless you submit a
confidentiality request that meets the requirements for such treatment
under FTC Rule Sec. 4.9(c), and the General Counsel grants that
request.
Visit the FTC website at <a href="https://www.ftc.gov">https://www.ftc.gov</a> to read this document
and the news release describing the proposed settlement. The FTC Act
and other laws the Commission administers permit the collection of
public comments to consider and use in this proceeding, as appropriate.
The Commission will consider all timely and responsive public comments
it receives on or before January 6, 2025. For information on the
Commission's privacy policy, including routine uses permitted by the
Privacy Act, see <a href="https://www.ftc.gov/site-information/privacy-policy">https://www.ftc.gov/site-information/privacy-policy</a>.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission (``Commission'') has accepted, subject
to final approval, an agreement containing a consent order from Gravy
Analytics, Inc. (``Gravy Analytics'') and Venntel, Inc. (``Venntel,''
and collectively with Gravy Analytics, ``Respondents''). The proposed
consent order (``Proposed Order'') has been placed on the public record
for 30 days for receipt of public comments from interested persons.
Comments received during this period will become part of the public
record. After 30 days, the Commission will again review the agreement,
along with the comments received, and will decide whether it should
make final the Proposed Order or withdraw from the agreement and take
appropriate action.
Gravy Analytics and Venntel are Delaware corporations with their
headquarters in Virginia. Respondent Venntel is a subsidiary of Gravy
Analytics. Gravy Analytics and Venntel are data brokers that collect
and sell precise geolocation data about consumers' mobile devices.
Gravy Analytics does not collect data directly from consumers.
Rather, it purchases precise geolocation data and other personal data
for its products from other data suppliers, including other data
aggregators. Gravy Analytics offers several data products to its
customers. These products include transfers of batch location data,
consisting of a unique persistent identifier for the mobile device
called a Mobile Advertiser ID (``MAID'') and timestamped latitude and
longitude coordinates; audience segments, which are groupings of MAIDs
that purportedly share similar traits based on the locations or events
the mobile devices and MAIDs have visited; and an online application
programming interface that, among other things, enables Gravy
Analytics' customers to geofence locations. Gravy Analytics makes its
data products available to commercial customers, such as marketers,
other data brokers, stores, and other commercial entities.
Venntel obtains mobile location data from Gravy Analytics
exclusively. Venntel offers batch transfers of location data and allows
customers to geofence specific locations. Venntel also offers its
customers access to an online application programming interface through
which its customers may search for devices that visited specific
[[Page 96988]]
locations, obtain device information about a particular mobile phone,
or obtain location data for individual devices. Venntel sells its data
products only to public sector customers, such as government
contractors.
The Commission's proposed three-count complaint alleges Respondents
violated section 5(a) of the FTC Act by (1) unfairly selling sensitive
location data and (2) unfairly collecting, using, and transferring
consumer location data without consent verification; and that Gravy
Analytics violated section 5 of the FTC Act by (3) unfairly selling
inferences about consumers' sensitive characteristics derived from
location data.
With respect to the first count, the proposed complaint alleges
Respondents sold location data associated with persistent identifiers,
such as MAIDs, that could be used to track consumers to sensitive
locations, such as medical facilities, places of religious worship,
places that may be used to infer an LGBTQ+ identification, domestic
abuse shelters, and welfare and homeless shelters. For example, by
plotting timestamped latitude and longitude coordinates associated with
mobile devices using publicly available map programs, it is possible to
identify which consumers' mobile devices visited medical facilities and
when.
With respect to the second count, the proposed complaint alleges
Respondents failed to verify that their data suppliers obtained
informed consent from consumers to have the consumers' location data
collected, used, and sold. Respondents' primary mechanism for ensuring
that consumers have provided appropriate consent is through contractual
requirements with their suppliers. However, contractual provisions,
without additional safeguards, are insufficient to protect consumers'
privacy.
With respect to the third count, the proposed complaint alleges it
was an unfair practice for Gravy Analytics to sell inferences about
consumers' sensitive characteristics derived from their location data.
Gravy Analytics created custom audience segments for customers based,
for example, on consumers' attendance at a cancer charity run and based
on consumers' church attendance, and has also offered standard audience
segments based on medical decisions and political activities.
The proposed complaint alleges that Respondents could have
addressed each of these failures by implementing certain safeguards at
a reasonable cost and expenditure of resources. The proposed complaint
alleges Respondents' practices caused, or are likely to cause,
substantial injury to consumers that is not outweighed by
countervailing benefits to consumers or competition and is not
reasonably avoidable by consumers themselves. Such practices constitute
unfair acts or practices under section 5 of the FTC Act.
The Proposed Order contains injunctive relief designed to prevent
Respondents from engaging in the same or similar acts or practices in
the future. Part I prohibits Respondents from misrepresenting the
extent to which: (1) Respondents review data suppliers' compliance and
consent frameworks, consumer disclosures, sample notices, and opt in
controls; (2) Respondents collect, maintain, use, disclose, or delete
any covered information, and (3) the location data that Respondents
collect, use, maintain, or disclose is deidentified.
Part II prohibits Respondents from selling, licensing,
transferring, sharing, disclosing, or using sensitive location data in
any products or services. Sensitive locations are defined as those
locations in the United States associated with (1) medical facilities
(e.g., family planning centers, general medical and surgical hospitals,
offices of physicians, offices of mental health physicians and
practitioners, residential mental health and substance abuse
facilities, outpatient mental health and substance abuse centers,
outpatient care centers, psychiatric and substance abuse hospitals, and
specialty hospitals); (2) religious organizations; (3) correctional
facilities; (4) labor union offices; (5) locations of entities held out
to the public as predominantly providing education or childcare
services to minors; (6) associations held out to the public as
predominantly providing services based on racial or ethnic origin; (7)
locations held out to the public as providing temporary shelter or
social services to homeless, survivors of domestic violence, refugees,
or immigrants; or (8) military installations, offices, or buildings.
This prohibition does not apply to sensitive location data used to
respond to or prevent data security incidents, for national security
purposes conducted by Federal agencies or other Federal entities, or
for response by a Federal law enforcement agency to an imminent risk of
death or serious bodily harm to a person. Part III requires that
Respondents implement and maintain a sensitive location data program to
develop a comprehensive list of sensitive locations and to prevent the
use, sale, license, transfer, sharing, or disclosure of sensitive
location data.
Part IV requires that Respondents establish and implement policies,
procedures, and technical measures designed to prevent recipients of
Respondents' location data from associating consumers with locations
predominantly providing services to LGBTQ+ individuals, locations of
public gatherings of individuals during social demonstrations, marches,
or protests, or using location data to determine the identity or
location of an individual's home. Part V requires that Respondents
notify the Commission any time Respondents determine that a third party
shared Respondents' location data, in violation of a contractual
requirement between Respondents and the third party.
Part VI requires that Respondents must not collect, use, maintain,
and disclose location data: (1) when consumers have opted-out, or
otherwise declined targeted advertising and (2) without a record
documenting the consumer's consent obtained prior to the collection of
location data. Part VII requires that Respondents implement a supplier
assessment program designed to ensure that consumers have provided
consent for the collection and use of all data obtained by Respondents
that may reveal a consumer's precise location. Under this program,
Respondents must conduct initial assessments of all their data
suppliers within 30 days of entering into a data sharing agreement, or
within 30 days of the initial date of data collection. The program also
requires that Respondents confirm that consumers provided consent and
create and maintain records of suppliers' assessment responses.
Finally, Respondents must cease from using, selling, or disclosing
location data for which consumers have not provided consent.
Part VIII requires that Respondents provide a clear and conspicuous
means for consumers to request the identity of any entity, business, or
individual to whom Respondents know their location data has been sold,
transferred, licensed, or otherwise disclosed or a method to delete the
consumers' location data from the databases of Respondents' customers.
Respondents must also provide written confirmation to consumers that
the deletion requests have been sent to Respondents' customers.
Part IX requires that Respondents provide a simple, easily-located
means for consumers to withdraw any consent provided and Part X
requires that Respondents cease collecting location data within 15 days
after Respondents receive notice that the consumer withdraws their
consent. Part XI also
[[Page 96989]]
requires that Respondents provide a simple, easily-located means for
consumers to request that Respondents delete location data that
Respondents previously collected and to delete the location data within
30 days of receipt of such request unless a shorter period for deletion
is required by law.
