Sensitive data types and FTC regulation priorities

Location data has become one of the most scrutinized data types in the enforcement landscape, particularly after Dobbs v. Jackson raised awareness of how location information could be weaponized—revealing visits to reproductive health clinics, religious sites, or other sensitive venues. FTC enforcement actions against data brokers including Avast, InMarket, and OutLogic targeted the collection and sale of precise location data tied to sensitive location categories without consumer consent. Individual coordinates may seem benign, but layering on the type of location dramatically raises the sensitivity and enforcement risk. Consumer expectations matter too: most people don’t expect a flashlight app to be tracking their location, and that expectation gap is exactly where regulators look. Health data operates under similar principles. The FTC’s BetterHelp and GoodRx enforcement actions arose not from the collection of sensitive health information—which both companies legitimately needed—but from sharing that data with third parties for advertising and remarketing without informed consumer consent. The line between permissible data use and an enforcement action is crossed when data flows outside its original operational context. More broadly, browsing data stitched across sites can construct detailed dossiers that effectively function as health or behavioral profiles, which is why a senior FTC official’s suggestion that all browsing data may warrant opt-in treatment resonated as a significant signal. Enforcement doesn’t require a federal privacy law. Both the FTC and state AGs use consumer protection authority—Section 5 unfair and deceptive practices, and state equivalents—to reach conduct that violates reasonable consumer expectations. The New York AG’s recent guidance on pixel tracking is a clear example: no New York-specific privacy law is yet in place, but consumer protection authority reaches companies that make representations about data use and then fail to follow through. Regulators approach websites the same way informed consumers do—reading privacy policies and checking what technologies are firing—which means the gap between stated policy and actual practice is far more observable than most companies assume.

**Jonathan:** Let's start with with the first one of those. So firstly, data types. And we're seeing this play out, right, in this obsession with location data. And it really came, right, when v Wade was overturned. You could start to see this idea that location data could potentially be weaponized. Right? Where are you going? Are you visiting, like, religious places? Are you visiting planned parenthood and all that kind of stuff? And it really, I think, for me, raise the awareness of location data in this in the ecosystem. But, also, like, there's a consumer expectation piece to it. Right? Like, I don't know if we always expect as consumers that our location is being tracked, and sometimes we're surprised by that. Like, in some of the I think it was in the California AGs. Like, in some parts of CCPA talks about the flashlight app. As an example, like, if a flashlight app is collecting location data, that's an example where it doesn't quite meet expectations. And then, of course, health data, super sensitive data. So tell us a bit about what you're seeing in the location space and and kind of some of the enforcement actions that have come. **Raashee:** Yeah. I think, I mean, location, it's by itself. Right? Trying to track people through different sort of coordinates and different sort of, sort of variables is concerning. But when you layer on types of locations, that is even more sensitive. So religious locations, health locations, people don't need to know that I have a preschooler going to school, and that is none of their business. So, like, talk that's kinda goes beyond just sort of, your your locate your typical location tracking. So I think and the enforcements that we're seeing right now, in the cases such as Avast or InMode, Social or OutLogic. So some of the recent enforcements, these are all happen to be data brokers, but they were collecting location data and sensitive location data, which means the location is item is identifying these religious, locations or these clinics, abortion clinics, or and or sensitive health areas and health clinics. So that and then that was being shared and sold with other intermediaries within the ecosystem, and consumers are not aware of it or and they are not consenting to share this data. So those are some of the ways where we're seeing this notion of problematic data combined with the idea of how can we go upstream and how can we control it at scale. And then three, these enforcement actions coming into play. **Jonathan:** Got you. And then, like, with, I mean, health data, of course, like, we've we've we've there's been a lot of discussion around that, and it's still a little little ambiguous. Right? Like, what what what is health data? How can companies use it, as an example? What are you seeing in the, like, just biometrics, skin color, ethnicity? I mean, there's some companies that, like, like, need that data, right, to do their thing, like a makeup company as an example. Right? You need to figure out skin color. And is that does that become