RegImpact
ftcenforcement· Published 12/6/2024

Mobilewalla Inc.; Analysis of Proposed Consent Order To Aid Public Comment

The consent agreement in this matter settles alleged violations of Federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order--embodied in the consent agreement--that would settle these allegations.

What this rule actually says

The FTC settled a case against Mobilewalla Inc. for deceiving people about how their data was being collected and used. The company allegedly claimed it wasn't tracking users or selling data when it actually was doing both. This consent order now sets requirements that any company handling user data must follow: be honest about what data gets collected, how it's used, and who it's shared with—no hidden tracking or misleading privacy claims.

Who it applies to

  • If you collect user data (names, emails, behavior, location, health info, hiring info) and make any public statement about privacy or data practices, this applies to you.
  • If you're in the US, this FTC rule applies. The consent order itself targeted one company, but the underlying FTC Act prohibition on "unfair or deceptive practices" applies to all businesses operating in US markets.
  • If you're building: medical scribes (collecting patient data), hiring assistants (collecting candidate data), support chatbots (collecting user interaction logs), or any other AI product that handles personal information.
  • What's in scope: All data you collect directly from users or infer about them (behavior patterns, inferred attributes, etc.).
  • What's out of scope: Anonymous, truly aggregated data that can't be linked back to individuals—but be careful claiming anonymity; the bar is high.

What founders need to do

  1. Audit your privacy claims (1-2 days): Review your website, app, and any marketing materials. Write down every claim you make about data collection, use, and sharing. Flag anything vague or potentially misleading.
  1. Document what you actually do with data (2-3 days): Create a real inventory of what data you collect, how long you keep it, who sees it (employees, third-party APIs, etc.), and what you use it for. This becomes your source of truth.
  1. Update your privacy policy and disclosures (2-3 days): Rewrite any misleading statements. Be specific: "We collect names and email addresses to send you invoices" not "We collect data for service improvement."
  1. Set up documentation practices (ongoing, 1-2 hours/month): Keep records of data practices, third-party integrations, and any changes. The FTC looks for companies that can't explain what they do with user data.
  1. If you use third-party AI tools or APIs, verify their privacy practices and document that verification. You're responsible for what happens with user data even if another tool processes it.

Bottom line

If you collect any user data, stop claiming you're more privacy-protective than you actually are—audit your claims now and fix them, or you risk FTC action.