Part XII requires that Respondents: (1) document and adhere to a
retention schedule for the covered information they collect from
consumers, including the purposes for which they collect such
information, the specific business needs, and an established timeframe
for its deletion, and (2) prior to collecting or using any new type of
information related to consumers that was not previously collected, and
is not described in its retention schedule, Respondents must update
their retention schedules. Part XIII requires that Respondents delete
or destroy all historic location data and all data products developed
using this data. Respondents have the option to retain historic
location data if they have records showing they obtained consent or if
they ensure that the historic location data is deidentified or rendered
non-sensitive. Respondents must inform all customers that received
location data from Respondents within 3 years prior to the issuance
date of this Order of the Commission's position that such data should
be deleted, deidentified, or rendered non-sensitive. Part XIV requires
Respondents to establish and implement, and thereafter maintain, a
comprehensive privacy program that protects the privacy of consumers'
personal information.
Parts XV-XVIII are reporting and compliance provisions, which
include recordkeeping requirements and provisions requiring Respondents
to provide information or documents necessary for the Commission to
monitor compliance. Part XIX states that the Proposed Order will remain
in effect for 20 years, with certain exceptions.
The purpose of this analysis is to facilitate public comment on the
Proposed Order, and it is not intended to constitute an official
interpretation of the complaint or Proposed Order, or to modify the
Proposed Order's terms in any way.
By direction of the Commission, Commissioner Ferguson
dissenting.
April J. Tabor,
Secretary.
Statement of Commissioner Alvaro M. Bedoya Joined by Chair Lina M. Khan
and Commissioner Rebecca Kelly Slaughter in Full and Commissioner
Melissa Holyoak in Part I
I. The Porous Line Between Government and Private Surveillance
Any first-year constitutional law student will tell you that the
distinction between a government agent and private actor is paramount:
the Fourth Amendment corrals the former but not the latter. For the
people being watched, that line is porous if not irrelevant.
Governments have long relied on private citizens for work that
would be impractical or illegal for law enforcement. Elizabeth I prided
herself on seeing and hearing all in her realm, famously sitting for
one of her final portraits in a gown embroidered with human eyes and
ears.\1\ Her ministers achieved that surveillance through a much-feared
system of agents and spies,\2\ as well as a quieter network of local
clergy who tracked the weekly church attendance of converted Catholics
and the Separatist Puritans we now know as Pilgrims.\3\ Her successor,
James I, went further, offering bounties to any of his subjects who
reported practicing Catholics.\4\
---------------------------------------------------------------------------
\1\ See generally Daniel Fischlin, Political Allegory,
Absolutist Ideology, and the ``Rainbow Portrait'' of Queen Elizabeth
I, 50 Renaissance Q. 170, 175-83 (1997) (reflecting the view that
the portrait was intended to convey that ``[t]he Queen watches and
listens vigilantly, seeing in all perspectives, hearing in all
directions'').
\2\ See generally John Coffey, Persecution and Toleration in
Protestant England, 1558-1689 (2000). See also id at 95-96
(describing government agents loitering in St. Paul's courtyard
``pretending to be
sympathetic'' to the Puritans' cause); Stephen Budiansky, Sir
Francis Walsingham, Brittanica, available at <a href="https://www.britannica.com/biography/Francis-Walsingham">https://www.britannica.com/biography/Francis-Walsingham</a> (last accessed Nov.
29, 2024).
\3\ See Act of Uniformity, 1 Eliz. 1, c. 2 (1559) (instituting a
12 shilling fine for absences, ``to be levied by the churchwardens
of the parish where such offence shall be done''); An Act to retain
the Queen's Majesty's Subjects in their due Obedience, 23 Eliz. 1,
c. 1 (1580) (raising the fine to 20 pounds); Act Against Puritans,
35 Eliz. 1, c. 1 (1593) (instituting penalties for Puritans who
profess allegiance to the Church of England, only to subsequently
fail to attend church services).
\4\ See An Act to Prevent and Avoid Dangers which Grow by Popish
Recusants, 3 Jas. 1, c. 5 (1605) (immunizing informants and
providing them one-third of the money seized from the offending
individual).
---------------------------------------------------------------------------
The governor of Plymouth Colony, William Bradford, would later
recount what forced him and his fellow migrants to travel, first to the
Netherlands and then to the New World. They were ``hunted & persecuted
on every side,'' he wrote. While ``some were taken & clapt up in
prison, others had their houses besett & watctht night and day[.]'' \5\
---------------------------------------------------------------------------
\5\ See William Bradford, Of Plymouth Plantation 6 (c. 1630-
1651). Professor Coffey explains that, while Catholics were the
focus of government surveillance efforts at the time, Separatist
Puritans were also targeted. See Coffey, supra note 2, at 103 (``The
harsh repression of the Separatists in the 1580s and 90s was. . .
out of all proportion to their threat. [. . .] Separatist
congregations were hunted down and incarcerated, their ringleaders
put to death.'').
---------------------------------------------------------------------------
Four-hundred years later, those loose networks of citizen-
informants have been succeeded by a digitized, automated, and highly
profitable industry of commercial data brokers that ``artfully dodge[ ]
privacy laws.'' \6\ In 2001, the Electronic Privacy Information Center
used the Freedom of Information Act to survey Federal law enforcement
agencies' reliance on those firms.\7\ They determined that this network
of data brokers allows law enforcement to easily and warrantlessly
``download comprehensive dossiers on almost any adult.'' \8\ They
warned that ``[i]f we are ever unfortunate enough to have George
Orwell's Big Brother in the United States, it will be made possible by
the private sector.'' \9\
---------------------------------------------------------------------------
\6\ See Chris J. Hoofnagle, Big Brother's Little Helpers: How
ChoicePoint and Other Commercial Data Brokers Collect and Package
Your Data for Law Enforcement, 29 N.C. J. Int'l L. 595, 595 (2003).
\7\ Id. at 597.
\8\ Id. at 595.
\9\ Id. at 633.
---------------------------------------------------------------------------
This complaint and proposed settlement concern two contemporary
peers of those data brokers, Gravy Analytics, Inc. and its subsidiary,
Venntel, Inc. (``Respondents''). The Commission alleges these companies
collect, aggregate, and sell precise geolocation data from roughly one
billion mobile devices.\10\ According to public reporting, Venntel's
customers have included American law enforcement.\11\
---------------------------------------------------------------------------
\10\ Complaint, FTC v. Gravy Analytics, Inc. & Venntel, Inc.,
(Dec. 2, 2024), [hereinafter Complaint] at 2.
\11\ See, e.g., Byron Tau and Michelle Hackman, Federal Agencies
Use Cellphone Location Data for Immigration Enforcement, Wall Street
Journal, (Feb. 7, 2020), <a href="https://www.wsj.com/articles/federal-agencies-use-cellphone-location-data-for-immigration-enforcement-11581078600">https://www.wsj.com/articles/federal-agencies-use-cellphone-location-data-for-immigration-enforcement-11581078600</a>; Joseph Cox, The DEA Abruptly Cut Off Its App Location
Data Contract, Vice, (Dec. 7, 2020), <a href="https://www.vice.com/en/article/dea-venntel-location-data/">https://www.vice.com/en/article/dea-venntel-location-data/</a>; Lee Fang, FBI Expands Ability to
Collect Cellphone Location Data, Monitor Social Media, Recent
Contracts Show, The Intercept, (Jun. 24, 2020), <a href="https://theintercept.com/2020/06/24/fbi-surveillance-social-media-cellphone-dataminr-venntel/">https://theintercept.com/2020/06/24/fbi-surveillance-social-media-cellphone-dataminr-venntel/</a>; Byron Tau, IRS Used Cellphone Location Data to
Try to Find Suspects, Wall Street Journal, (Jun. 19, 2020), <a href="https://www.wsj.com/articles/irs-used-cellphone-location-data-to-try-to-find-suspects-11592587815">https://www.wsj.com/articles/irs-used-cellphone-location-data-to-try-to-find-suspects-11592587815</a>.
---------------------------------------------------------------------------
[[Page 96990]]
II. The Respondents' Privacy Invasions Clearly Violate Section 5 of the
FTC Act
You may not know anything about Gravy Analytics, but Gravy
Analytics may know quite a bit about you.
Do you eat breakfast at McDonald's? Do you buy CBD oil? Did you
recently buy lingerie? Are you pregnant? Are you a stay-at-home parent?
Are you a Republican? A Democrat? Are you in the pews every Sunday in
Charlotte? Or Atlanta? Have you recently attended an event for breast
cancer? Are you a blue-collar Gen X parent and golf-lover who has
recently been looking into Medicare?
These are just a few of the 1,100 labels that the Commission
alleges that Gravy Analytics appended to individual consumers so as to
sell their bundled data to private companies for targeted advertising--
or to better understand the ``persona'' of any given individual whose
data a company has requested.\12\ According to our complaint,
Respondents actively encouraged their customers to identify individual
people using the data they sold.\13\
---------------------------------------------------------------------------
\12\ See Complaint, supra note 10, at 9-10.
