US federal agencies FTC & CFPB crack down on data sharing, ringing warning bell in adland
Two US government agencies on Tuesday took action to limit the nonconsensual collection, use and sharing of consumers’ personal information. The developments could make accurate audience segmentation and ad targeting more difficult – but align with broader privacy trends globally.
Both the FTC and the CFPB are moving to restrict the collection and sale of sensitive consumer data in the US / Adobe Stock
The US’s Consumer Financial Protection Bureau (CFPB) is seeking to tighten the reins on data brokers, on Tuesday proposing a rule that would subject them to stricter oversight, including restrictions on the sale of consumers’ sensitive personal information such as phone numbers and Social Security numbers. It would also ensure that consumers’ financial information – such as their income – is only shared for “legitimate purposes, such as facilitating a mortgage approval, and not sold to scammers targeting those in financial distress,” according to the filing.
“By selling our most sensitive personal data without our knowledge or consent, data brokers can profit by enabling scamming, stalking and spying,” the agency’s director, Rohit Chopra, said in a statement published Tuesday. He said the new proposal, if adopted, would “curtail these practices that threaten our personal safety and undermine America’s national security.”
The development coincides with landmark settlements by the US Federal Trade Commission (FTC) on Tuesday against two data brokers – one involving Mobilewalla and another involving Gravy Analytics and its subsidiary Venntel. Both organizations were accused of unlawfully collecting, storing and selling the location data of millions of Americans.
According to the FTC, Mobilewalla tapped into sensitive data from real-time bidding exchanges and third-party aggregators without consumers’ knowledge. The company also used sensitive location data to build out audience segments for ad targeting. Between January 2018 and June 2020, the Georgia-based firm gathered over 500m unique advertising identifiers, paired with their precise location data, and sold this non-anonymized data to advertisers.
The agency’s chair, Lina Khan, called out the bad behavior explicitly. “Persistent tracking by data brokers can put millions of Americans at risk, exposing the precise locations where service members are stationed or which medical treatments someone is seeking,” she said in a statement. “Mobilewalla exploited vulnerabilities in digital ad markets to harvest this data at a stunning scale. The FTC is cracking down on firms that unlawfully exploit people’s sensitive location data and ensuring that we protect Americans from unchecked surveillance.”
Following the FTC settlements, both companies agreed to halt the collection of sensitive location data, delete previously gathered information and establish safeguards to prevent further misuse. The settlements also require the firms to create sensitive-location programs to shield areas such as medical facilities and religious organizations from tracking.
These settlements are just the latest in a long line of investigations into and actions against data brokers and adtech companies for privacy violations. The FTC is currently embroiled in a similar case with Kochava; the regulatory body has accused the broker of selling the geolocation data of millions of users – including from sensitive locations.
Earlier this year, Oracle settled a class action lawsuit concerning its alleged use of invasive data tracking technologies for $115m – and just weeks later announced it would shutter its entire advertising operation.
Want to go deeper? Ask The Drum
What it means for the digital advertising industry
The CFPB’s proposed rule and the FTC orders share two key goals: providing consumers with greater control over how their personal data is used, shared or sold and limiting the collection and use of sensitive data in particular – such as health or location information.
These restrictions would go further than many existing state privacy laws, which often allow organizations to gather and use data unless consumers opt out. However, some states already require opt-in consent for sensitive data.
Advertisement
The key issue for the ad industry, according to Arielle Garcia, director of intelligence at adtech watchdog Check My Ads and former chief privacy officer at UM Worldwide, is that, taken together, the CFPB’s proposal and the FTC actions are likely to create tighter limitations on the amount of data available to companies.
“The reality is that when people are given actual choice over having their visits to church or the doctor, or their income shared with an unknown number of third parties, domestically and abroad, many will choose ‘no.’ As a result, providing people with meaningful choices necessarily means a reduction in data availability,” she says.
The implications for downstream data recipients, including many adtech companies and data aggregators, may be especially significant due to mandates in the FTC orders that would require companies to implement a supplier assessment program to verify that consumer consent is obtained for all location data collection. In short, it’s an extra check. This guardrail would, in Garcia’s telling, “curb the ability to turn a blind eye and rely on contractual assurances.” She adds: “The days of plausible deniability would be no more.”
As a result, the digital advertising landscape could expect audience segments to become less accurate and less reliable.
Advertisement
Despite the potential negative effects on advertising efficacy, many advertisers – and their partners – have shifted away from a reliance on third-party data as privacy regulations proliferate in markets across the world and signal loss worsens on the open web. With these new hurdles in its way, the ad industry has embraced first-party data strategies, which are likely to remain fair game.
“Generally, non-sensitive first-party data – where there is a legitimate consumer relationship, and where that data is collected with adequate notice and choice – is not in the crosshairs,” Garcia says, “despite the fear-mongering prevalent in industry about any attempt to regulate privacy.”
Nonetheless, not every advertiser is well-positioned to build up strong first-party datasets, and limitations like those being considered by the CFPB could still limit the scale of available consumer data across the ecosystem. As such, experts such as Garcia recommend testing other approaches such as contextual targeting, running on inclusion lists and reallocating media budgets to trusted environments.
A tipping point for federal action on privacy?
The CFPB’s and the FTC’s crackdown on the collection, storage and sale of personal information aligns with broader efforts by the Biden administration to enhance consumers’ data privacy. In February, the President signed an executive order restricting the sale of Americans’ data to “countries of concern,” including China, Russia, North Korea, Iran, Venezuela and Cuba. The move rattled adland at the time, with industry leaders suggesting that it could limit the commercial uses of consumer data collected by apps including TikTok and Temu.
Tuesday’s developments could represent a “tipping point” in the momentum building to pass federal privacy legislation in the US, says Jamie Barnard, CEO and co-founder of Compliant, a data compliance firm serving the ad industry. These actions, he says, indicate “a growing commitment from regulatory bodies to enforce stricter data privacy measures,” and anticipates that they could spur similar action from other regulators and enforcement bodies.
Suggested newsletters for you
Barnard expects that the proliferation of strict privacy regulations in Europe over the last decade could serve as a “bellwether” for what’s to come in the US – and suggests that the country may soon replace its opt-out standard for consumer choice with an opt-in regime “The US will be forced to consent. It is the only viable, reliable long-term solution,” he says.
Such a change would carry major implications for the digital ad ecosystem and would require “significant adjustments for advertisers and publishers,” Barnard says, “who would need to prioritize compliance and transparency to avoid legal repercussions.”
Some other industry leaders, such as Mike Cross, executive vice-president of measurement at digital-first global agency Monks, agree that the ad industry should read the writing on the wall. These developments, he says, “underscore the importance of how enterprises centralize and govern all data they use to run their businesses, including marketing,” and warns against poor data management – which could diminish organizations’ abilities to control non-compliant practices.
Barnard goes so far as to say that “today’s … adtech model is living on borrowed time.” He anticipates that the data brokering business will require a fundamental overhaul sooner rather than later. And as a result, so too will digital advertising.
“Relying on opaque data practices and invasive tracking is unsustainable,” he says. “The call for transparency and ethical data sourcing is deafening. Advertisers must prioritize consumer trust and adopt privacy-preserving strategies. This isn’t just about compliance; it’s about aligning business practices with societal values.”
Despite the warning calls, the future of these regulatory efforts remains uncertain, particularly given the incoming administration’s stated intention to roll back consumer protections under the leadership of Donald Trump.
The CFPB’s proposal will be open for public comment until March 2025.