Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

The U.S. Federal Trade Commission's recent enforcement actions against Mobilewalla and Gravy Analytics signal the agency expects companies to conduct risk-based due diligence and verify consent.

While the unfairness prong of Section 5 of the FTC Act formed the grounds of those complaints and may generally be leveraged less frequently with the current composition of FTC commissioners, the majority, concurring and dissenting statements all evince a clear concern around a failure to conduct diligence. This concern was also expressed in previous FTC enforcement actions, e.g., InMarket and X-Mode Social.

Indeed, Chairman Andrew Ferguson stated in his concurrence, "data brokers that purchase sensitive information cannot avoid liability by turning a blind eye to the strong possibility that consumers did not consent to its collection and sale." Instead, they must "take reasonable steps to ensure that the data they are acquiring were originally collected with the consumer's consent."

The FTC's approach to diligence does not exist in a vacuum. State privacy laws also include due diligence requirements by mandating contractual rights for vendor assessments and requiring data protection assessments for high-risk processing activities, including targeted advertising. State attorneys general also have tools similar to those of the FTC under their state unfair and deceptive practices statutes to regulate similar practices, as reflected in recent state enforcement actions, such as Texas v. Allstate.

While the precise reach of those cases remains unclear, it is clear businesses should establish risk-based due diligence programs, scaling diligence level to data sensitivity and potential consumer harm.

Background

Mobilewalla and Gravy Analytics are data brokers that collect, aggregate and sell consumer information, including precise geolocation. In those cases, the FTC alleges both engaged in unfair practices, including selling precise geolocation data without verifying consent for collecting, processing and selling such data.

In the Gravy Analytics complaint, the FTC pointed out the company acknowledged the need to validate consumer consent and required some data suppliers to complete questionnaires and provide consumer notice samples. However, Gravy Analytics continued to use data from suppliers with ambiguous, nonresponsive or missing answers.

Similarly, the FTC alleges Mobilewalla had a vendor due diligence process but lacked a validation mechanism to verify consumer consent for precise geolocation data collection and sharing. The FTC also criticized its annual certification process, which relied on supplier assurances without independent validation.

These enforcement actions indicate the FTC expects businesses to establish supplier assessment programs, particularly where consumer harm is manifest, and implement robust, documented supplier assessments that identify risks, ensure follow-ups and enable validation. Simply put, relying on generic due diligence questionnaires, rubber-stamping responses and boilerplate contractual provisions will not suffice.

Supplier assessment programs

The FTC's settlement orders outline common themes expected in a supplier assessment program. Under the orders, businesses will need to document the program from beginning to end, including its content, implementation and maintenance. They must conduct timely initial assessments during onboarding and annually to validate consent. Additionally, businesses should maintain a complete record of suppliers' responses and take remedial actions where suppliers are noncompliant, including refraining from using, selling, licensing, transferring, or otherwise sharing or disclosing precise geolocation data when consent cannot be verified.

Although the settlements focus on precise location data, businesses should consider applying these best practices to sensitive personal information that could cause substantial consumer harm under Section 5 if misused.

U.S. state privacy law perspectives

In addition to the FTC Act, due diligence is a logical step for meeting compliance requirements under state privacy laws.

First, most U.S. state privacy laws mandate controllers to contractually ensure processors allow for and cooperate with reasonable assessments, such as Conn. Gen. Stat. § 42-521(b). The California Consumer Privacy Act extends that requirement to include all third parties to whom the personal information is sold. It's logical to expect companies to exercise these contractual rights to identify and mitigate risks.

State regulators have indicated as much in several forums. Additionally, most U.S. state privacy laws require a controller to conduct data protection assessments for processing activities that present a heightened risk of harm to consumers and to provide them to the state attorney general upon request. These activities include processing personal information for targeted advertising, selling personal information and processing sensitive personal information.

In addition, the CCPA contains a due diligence-based liability-shifting mechanism, whereby whether a business conducts due diligence of its service providers and third parties factors into whether it may be liable for that party's wrongdoing, per Cal. Code Regs. tit. 11, §§ 7051(c) and 7053(b).

While state privacy laws impose diligence requirements on the disclosing party, the FTC's actions in Mobilewalla and Gravy Analytics provide states with an additional framework under their unfair, deceptive, or abusive acts or practices to impose liability upon a receiving party that does not conduct privacy diligence of the disclosing party. Moreover, the scope of what constitutes sensitive personal information is more clearly defined under state laws, and targeted advertising is often regarded as a high-risk activity such that it is reasonable to expect a broader scope in the receiving party's diligence obligations by the states.

Vendor due diligence after Mobilewalla and Gravy Analytics

Several best practices can be distilled from the settlement orders and the requirements of U.S. state privacy laws.

Create a sensitivity-based continuum for conducting privacy diligence. While the FTC's parameters for sensitive personal information remain unclear, state laws provide clear definitions. Companies should scale due diligence efforts based on data sensitivity and volume.

Conduct privacy due diligence upstream and downstream. While the FTC in Mobilewalla and Gravy Analytics focused on the need to verify upstream consent, state privacy laws focus on conducting downstream privacy diligence.

Conduct timely due diligence during onboarding and update assessments periodically. As the settlement consent orders indicate, due diligence is expected during onboarding. It is not a once-and-done effort; the orders expect companies to update their assessments annually.

Ask detailed, industry-relevant and processing-specific questions. Overly broad due diligence questionnaires that ask generic questions fail to yield precise answers, making noncompliance challenging to discern. The Interactive Advertising Bureau Diligence Platform addresses this concern by asking industry-specific questions designed to track digital advertising dataflows.

Impose disciplinary actions or adopt remedial measures for noncompliant data suppliers and downstream partners. This one should be a given. Businesses should address noncompliance by halting data use and/or requesting corrective action when noncompliance is identified.

Contractually require data suppliers to obtain consumer consent for sensitive personal information. As the Mobilewalla complaint clarifies, it is insufficient to rely on "vague contractual assurances" that the sale of personal information complies with applicable law. Instead, contractual representations and warranties should consider clarifying key requirements, e.g., consent for the collection and sharing of sensitive personal information, to set clear expectations between the parties on how compliance is achieved.

Conclusion

The recent FTC enforcement actions highlight the agency's expectation for third-party risk management to prevent consumer harm. A robust compliance program under U.S. privacy laws and UDAP also calls for establishing a risk-based and well-designed due diligence program. Companies should proactively allocate resources to develop comprehensive, well-documented supplier assessment programs, especially when handling sensitive personal information. Failure to do so enhances risk and will cause counterparties to balk at buying or selling such data, as we're already beginning to see in the marketplace.

Adam Eisler is legal counsel, Michael Hahn is executive vice president and general counsel, and Arlene Mu, AIGP, CIPM, CIPP/C, CIPP/US, PLS, is assistant general counsel at IAB.