\13\ Id. at 5.
---------------------------------------------------------------------------
In the complaint, the Commission alleges that the Respondents' 1)
sale of data tying consumers to sensitive locations, (2) collection and
use of geolocation data without verifying that it was obtained with
consumers' informed consent, and (3) the sale of sensitive inferences
about those consumers' ``medical conditions, political activities, and
religious beliefs,'' among other things, constitute unfair trade
practices prohibited by section 5 of the Federal Trade Commission Act.
I agree with my colleague Commissioner Holyoak that the specific
practices alleged in the complaint meet the threshold for ``substantial
injury'' under section 5.\14\ More than a decade ago, the Commission
issued a final report offering guidance to businesses on protecting the
privacy of American consumers.\15\ That report classified ``precise
geolocation'' as a type of ``sensitive information,'' and urged
companies to obtain people's affirmative express consent before
collecting it.\16\ As the District Court of Idaho affirmed last year,
collection and disclosure of precise geolocation is a violation of
privacy--itself an injury.\17\ It can further lead to stigma,
harassment, and even physical danger.\18\
---------------------------------------------------------------------------
\14\ Statement of Commissioner Melissa Holyoak, In the Matter of
Gravy Analytics, Inc. & Venntel, Inc. (Dec. 2, 2024).
\15\ Fed. Trade Comm'n, Protecting Consumer Privacy in an Era of
Rapid Change: Recommendations for Businesses and Policymakers,
(2012).
\16\ Id. at 58.
\17\ See Order on Motion to Dismiss, FTC v. Kochava, Inc., 2:22-
cv-00377-BLW, (D. Idaho May 4, 2023) at 8-10, (``an invasion of
privacy may constitute an injury that gives rise to liability under
Section 5(a)'') <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/71-OpiniononMTD.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/71-OpiniononMTD.pdf</a>.
\18\ Id. at 8-9.
---------------------------------------------------------------------------
This is the fourth recent Commission action and third settlement
brought to stop the nonconsensual collection and sale of geolocation
data.\19\ In my view, the illegality of this conduct is more than
clear.
---------------------------------------------------------------------------
\19\ Complaint, FTC v. Kochava, Inc., 2:22-cv-00377-BLW, (D.
Idaho Jul. 15, 2024), <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/1.%20Complaint.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/1.%20Complaint.pdf</a>; Complaint, FTC v. X-Mode Social, Inc., Docket
No. 212-3038, (Jan. 9, 2024), <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/X-Mode-Complaint.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/X-Mode-Complaint.pdf</a>; Complaint, FTC v. InMarket Media,
LLC, Docket No. 202-3088, (Jan. 18, 2024), <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/Complaint-InMarketMediaLLC.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/Complaint-InMarketMediaLLC.pdf</a>.
---------------------------------------------------------------------------
III. Venntel's Sales of Location Data Undermine Established Fourth
Amendment Protections
According to our complaint, Respondent Venntel ``markets to its
public sector customers that the location data and these enhanced tools
can be used for government purposes.'' \20\ Public reporting suggests
that these government clients have included Federal law enforcement
agencies like the Department of Homeland Security (DHS), the Drug
Enforcement Administration (DEA), the Federal Bureau of Investigation
(FBI), and the Internal Revenue Service (IRS).\21\ This poses an
important question: Can a collection of precise geolocation data that
otherwise violates section 5 be cured by a potential future law
enforcement use of that data?
---------------------------------------------------------------------------
\20\ Complaint, supra note 10.
\21\ See supra note 11.
---------------------------------------------------------------------------
I think the answer is ``no.'' Section 5 makes no mention of such a
circumstance, but it does expressly call on the Commission to consider
``countervailing benefits to consumers'' from the practice in question,
and further permits the Commission to weigh ``established public
policies as evidence to be considered with all other evidence'' when
declaring a practice unfair.\22\
---------------------------------------------------------------------------
\22\ 15 U.S.C. 45(n). To be clear, I do not believe that an
appeal to public policy is necessary to support this matter. Still,
I believe it is useful exercise here, especially when considering
the Commission's actions relative to other policy priorities.
---------------------------------------------------------------------------
In 1928, Justice Louis Brandeis, one of the architects of this
Commission, warned against formalistic interpretations of the Fourth
Amendment. ``Clauses guaranteeing to the individual protection against
specific abuses of power must have a . . . capacity of adaptation to a
changing world,'' he wrote.\23\ For the last 60 years, since the Katz
court's declaration that the Fourth Amendment ``protects people, not
places,'' the Supreme Court has more or less heeded that call.\24\
---------------------------------------------------------------------------
\23\ Olmstead v. United States, 277 U.S. 438, 472 (Brandeis, J.,
dissenting). The Olmstead majority held that a prolonged wiretap did
not constitute a search or seizure for the purposes of the Fourth
Amendment because the interception occurred along public phone lines
leading to the home in question--``[t]here was no entry of the
houses or offices of the defendants.'' Id. at 464.
\24\ Katz v. United States, 389 U.S. 347, 351 (1967).
---------------------------------------------------------------------------
In Kyllo, the Court found that a thermal imaging device that
allowed law enforcement to track activities inside a home constituted a
search under the Fourth Amendment--even though it involved no trespass
into the home.\25\ In Riley, the Court refused to equate the search of
someone's cellphone with searches of their purse or wallet or any other
physical items people carry.\26\ Most relevantly, in Carpenter, the
Court held that citizens have a reasonable expectation of privacy in
extended cell-site location records of their movements, irrespective of
the fact that the data accessed by the government was disclosed to and
held by a commercial third party, and further held that the government
must generally obtain a warrant before acquiring such records.\27\
---------------------------------------------------------------------------
\25\ Kyllo v. United States, 533 U.S. 67 (2001).
\26\ Riley v. California, 573 U.S. 373 (2014).
\27\ See Carpenter v. United States, 585 U.S. 296, 306-321
(2018).
---------------------------------------------------------------------------
Look at the cell-site location data in Carpenter; look at the data
in question here. It's basically the same data. In some ways, the
Respondents' data is more invasive.
The cell-site records in Carpenter could place an individual
``within a wedge-shaped sector ranging from one-eighth to four square
miles''; \28\ Respondents' data locates people down to a meter.\29\
Cellphone carriers maintain location records for five years, and
Federal agents obtained a total of 129 days of geolocation data--
although the Court held that accessing just seven days of data
constitutes a Fourth Amendment search.\30\ The Respondents can draw on
three years of data, and Venntel offers its clients the ability to
``continuously'' track a person's phone for 90 days.\31\ The Carpenter
court warned that cell-site geolocation records
[[Page 96991]]
can reveal a person's ``familial, political, professional, and sexual
associations''--a phrase that might as well be Respondents' marketing
slogan.\32\
---------------------------------------------------------------------------
\28\ See Carpenter, 585 U.S. at 312.
\29\ Complaint, supra note 10, at 2.
\30\ See Carpenter, 585 U.S. at 302 (129 days) & 310 n. 3 (seven
days constitutes a Fourth Amendment search).
\31\ Complaint, supra note 10, at 3-4.
\32\ See Carpenter, 585 U.S. at 311 (citing United States v.
Jones, 565 U.S. 400, 415 (2011) (Sotomayor, J., concurring)).
Furthermore, while it may be easier to refrain from using an app
than to stop using a smartphone altogether, the complaint makes
clear that the customers whose geolocation information has been
collected by Venntel have in no way voluntarily ``assume[d] the
risk'' of disclosing their geolocation information in this manner.
See id. at 315; Complaint, supra note 10, at 5-9. In sum, it is easy
to agree with my colleague Commissioner Holyoak, who wrote that our
enforcement actions protecting precise geolocation ``[correlate]
with judicial recognition, in other contexts, of how significant
such information is.'' See Concurring Statement of Comm'r Melissa
Holyoak, Kochava, Inc., FTC Matter No. X230009, at 2 (July 15, 2024)
(``The Commission's effort to protect the privacy of consumers'
precise geolocation data in this case correlates to judicial
recognition, in other contexts, of how significant such information
is.''), <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/2024-7-15-Commissioner-Holyoak-Statement-re-Kochava-final.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/2024-7-15-Commissioner-Holyoak-Statement-re-Kochava-final.pdf</a>.
---------------------------------------------------------------------------
To make this plain: Carpenter said that to get this data, you need
a warrant; Venntel lets them get it without a warrant. I cannot see how
this is a ``countervailing benefit to consumers.'' It certainly
contravenes ``established public policy.''
