FTC Sues Data Broker, Condemns Improper Data Privacy Practices

August 30, 2022 - The US Federal Trade Commission (FTC) sued data broker Kochava over its alleged sale of geolocation data, signifying the Commission’s commitment to cracking down on improper location and health data privacy practices after the fall of Roe v. Wade.

The FTC alleged that the data broker knowingly sold geolocation data that could be used to trace individuals to sensitive locations, such as reproductive health clinics, domestic violence shelters, and places of worship.

“The FTC alleges that by selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence,” the FTC stated in a press release.

“The FTC’s lawsuit seeks to halt Kochava’s sale of sensitive geolocation data and require the company to delete the sensitive geolocation information it has collected.”

Idaho-based Kochava describes itself as a data marketing and analytics company that helps marketers
“establish identity, define and activate audiences, and measure and optimize their marketing across connected devices.”

READ MORE: Analytics Co. Sues FTC, Denies Allegations of Improper Data Privacy Practices

However, the FTC stated that Kochava purchases “vast troves of location information derived from hundreds of millions of mobile devices.”

“The information is packaged into customized data feeds that match unique mobile device identification numbers with timestamped latitude and longitude locations,” the FTC continued.

“According to Kochava, these data feeds can be used to assist clients in advertising and analyzing foot traffic at their stores and other locations. People are often unaware that their location data is being purchased and shared by Kochava and have no control over its sale or use.”

The FTC’s official compliant against Kochava alleged that the company’s “customized data feeds” allow purchasers to track and identify specific mobile device users.

“For example, the location of a mobile device at night is likely the user’s home address and could be combined with property records to uncover their identity. In fact, the data broker has touted identifying households as one of the possible uses of its data in some marketing materials,” the FTC explained.

READ MORE: FTC to Enforce Against Illegal Location, Health Data Privacy Practices

The risks of having precise geolocation data up for sale are plentiful. The FTC said that this data could reveal highly sensitive information about an individual’s health decisions and religious beliefs, as well as expose them to stigma and discrimination.

These data privacy risks have become even more prevalent since the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which has endangered abortion rights in many states. Lawmakers have expressed concern over the role of data brokers, as exemplified in the recently introduced Health and Location Data Protection Act.

The FTC examined a Kochava data sample that included the exact, timestamped location of more than 61 million mobile devices collected in a single week. Using this data, the FTC showed that it was possible to use the data to identify people who have visited a reproductive health clinic to obtain an abortion, or to track a person escaping domestic violence.

“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, explained in the press release.

“The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”

READ MORE: How the FTC’s Health Breach Notification Rule Will Impact Health Apps

But Kochava told a different story in its subsequent lawsuit against the FTC, denying the Commission’s allegations of its improper data privacy practices. Kochava claimed that the FTC’s lawsuit implied a misunderstanding of the company’s services.

“Specifically, the FTC claims that the Kochava Collective’s precise geolocation data is associated with MAIDs [Mobile Advertising Identifiers] and this combination makes it possible to track consumers to sensitive locations, such as therapists’ offices, addiction recovery centers, medical facilities, and women’s reproductive health clinics,” Kochava’s complaint against the FTC stated.

“The FTC also claims that because each set of coordinates is time-stamped, it is also possible to identify when a mobile device visited the location. The FTC further (wrongly) claims that Kochava employs no technical controls to prohibit its customers from identifying consumers or tracking them to sensitive locations.”

Kochava said that it does in fact collect latitude and longitude, IP addresses, and MAIDs associated with consumer devices. However, the suit claimed that Kochava does not receive the data elements until days after, nor does it link a specific location to the latitude and longitude, or identify the consumer associated with the MAID.

The intricacies of the case will be ironed out by the court. Regardless, the FTC’s decision to sue a data broker aligns with its renewed commitment to enforcing against improper and illegal consumer location and health data privacy practices. In July, the acting director of the FTC’s division of privacy and identity protection published a blog post on the FTC’s website that reiterated that the commission would not tolerate the misuse of consumer data for any purpose.

“The Commission is committed to using the full scope of its legal authorities to protect consumers’ privacy,” the blog post stated.

“We will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data. The FTC’s past enforcement actions provide a roadmap for firms seeking to comply with the law.”