an issue? Do we need an opt in for that? And I think a broader question I have for you, Rashi, is do you think there's a sentiment at the FTC that all browsing data just eventually becomes opt in? Like, it doesn't stop at sensitive health data. It's like and what's your browsing problem? Yeah. What do you think? I think she Vikram said that. Right? Didn't she? **Raashee:** Yeah. Browsing was, I think when she's when that was the announcement that came out, I think that was kinda like a bombshell announcement. Like, wait. All browsing data is sensitive data. Like, again, I think the underlying, point here is that when you stitch different variables that you're collecting, you can create a very rich profile even by a sort of, like, browsing data. That is considered standard. Like, so I went to a website. I went there and looked at this article, and this article happens to be about a health condition that I may have, or I'm looking for treatment. So as you stitch a lot of these things and then they go cross site, I think that's where you can start to see a profile building. A dossier is created of a user, and that becomes a problematic area. So going to back to your question about health data. So I think this was last year when BetterHelp, enforcement came to action. So that was about sort of them sharing sensitive data with third parties for advertising purposes and without informed consent of the users. And so I think the point is companies who need they are a health company. They are they need that information. They they provide, online, health, therapy and all these sort of, like, health related services. So to your point, they need this information. But I think the buck needs to stop there. Right? They need this information to provide service and for their operations. But when this information is then shared without information to the consumer, without an informed consent, and you're using it for further advertising purposes, for remarketing, retargeting purposes, that's where the problem becomes. So it's not necessarily that companies can't collect data or can't use data, but I think there is that fine line. When that's crossed is where problems start to happen and where some enforcement and all these things start to, surface. **Jonathan:** I got you, Raj. It's interesting. Right? Because in that particular case I mean, it's not it's not I mean, actually see even though there is a factor of privacy regulator, it's you gotta ask yourself how do they do it without a privacy federal privacy law. Well, they do it with, like you said, deceptive conduct. And this map into consumer expectation, it's you're jumping on a therapy app. You're not really expecting that that information is gonna be used for advertising. Right. Right? Because you have an expectation that therapy is always one on one. And this idea that and maybe not in that case, but in some other cases that you're presenting yourself as privacy safe and transparent, but you're really not is one of the areas. I know the FTC has been digging in. I think, the point you're making was also in GoodRx where they had very clear disclaimers disclosures that your data will not be sent somewhere. Your data will be staying within the company's, four walls. **Raashee:** And and but they had a similar issue where the data was being shared with other external parties for advertising marketing purposes. **Jonathan:** Yeah. Yeah. Yeah. I mean, it's and it reminds you of the New York AG recent blog on Yeah. If you're gonna do it, if you're gonna talk about cookies and opt in, make sure you're enforcing those. Make sure you're actually, you know, doing something with that privacy choice that someone gave you. And they and that's a good example because they also say that even though there is not a clear privacy rule or law in place for New York yet, but they are using their consumer protection authority. Right. And every state has one of those. Right? The exact, different to central practice roles. **Raashee:** I wanted to ask you about data collection practices, which is not a true in your framework. The, you know, you think of the FTC and you kinda wonder, like, you know, I I don't know how many how much people think about the FTC, but, like, are they some mythical being? Where are they? Who are they? What are they doing exactly? But one of the ways I think about them is they're real people, and what I mean by that is, you know, they're just like us. But what I what I really mean by that is they can see these practices, like, pretty clearly. Like, you know, they're consumers as well. Right? So they can jump in your website pretty easy to see what's firing, pretty easy to read your privacy policy. They're looking at it from the perspective of someone who might be a privacy evangelist. Right? Like, maybe you were right when you got a website with that kind of keen eye. And at the same time, they're looking at, I mean, offline data collection practices, which hasn't come up a ton. But, you know, you go into a coffee shop and you just want your latte. And I said, well, can I get your email address for our loyalty program? And they're seeing that as well. So I'm wondering what you think of data collection practices and how the FTC is thinking about those, but I'd love to to pack that unpack that for online and offline.