Looking beyond Carpenter, a panoply of statutes sets out a range of
safeguards against the government's untrammeled collection of
Americans' sensitive data. The Wiretap Act requires warrants to
authorize wiretapping and interception of communications.\33\ The
Stored Communications Act protects the privacy of subscribers'
information held by internet service providers and established
procedures for government access by warrant, subpoena, court order, or
written consent.\34\
---------------------------------------------------------------------------
\33\ 18 U.S.C. 2510 through 2522.
\34\ 18 U.S.C. 2703(d).
---------------------------------------------------------------------------
Both of those laws concern oral or written communications; one may
assume that Congress would want to protect this data. Consider that if
law enforcement wants YouTube to disclose the name of a single video
that I have watched online, Federal statute requires that they get a
warrant, grand jury subpoena, or a court order.\35\ Similarly, the
Cable Act provides that cable subscribers' personally identifiable
information, such as their viewing habits, cannot be disclosed without
their consent, except in the case of a court order.\36\
---------------------------------------------------------------------------
\35\ Id. 2710(b)(2)(C). Separately, while it cannot yet
constitute ``an established public policy,'' I would be remiss if I
did not note that The Fourth Amendment Is Not For Sale Act, which
would extend these Fourth Amendment protections to geolocation data
held by data brokers, recently passed the House of Representatives.
See H.R. 4639, 118th Cong. (2023).
\36\ 47 U.S.C. 551(c).
---------------------------------------------------------------------------
Admittedly, there is active debate around whether these statutes
impose the correct degree of protection in light of the Fourth
Amendment. That said, the correct degree is clearly not zero.
IV. The Proposed Order
Speaking generally, the proposed order prohibits Respondents from
disclosing sensitive location data in any of its products or
services.\37\ Sensitive location data includes, inter alia, medical
facilities, religious buildings, schools and daycares, domestic
violence shelters, and military facilities.\38\ The order also directs
Respondents to ensure that their clients do not use their data to track
people to political protects, or to locate someone's home.\39\ The
order requires that Respondents not collect any data from consumers
that have opted out of targeted advertising via their operating system,
and will block them from collecting, using, or disclosing geolocation
data without proof that people have agreed to that.\40\
---------------------------------------------------------------------------
\37\ See Order, Gravy Analytics, Inc. & Venntel, Inc., FTC
Docket No. 2123035 at 5 (``II. Prohibitions on the Use, Sale, or
Disclosure of Sensitive Location Data'').
\38\ See id. at 4-5.
\39\ See id. at 7-8 (``IV. Other Location Data Obligations'').
\40\ See id. at 9 (''VI. Limitations on Collection, Use,
Maintenance, and Disclosure of Location Data''). These are just a
few parts of the order, which includes various other provisions and
exceptions.
---------------------------------------------------------------------------
Like the Court in Carpenter, the proposed order recognizes that not
all government uses of geolocation data are alike.\41\ It has
exceptions for the disclosure of geolocation data for certain bona fide
national security and data security purposes, including countering
espionage and disrupting cyber threats from foreign ``nation states,
terrorists, or their agents or proxies.'' \42\ It also has exceptions
for Federal law enforcement agencies responding ``to an imminent risk
of death or serious bodily harm to a person.'' \43\
---------------------------------------------------------------------------
\41\ See Carpenter, 585 U.S. at 319.
\42\ Order, supra note 37.
\43\ See id. at 4. These should not be understood as
``exceptions'' to section 5, but rather a recognition that in this
specific instance, these order provisions are appropriate.
---------------------------------------------------------------------------
Unless one of these special exceptions applies, agencies like DHS,
DEA, FBI, and IRS will not be able to use Venntel to warrantlessly
track people to church, to the doctor, to school, to protests, or to
their homes. And Venntel will soon not be able to trade in any
geolocation data without the consent of the people being tracked.
Concurring Statement of Commissioner Melissa Holyoak Joined in Part by
Commissioner Alvaro M. Bedoya (Section I Only)
I support today's settlement with two location data broker
companies--Respondents Gravy Analytics, Inc. (``Gravy'') and its
subsidiary, Venntel, Inc. (``Venntel'')--to resolve allegations that
Respondents: packaged and sold consumers' precise geolocation data to
third parties, revealing consumers' visits to places of worship,
medical facilities, and political gatherings (Count I); failed to
employ reasonable procedures to verify that geolocation data obtained
from third parties had been collected with appropriate consumer consent
(Count II); and created and sold ``audience segments'' based on
consumers' religious beliefs, political leanings, and medical
conditions that had been derived from precise geolocation data (Count
III).\1\ Staff are to be commended for their efforts and hard work in
resolving this matter.
---------------------------------------------------------------------------
\1\ Compl. ]] 76-81.
---------------------------------------------------------------------------
My statement proceeds in two parts: Section I discusses
Respondents' collection and sale of consumers' precise geolocation data
to third parties and the alleged direct and cognizable harms resulting
from that conduct. Section II outlines my views on the necessity,
efficacy, and scope of the Proposed Order's injunctive provisions and
my interpretation of Count III of the Complaint.
I. The Alleged Harms From Respondents' Conduct
I start by recounting Respondents' alleged conduct here. The
Complaint alleges that Respondents collected and purchased vast amounts
of consumers' precise geolocation information from third-party data
suppliers and mobile applications.\2\ Through these various suppliers
and applications, Respondents claimed to collect, process, and curate
over 17 billion signals from approximately a billion mobile devices on
a daily basis.\3\ Respondents allegedly packaged and sold this
geolocation data--in both raw and enriched formats--along with other
persistent identifiers to different commercial entities and government
clients.\4\ The Complaint also alleges that Gravy separately offered
commercial entities curated ``audience segments'' for targeted
advertising, sometimes based on consumers' perceived religious beliefs,
political leanings, and medical
[[Page 96992]]
conditions derived from insights about their geolocation data.\5\
---------------------------------------------------------------------------
\2\ Id. ]] 7-9.
\3\ Id. ] 9.
\4\ Id. ]] 7, 13-22.
\5\ Id. ]] 44-45, 50-53.
---------------------------------------------------------------------------
I am gravely concerned about the potential harms stemming from the
sale of consumers' geolocation data,\6\ and in certain instances, these
harms may constitute a ``substantial injury'' under section 5 of the
FTC Act.\7\ Here, the Complaint alleges that Respondents' sale of
consumers' precise geolocation data in certain circumstances enabled
their third-party clients to directly track individual consumers'
movements at sensitive ``geo-fenced'' locations, such as places of
worship, medical facilities, and political events, with no guardrails
or oversight.\8\ The Complaint further alleges that this practice
directly revealed consumers' political, religious, and medical
activities, and thus, constitutes a ``substantial injury'' under
section 5.\9\ I agree. As I explained in the Kochava action, selling
``precise geolocation information revealing political, medical, or
religious activities, without consumers' consent to willing purchasers,
. . . breaches [consumers'] trust and jeopardizes Americans'
freedoms.'' \10\ Thus, under these circumstances, the alleged sale of
consumers' precise geolocation information--data obtained from third-
party suppliers without consumers' knowledge and appropriate consent--
meets the threshold for alleging ``substantial injury'' under section
5.\11\
---------------------------------------------------------------------------
\6\ See, e.g., Dhruv Mehrotra & Dell Cameron, Anyone Can Buy
Data Tracking US Soldiers and Spies to Nuclear Vaults and Brothels
in Germany, Wired (Nov. 19, 2024) (``Experts caution that foreign
governments could use [geolocation] data to identify individuals
with access to sensitive areas; terrorists or criminals could
decipher when [U.S.] nuclear weapons are least guarded; or spies or
nefarious actors could leverage embarrassing information for
blackmail.''), <a href="https://www.wired.com/story/phone-data-us-soldiers-spies-nuclear-germany/">https://www.wired.com/story/phone-data-us-soldiers-spies-nuclear-germany/</a>.
\7\ See Concurring Statement of Comm'r Melissa Holyoak, Kochava,
Inc., FTC Matter No. X230009, at 2 (July 15, 2024) (``I agree that
the complaint adequately alleges a likelihood of substantial injury,
in the revelation of sensitive locations implicating political,
medical, and religious activities. The Commission's effort to
protect the privacy of consumers' precise geolocation data in this
case correlates to judicial recognition, in other contexts, of how
significant such information is.''), <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/2024-7-15-Commissioner-Holyoak-Statement-re-Kochava-final.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/2024-7-15-Commissioner-Holyoak-Statement-re-Kochava-final.pdf</a>.
\8\ Compl. ]] 11-12, 16, 18-22, 25-26.
\9\ Id. ]] 48, 50-53, 56-57, 59.
\10\ Holyoak Concurring Statement, supra note 7, at 3.
\11\ The Complaint alleges several secondary (and indirect)
harms that may arise from Respondents' conduct, including ``stigma,
discrimination, physical violence, emotional distress, and other
harms.'' See Compl. ]] 60-69. I have concerns about whether certain
secondary harms are legally cognizable, and whether we could meet
our burden of proof--at summary judgment or trial--that Respondents'
practices raised a ``significant risk of concrete harm'' to
consumers. Cf. FTC v. Neovi, Inc., 604 F.3d 1150, 1157-58 (9th Cir.
2010) (``An act or practice can cause `substantial injury' by doing
a `small harm to a large number of people, or if it raises a
significant risk of concrete harm.' '' (citation omitted)); In re
Soc. Media Adolescent Addiction/Pers. Inj. Prod. Liab. Litig., No.
4:23-CV-05448-YGR, 2024 WL 4532937, at *29 (N.D. Cal. Oct. 15, 2024)
(concluding that the States plausibly alleged a ``substantial
injury'' for Meta's alleged unfair conduct because: (1) ``body image
and eating disorders'' are real medical conditions, (2) ``knowingly
developing tools that encourage youth addiction `cannot fairly be
classified as either trivial or speculative,' '' and (3) the States'
allegations present a ``substantial risk of imposing at least a
`small harm to a large number of people,' . . . , given these
practices are allegedly targeted at all minor users of Facebook and
Instagram'') (internal citations omitted)). I await guidance from
future court decisions, including in the Commission's ongoing
Kochava litigation, about these harms.
---------------------------------------------------------------------------
In addition, consumers' precise geolocation data can be easily
misused by law enforcement to impinge on basic freedoms under the
United States Constitution, including Americans' Fourth Amendment
rights against wrongful government surveillance.\12\ I share
Commissioner Bedoya's concerns about this practice and the harms it
poses to Americans.\13\ The continued misuse of geolocation data by law
enforcement is an ongoing and extant threat to Americans' civil
liberties.\14\ Moreover, foreign actors can readily purchase precise
geolocation data about Americans, including our active-duty military
personnel, with no oversight or guardrails, which can pose serious
national security and counterintelligence risks.\15\
---------------------------------------------------------------------------
\12\ Holyoak Concurring Statement, supra note 7, at 2-3
(describing how ``government officials can purchase precise
geolocation data from commercial data brokers in ways that may
circumvent Fourth Amendment protections,'' and how ``[t]here are
examples of public-private collaboration in other settings, too,
suggesting that government and private-sector entities increasingly
work together to leverage consumers' private information without
compulsory or formal process, such as a warrant'') (citations
omitted); see also id. at 3 n.12 (citing Lee Fang, FBI Expands
Ability to Collect Cellphone Location Data, Monitor Social Media,
Recent Contracts Show, The Intercept (June 24, 2020), <a href="https://theintercept.com/2020/06/24/fbi-surveillance-social-mediacellphone-dataminr-venntel/">https://theintercept.com/2020/06/24/fbi-surveillance-social-mediacellphone-dataminr-venntel/</a>).
\13\ See Concurring Statement of Comm'r Alvaro Bedoya, In re
Gravy Analytics, Inc., FTC Matter No. 2123035, at Sec. III (Dec. 3,
2024).
\14\ See, e.g., H.R. Rep. No. 118-459, pt. 1, at 2 (Apr. 15,
2024) (``H.R. 4639, the Fourth Amendment Is Not For Sale Act . . .
closes the legal loophole that allows data brokers to sell
Americans' personal information to law enforcement, intelligence
agencies, and other government agencies without the agency first
acquiring a warrant. If the agency were to gather this information
itself, it would be required to obtain a warrant, subpoena, or other
legal order. By closing this loophole, the bill prevents government
agencies from conducting an end-run around the protections of the
Fourth Amendment.'').
\15\ Supra note 6.
---------------------------------------------------------------------------
Although I firmly believe that a comprehensive solution for the
sale and disclosure of consumers' geolocation information requires
Congressional action,\16\ the Commission should not shy away from using
all available enforcement tools in the interim to address the evolving
practices in the location data broker industry. The Commission should
also investigate how location data brokers share geolocation data about
Americans with foreign or malign actors. And where the facts warrant
it, the Commission should consider stronger injunctive remedies in
those cases, including restrictions that prevent or impede the sale of
geolocation data about Americans, especially our servicemembers and
their families, to bad actors overseas.
---------------------------------------------------------------------------
\16\ See generally H.R. 4639, Fourth Amendment Is Not For Sale
Act, Sec. 2 (``A law enforcement agency of a governmental entity
and an element of the intelligence community may not obtain from a
third party in exchange for anything of value a covered customer or
subscriber record or any illegitimately obtained information.'');
H.R. 815, Public Law 118-50, Division I, Protecting Americans' Data
from Foreign Adversaries Act of 2024, Sec. 2 (``It shall be
unlawful for a data broker to sell, license, rent, trade, transfer,
release, disclose, provide access to, or otherwise make available
personally identifiable sensitive data of a United States individual
to--(1) any foreign adversary country; or (2) any entity that is
controlled by a foreign adversary.'').
---------------------------------------------------------------------------
II. The Proposed Order and Count III of the Complaint
I also write separately today to share my views on the Proposed
Order's injunctive provisions and my interpretation of Count III of the
Complaint (Unfair Sale of Sensitive Inferences Derived from Consumers'
Location Data). To begin with, let me be clear: my vote for today's
settlement should not be read as a full-throated endorsement of the
Proposed Order in its entirety or every allegation in the Complaint. I
have serious concerns about whether the Commission could obtain many of
the Proposed Order's injunctive provisions in a contested
litigation.\17\ Indeed, while the Federal district court in the Kochava
litigation may address the propriety of various types of injunctive
relief from the Proposed Order in the coming months, I will continue to
reserve judgment here. I also have questions about the necessity and
efficacy of the injunctive provisions found in Sections VI, VII, and
IX,\18\
[[Page 96993]]
which first appeared in the X-Mode Social matter before my arrival at
the Commission.\19\ As we turn the page on the last four years, the
Commission should comprehensively examine the utility of the type of
injunctive relief found in today's Proposed Order in the future and
implement changes where warranted.\20\
---------------------------------------------------------------------------
\17\ See, e.g., Dissenting Statement of Comm'r Melissa Holyoak,
Joined by Comm'r Andrew N. Ferguson, In re Rytr, LLC, FTC Matter No.
2323052, at 1 (Sept. 25, 2024) (``As I have suggested recently in
other contexts, the Commission should steer clear of using
settlements to advance claims or obtain orders that a court is
highly unlikely to credit or grant in litigation.''), <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/holyoak-rytr-statement.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/holyoak-rytr-statement.pdf</a>.
\18\ For example, these injunctive provisions collectively
require Respondents to ensure that consumers have affirmatively
consented to all upstream uses of their location data, such as for
targeted advertising, and provide opt-out mechanisms for consumers
to withdraw consent directly with Respondents, even though
Respondents ``do not collect mobile location data directly from
consumers'' and consumers ``have no interactions with Respondents
and have no idea that Respondents have obtained their location
data.'' Compl. ] 8; see generally Proposed Decision and Order
Sec. Sec. VI (Limitations on Collection, Use, Maintenance, and
Disclosure of Location Data), VII (Supplier Assessment Program), and
IX (Withdrawing Consent). I question the efficacy of these
provisions given their focus on Respondents, which are upstream from
the initial collection of this data from consumers. While ensuring
appropriate consent for all upstream uses of consumers' data is
laudable goal, the Commission may be better served by focusing
injunctive relief on the companies that collect this data in the
first instance, not upstream data aggregators like Respondents.
\19\ Compare Proposed Decision and Order Sec. Sec. VI
(Limitations on Collection, Use, Maintenance, and Disclosure of
Location Data), VII (Supplier Assessment Program), and IX
(Withdrawing Consent) with In re X-Mode Social, Inc. and Outlogic,
LLC, FTC Matter No. 212-3038, Proposed Decision and Order Sec. Sec.
VI-VII, IX (Jan. 9, 2024), <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/X-Mode-D%26O.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/X-Mode-D%26O.pdf</a>.
\20\ During the first Trump administration, the Commission held
several public hearings on Competition and Consumer Protection in
the 21st Century, including to solicit public and industry feedback
on improvements to the Commission's data security orders. See
Hearings on Competition & Consumer Protection in the 21st Century,
Fed. Trade Comm'n (2018-19), <a href="https://www.ftc.gov/enforcement-policy/hearings-competition-consumer-protection">https://www.ftc.gov/enforcement-policy/hearings-competition-consumer-protection</a>. Following these public
hearings, the Commission updated its data security orders, and FTC
staff explained the key changes in public-facing guidance. See
Andrew Smith, Former Director of the Bureau of Consumer Protection,
New and Improved FTC Data Security Orders: Better Guidance for
Companies, Better Protection for Consumers, FTC Business Blog (Jan.
6, 2020), <a href="https://www.ftc.gov/business-guidance/blog/2020/01/new-and-improved-ftc-data-security-orders-better-guidance-companies-better-protection-consumers">https://www.ftc.gov/business-guidance/blog/2020/01/new-and-improved-ftc-data-security-orders-better-guidance-companies-better-protection-consumers</a>.
---------------------------------------------------------------------------
A. Proposed Order
While today's settlement is not perfect by any measure, several
provisions in the Proposed Order will mitigate the harms resulting from
Respondents' allegedly unlawful practices--i.e., the disclosure of
consumers' political, religious, and medical activities. Critically,
the Proposed Order will prohibit the unauthorized sale or disclosure of
``Sensitive Location Data''--geolocation data associated with military
installations and buildings, medical facilities, religious
organizations, childcare and education services, and many others--to
third parties.\21\ It also requires Respondents to implement a
``Sensitive Data Location'' program, as well as prophylactically avoid
associating consumers' precise geolocation data with (1) political
demonstrations, marches, and protests and (2) residences for individual
consumers.\22\ The Proposed Order further requires Respondents to offer
individual consumers the ability to request deletion of their
geolocation data in Respondents' datasets.\23\
---------------------------------------------------------------------------
\21\ Proposed Decision and Order Sec. II; see also id. at 2
(Definitions).
\22\ See id. Sec. Sec. III-IV. Indeed, I believe the Proposed
Order's terms will prevent some of the unfortunate public-private
partnerships we have seen recently in the context of political
activity. See, e.g., Holyoak Concurring Statement, supra note 7, at
3 n.13.
\23\ Proposed Decision and Order Sec. XI.
---------------------------------------------------------------------------
I support Sections II, III, IV, and XI of the Proposed Order since
they are directly tied to Respondents' alleged conduct, help mitigate
the specific harms from disclosing consumers' political, religious, and
medical activities, and properly balance the costs and benefits, as
required by section 5 of the FTC Act. But today's settlement also has
important limits, particularly with the sale and use of ``Sensitive
Location Data''. In my view, the Proposed Order strikes the proper
balance under our unfairness authority. Permitting the use and
disclosure of precise geolocation information to third parties for
national security or data security purposes,\24\ or to prevent imminent
risk of death or serious bodily harm,\25\ presents tangible benefits
that appropriately fall within the confines of the Proposed Order's
carefully negotiated definitions.
---------------------------------------------------------------------------
\24\ See Proposed Decision and Order at 4 (defining ``National
Security'' to mean ``the national defense, foreign intelligence and
counterintelligence, international and internal security, and
foreign relations[,]'' which ``includes countering terrorism;
combating espionage and economic espionage conducted for the benefit
of any foreign government, foreign instrumentality, or foreign
agent; enforcing export controls and sanctions; and disrupting cyber
threats that are perpetrated by nation states, terrorists, or their
agents or proxies'').
\25\ Id. at 4 (defining ``Location Data'' to exclude data used
for ``National Security'' purposes, ``Security Purposes,'' and
``response by a federal law enforcement agency to an imminent risk
of death or serious bodily harm to a person'').
---------------------------------------------------------------------------
At the same time, the Proposed Order's restrictions on further
disclosure of consumers' geolocation data help protect American
citizens' constitutional rights under the Fourth Amendment of the
United States Constitution. Fourth Amendment rights should not be for
sale, under any circumstance. I agree with Commissioner Bedoya on this
issue and the importance of the Proposed Order's restrictions here.\26\
Constitutionally appropriate process, such as warrants or subpoenas,
exists for law enforcement to obtain information it needs, without
resorting to purchasing consumers' precise geolocation data from
unscrupulous location data brokers to circumvent judicial
oversight.\27\ Nor does the Proposed Order have a deleterious impact on
law enforcement efforts. Law enforcement personnel can always avail
themselves of the appropriate legal process to obtain such data in a
manner that comports with Fourth Amendment requirements.
---------------------------------------------------------------------------
\26\ Bedoya Concurring Statement, supra note 13, at Sec. IV.
\27\ Holyoak Concurring Statement, supra note 7, at 2-3.
---------------------------------------------------------------------------
B. Count III (Unfair Sale of Sensitive Inferences)
The Complaint alleges that Gravy created and sold custom ``audience
segments'' based on consumers' religious beliefs, political leanings,
and medical conditions by geo-fencing sensitive locations, such as
breast cancer events, specific churches, and ``Republican focused
political events.'' \28\ The sale of ``audience segments'' tied to
consumers' religious beliefs, political leanings, and medical
conditions qualifies as an unfair practice: it ``causes or is likely to
cause substantial injury'' by revealing consumers' political,
religious, and medical activities (as discussed supra in Section I),
consumers cannot reasonably avoid the harm (they are not aware of
Respondent and did not consent to the use), and it is not outweighed by
any countervailing benefits to consumers or competition.\29\ For these
reasons, I support Count III.
---------------------------------------------------------------------------
\28\ Compl. ]] 50-53.
\29\ Id. ]] 56-59.
---------------------------------------------------------------------------
However, my vote today does not entail broader support for the
Majority's continued effort to deem targeted advertising an unfair
practice under section 5. Nor should my vote be construed as endorsing
the Complaint's theory about secondary harm to consumers.\30\ As I have
explained before, we must ``tease out the complexity of the privacy
debate'' and ``press for more empirical research'' to ground our
unfairness analysis.\31\ Our complaints cannot simply rely on
politically charged buzzwords. For example, the Complaint here
expresses concerns with Gravy's practice of creating general ``audience
segments''
[[Page 96994]]
for targeted advertising--e.g., ``Sports Betting Enthusiast[s],''
``Early Risers,'' ``Healthy Dads,'' ``New Parents'', or ``Parents with
Young Kids'' \32\ But the Complaint fails to confront how these
audience segments create a ``significant risk of concrete harm'' and
ignores the potential benefits to consumers and competition.
Behaviorally targeted advertising may produce more relevant ads to
consumers, reducing their search costs and allowing small businesses
and new market entrants to connect with a broader consumer base.\33\
---------------------------------------------------------------------------
\30\ Id. ]] 60-69.
\31\ Melissa Holyoak, Remarks at National Advertising Division,
A Path Forward on Privacy, Advertising, and AI, at 7 (Sept. 17,
2024), <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/Holyoak-NAD-Speech-09-17-2024.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/Holyoak-NAD-Speech-09-17-2024.pdf</a>.
\32\ Compl. ]] 47-49.
\33\ See, e.g., Commissioner Holyoak Remarks, supra note 31, at
6.
---------------------------------------------------------------------------
Moreover, my vote should not be construed as support for deeming
the use of sensitive data or the categorization of sensitive data as
unlawful in every circumstance. Consumers may be deceived or harmed
where their sensitive data is used without their knowledge or consent,
contrary to their reasonable expectations. But context matters. For
example, if a consumer searches online for nearby pediatricians close
to their home, then serving ads in other contexts for pediatrician
offices and groups based on the consumer's location may be both
reasonable and desirable. If a consumer subscribes to a podcast on a
certain type of politics, advertisements for other political podcasts
may be of interest to that consumer.
We also need to disentangle any objections to the content of an
advertisement from the practices of categorization and targeting
generally. Take, for example, the practice of categorizing consumers
into the ad segment ``women over 50 suffering from breast cancer.'' An
advertiser may use that segment to target ads for well-validated
treatments, potentially connecting women with life-saving care. Or an
advertiser could use that segment to target ads for bogus treatments.
We should not conflate our concern about deceptive advertising (the
bogus treatment) with the lawful act of categorizing and targeting
based on sensitive data, lest we undermine the ability to connect women
with life-saving care. This is just one example of the potentially
beneficial or harmful content served to audience segments. Certain
types of categorization and targeting may offer similar benefits to
consumers and competition, if used properly and in a lawful manner.\34\
---------------------------------------------------------------------------
\34\ See generally Concurring and Dissenting Statement of Comm'r
Melissa Holyoak, Social Media and Video Streaming Services Staff
Report, Matter No. P205402, at 15-18 (Sept. 19, 2024), <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/commissioner-holyoak-statement-social-media-6b.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/commissioner-holyoak-statement-social-media-6b.pdf</a>.
---------------------------------------------------------------------------
As we consider these types of difficult privacy questions in the
future, it is of paramount importance that we challenge only unfair or
deceptive conduct, supported by specific facts and empirical research,
rather than demonizing the entire digital advertising industry.\35\ And
until Congress acts to address privacy directly through legislation, it
is vital we recognize and abide by the limited remit of the
Commission's statutory authority.
---------------------------------------------------------------------------
\35\ Commissioner Holyoak Remarks, supra note 31, at 5-7.
---------------------------------------------------------------------------
Concurring and Dissenting Statement of Commissioner Andrew N. Ferguson
Today the Commission approves complaints against, and proposed
consent orders with, Gravy Analytics \1\ (``Gravy'') \2\ and
Mobilewalla \3\ for various practices concerning the collection and
dissemination of precise location data allegedly constituting unfair or
deceptive acts or practices in violation of section 5 of the Federal
Trade Commission Act.\4\ Gravy and Mobilewalla are data brokers that
aggregate and sell consumer data, including location data.\5\ Gravy and
Mobilewalla do not collect the data from consumers.\6\ Those data are
collected from applications that consumers use on their smartphones,
and Gravy and Mobilewalla purchase or otherwise acquire those data
after they are collected.\7\ Gravy and Mobilewalla then sell those data
to private firms for advertising, analytics, and other purposes, as
well as to the government.\8\
---------------------------------------------------------------------------
\1\ Also named is Venntel, Inc., a wholly-owned subsidiary of
Gravy Analytics.
\2\ Complaint, In re Gravy Analytics (``Gravy Complaint'').
\3\ Complaint, In re Mobilewalla (``Mobilewalla Complaint'').
\4\ 15 U.S.C. 45.
\5\ Gravy Complaint ] 7; Mobilewalla Complaint ]] 3, 18.
\6\ Gravy Complaint ] 8; Mobilewalla Complaint ] 4.
\7\ Gravy Complaint ]] 9-10; Mobilewalla Complaint ]] 4, 5.
\8\ Gravy Complaint ]] 13-21; Mobilewalla Complaint ]] 6, 19,
36. As my colleagues' statements make clear, the sale of data to the
government for law-enforcement, national-security, and immigration-
enforcement purposes implicates different constitutional and
statutory questions than the sale of those same data to private
firms. I take no firm position on those questions except to say that
I believe that the restrictions on sale to the government in the
Gravy order are lawful.
---------------------------------------------------------------------------
Part I
I concur entirely in two of the counts the Commission brings
against both firms, and one that we bring against Mobilewalla alone.
These counts are sufficient to justify my vote in favor of submitting
the complaints and proposed consent orders for public comment. First,
the Commission alleges that Gravy and Mobilewalla sell consumers'
precise location data without taking sufficient measures to anonymize
the information or filter out sensitive locations.\9\ This type of
data--records of a person's precise physical locations--is inherently
intrusive and revealing of people's most private affairs. The sale of
such revealing information that can be linked directly to an individual
consumer poses an obvious risk of substantial injury to that
consumer.\10\ The theft or accidental dissemination of those data would
be catastrophic to the consumer. The consumer cannot avoid the injury.
Unless the consumer has consented to the sale of intimate data linked
directly to him, the sale of the data happens entirely without his
knowledge.\11\ Finally, given that the anonymized data remain valuable
to firms for advertising and analytics, the injury that the consumer
suffers is not outweighed by any countervailing benefits for the
consumer.\12\ The sale of non-anonymized, precise location data without
first obtaining the meaningfully informed consent of the consumer is
therefore an unfair act or practice in violation of section 5.
---------------------------------------------------------------------------
\9\ Gravy Complaint ]] 73-75; Mobilewalla Complaint ]] 66-67.
\10\ 15 U.S.C. 45(n); see FTC v. Kochava, Inc., 715 F. Supp. 3d
1319, 1323-24 (D. Idaho 2024).
\11\ 15 U.S.C. 45(n).
\12\ Ibid.
---------------------------------------------------------------------------
Second, the Commission accuses both companies of collecting, using,
and selling precise location information without sufficiently verifying
that the consumers who generated the data consented to the collection
of those data by the applications that collected it.\13\ Given that the
failure to obtain meaningful consent to the collection of precise
location data is widespread, data brokers that purchase sensitive
information cannot avoid liability by turning a blind eye to the strong
possibility that consumers did not consent to its collection and sale.
The sale of precise location data collected without the consumer's
consent poses a similarly unavoidable and substantial risk of injury to
the consumer as does the sale of the non-anonymized data. I therefore
concur in these counts against Gravy and Mobilewalla.\14\
---------------------------------------------------------------------------
\13\ Gravy Complaint ]] 76-78; Mobilewalla Complaint ]] 71-72.
\14\ Section 5 does not impose strict liability for the purchase
of precise location data collected without the consumer's consent,
nor do I understand the complaints and orders as interpreting
section 5 hold data brokers strictly liable for every purchase of
precise location data that was collected without the consumer's
consent. Data brokers need only take reasonable steps to ensure that
the data they are acquiring were originally collected with the
consumer's consent. Gravy Complaint ] 76 (faulting Gravy for not
taking ``reasonable steps to verify that consumers provide informed
consent to Respondents' collection, use, or sale of the data for
commercial and government purposes.''); Mobilewalla Complaint ] 71
(similar).
---------------------------------------------------------------------------
[[Page 96995]]
I further concur in one additional count charged against
Mobilewalla alone. The Commission accuses it of having committed an
unfair act or practice for its conduct on real-time bidding exchanges
(RTBs).\15\ An RTB is a marketplace where advertisers bid in real time
on the opportunity to show an advertisement to a user as the user is
visiting a website or using an application.\16\ The auctions take place
in the blink of an eye, and the listings on which advertisers bid
include information such as the user's mobile advertising ID (MAIDs)
and current precise location.\17\ Advertisers crave these data because
it allows them to maximize the value of each ad impression by
displaying the ads only to the users most likely to find the
advertisement useful. The Commission accuses Mobilewalla of sitting on
the RTBs, submitting bids, collecting the MAIDs and location data for
the bids, retaining those data even when it did not win the auction,
and combining those data with data acquired from other sources to
identify the user represented by the MAID.\18\ It aggregated and sold
this combined identity and location information to its clients.\19\
This alleged practice violated Mobilewalla's legal contracts with the
exchanges.\20\
---------------------------------------------------------------------------
\15\ Mobilewalla Complaint ] 70.
\16\ Id. ] 9.
\17\ Ibid.
\18\ Id. ]] 12-15.
\19\ Id. ] 18.
\20\ Mobilewalla Complaint ] 10.
---------------------------------------------------------------------------
The violation of a private contract alone is not enough to
establish a violation of section 5.\21\ But these agreements protected
more than just Mobilewalla's contractual counterparties. They also
protected large numbers of consumers from the risk of having their
private data aggregated, linked to their identity, and sold without
their consent, as Mobilewalla did. Mobilewalla's breach of its
contractual obligations therefore exposed consumers to the same
substantial risk of injury as collection of their data without consent,
was not reasonably avoidable by consumers (as this conduct was far
removed from their knowledge and control), and was not outweighed by
any countervailing benefits to consumers. It is therefore in the public
interest to hold Mobilewalla liable for this conduct under section 5,
as it would be even if no contract governed Mobilewalla's obligations
regarding the unconsented collection and retention of these precise
location data.\22\
---------------------------------------------------------------------------
\21\ See FTC v. Klesner, 280 U.S. 19, 28 (1929) (Section 5's
requirement that enforcement ``would be to the interest of the
public'' is not satisfied in the case of a purely private dispute,
as ``the mere fact that it is to the interest of the community that
private rights shall be respected is not enough to support a finding
of public interest.'').
\22\ See id. at 27-28 (explaining that protection of private
rights can be incident to the public interest, and that such cases
might include those where the conduct threatens the existence of
competition, involves the ``flagrant oppression of the weak by the
strong,'' or where the aggregate loss is sufficient to make the
matter one of public consequence but incapable of vindication by
individual private suits).
---------------------------------------------------------------------------
Part II
I dissent from the Commission's counts against both firms accusing
them of unfairly categorizing consumers based on sensitive
characteristics, and of selling those categorizations to third
parties.\23\ The FTC Act prohibits the collection and subsequent sale
of precise location data for which the consumer has not consented to
the collection or sale. It further requires data brokers to take
reasonable steps to ensure that consumers originally consented to the
collection of the data that the data brokers subsequently use and sell.
If a company aggregates and categorizes data that were collected
without the consumer's consent, and subsequently sells those
categorizations, it violates section 5. But it does so only because the
data were collected without consent for such use, not because the
categories into which it divided the data might be on an indeterminate
naughty categories list. The FTC Act imposes consent requirements in
certain circumstances. It does not limit how someone who lawfully
acquired those data might choose to analyze those data, or the
conclusions that one might draw from them.\24\
---------------------------------------------------------------------------
\23\ Gravy Complaint ]] 79-81; Mobilewalla Complaint ]] 68-69.
\24\ Of course, other laws might prohibit particular uses of
data that were collected consistently with the requirements of
section 5. Using lawfully obtained data to draw conclusions about a
consumer's race alone would not violate section 5, but using those
conclusions to make an employment or housing decision, for example,
might violate the Civil Rights Act of 1964, 42 U.S.C. 2000e et seq.,
or the Fair Housing Act, 42 U.S.C. 3601 et seq. But merely drawing a
conclusion from lawfully obtained data does not violate section 5.
---------------------------------------------------------------------------
Consider an analogous context: the collection of data by private
investigators. Private investigators do not violate the law if they
follow someone on the public streets to his place of employment,
observe him entering a church, observe him attending the meeting of a
political party, or watch him enter a hospital. These are all public
acts that people carry out in the sight of their fellow citizens every
day. Nor do private investigators violate the law by concluding from
their lawful observations that the person works for that company,
practices that religion, belongs to that political party, or suffers
from an illness. Nor would the law prohibit the private investigator
from selling his conclusions to a client. But the law would forbid
private investigators from trespassing on the employer's property; from
surreptitiously planting cameras inside the church sanctuary to observe
the rites; from recording the proceedings of the political meeting
without consent; or from extorting hospital staff for information about
the person's condition. The law prohibits collecting data in unlawful
ways; it does not prohibit drawing whatever conclusions one wants, or
selling those conclusions to someone else, so long as the data from
which the conclusions were drawn were lawfully obtained.
The same principle should apply to section 5. The added wrinkle is
that in the information economy, private data are usually collected in
the context of a commercial relationship between the user and the
developer of an application or website. Just as we expect a merchant to
disclose the material terms of a transaction before collecting payment,
we expect that the user of an app or website be informed of how their
private information--part, and often all, of the consideration they
give in exchange for use of the app or website--will be collected and
used, and given a chance to decline the transaction. Commercial
fairness might also require more than vague hidden disclosures,
especially when the loss of privacy is substantial, as is the case with
collection of precise location data and its sale to third parties.
Rather than faulting these companies for disclosing data about
users without adequate consent, these counts in the complaints focus
instead on the inherent impropriety of categorizing users according to
so-called ``sensitive characteristics.'' Perhaps my colleagues are
worried that advertisements targeted on the basis of these categories
can cause emotional distress--the theory they advanced in the
Commission's Social Media 6(b) Report earlier this year.\25\ But as I
argued then, it is folly
[[Page 96996]]
to try to identify which characteristics are sensitive and which are
not. ``[T]he list of things that can trigger each unique individual's
trauma is endless and would cover every imaginable'' advertisement
based on every possible categorization, so whatever lines we end up
drawing will be ``either arbitrary or highly politicized.'' \26\
---------------------------------------------------------------------------
\25\ FTC, A Look Behind the Screens: Examining the Data
Practices of Social Media and Video Streaming Services, An FTC Staff
Report, at 44 (Sept. 2024), <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/Social-Media-6b-Report-9-11-2024.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/Social-Media-6b-Report-9-11-2024.pdf</a>.
\26\ Concurring and Dissenting Statement of Commissioner Andrew
N. Ferguson, A Look Behind the Screens: Examining the Data Practices
of Social Media and Video Streaming Services, at 5 (Sept. 19, 2024),
<a href="https://www.ftc.gov/system/files/ftc_gov/pdf/ferguson-statement-social-media-6b.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/ferguson-statement-social-media-6b.pdf</a>.
---------------------------------------------------------------------------
We can already see this dysfunction in these complaints, which
mention as sensitive characteristics race, ethnicity, gender, gender
identity, sexual orientation, pregnancy, parenthood, health conditions,
religion, and attendance of a political protest, among others.\27\
While some of these characteristics often entail private facts, others
are not usually considered private information. Attending a political
protest, for example, is a public act. The public expression of
dissatisfaction or support is the point of a protest. Treating
attendance at a political protest as uniquely private and sensitive is
an oxymoron. Moreover, there are no objective criteria on which to base
this list.\28\ The statute provides no guidance. The list is therefore
a purely subjective creation of Commission bureaucrats. And it excludes
categories that many would consider deeply private and sensitive.\29\
And if we did a full accounting of characteristics that someone,
somewhere might consider sensitive, no useful categorizations would
remain. If what we are worried about is that the generation and sale of
these categorizations will be a substitute for the sale of the user
data from which they are derived, the correct approach is to treat
conclusions derived from user data as no different than the underlying
data. In either case, adequate consent is required for their
collection, use, and sale.
---------------------------------------------------------------------------
\27\ Mobilewalla Complaint ]] 27-32.
\28\ See Kyllo v. United States, 533 U.S. 27, 38-39 (2001)
(rejecting a Fourth Amendment rule that limited thermal-imaging data
collection to only ``intimate details'' because of the impossibility
of developing a principled distinction between intimate and
nonintimate information).
\29\ Gun ownership is an example. In many States, citizens are
free to own guns without registering them. There is therefore no
public record that a person owns a gun. And in constitutional-carry
States, a citizen may carry his handgun in concealment without the
government's permission, which means that bearing a firearm outside
the home remains a private act. I expect many Americans would be
horrified if their sensitive location data were used to place them
in a ``gun owner'' category, and that category were then sold to
other firms or to the government--particularly banks have gotten in
the habit of ejecting customers who engaged in disfavored
activities. Yet gun ownership does not make the Commission's list.
But political protests do. It is hard to see this list as anything
other than the product of arbitrary or political decision making.
---------------------------------------------------------------------------
Finally, I have doubts about the viability of a final charge levied
against Mobilewalla for indefinitely retaining consumer location
information.\30\ It is a truism that data stored indefinitely is at a
greater risk of compromise than data stored for a short period of time.
But nothing in section 5 forms the basis of standards for data
retention. The difficulty is illustrated perfectly by the proposed
order we approve today. Rather than impose any particular retention
schedule, it merely requires that Mobilewalla:
---------------------------------------------------------------------------
\30\ Mobilewalla Complaint ]] 73-74.
. . . document, adhere to, and make publicly available . . . a
retention schedule . . . setting forth: (1) the purpose or purposes
for which each type of Covered Information is collected or used; (2)
the specific business needs for retaining each type of Covered
Information; and (3) an established timeframe for deletion of each
type of Covered Information limited to the time reasonably necessary
to fulfill the purpose for which the Covered Information was
collected, and in no instance providing for the indefinite retention
of any Covered Information . . .\31\
---------------------------------------------------------------------------
\31\ Decision and Order, In re Mobilewalla, Inc., at 13.
Given that Mobilewalla is in the business of selling user
information, and that the marginal cost of data storage is low, the
``specific business need'' can be nothing more than the possible
existence in the future of some buyer willing to pay more than the low
cost of storage to acquire the data. I see no reason why Mobilewalla
could not set a retention period of many decades based on this
reasoning. In fact, while two-year-old location data is intuitively
less valuable than one-year-old location data, it is quite plausible
that twenty- or thirty-year-old location data is more valuable than
location data that is only a few years old, as it may allow advertisers
to tap into nostalgic sentiments.
The trouble with both the sensitive-categories count and the data-
retention count is that the text of section 5 cannot bear the
tremendous weight my colleagues place on it. My colleagues want the FTC
Act to be a comprehensive privacy law. But it is not. Comprehensive
privacy regulation involves difficult choices and expensive tradeoffs.
Congress alone can make those choices and tradeoffs. It did not do so
when it adopted the general prohibitions of section 5 nearly nine
decades ago. And it has not adopted comprehensive privacy legislation
since then. We must respect that choice.
Until Congress acts, we should vigorously protect Americans'
privacy by enforcing the laws Congress has actually passed. But we must
not stray from the bounds of the law. If we do, we will sow uncertainty
among legitimate businesses, potentially disrupt the ongoing
negotiations in Congress on privacy legislation, and risk damaging
losses for the Commission in court.
[FR Doc. 2024-28738 Filed 12-5-24; 8:45 am]
BILLING CODE 6750-01-P
</pre></body>
</html>Indexed from Federal Register on December 6, 2024.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.