The FTC scored a small win in its ongoing case against a data broker allegedly selling large amounts of location data about consumers. Most recently, in the ongoing FTC v. Kochava saga, a federal judge ruled against Kochava’s motion to dismiss the agency’s lawsuit, which claims Kochava is violating Section 5 of the FTC Act by amassing and selling data about consumers’ visits to sensitive locations, such as abortion clinics, places of worship, and domestic abuse shelters.
As Ars Technica reports, the agency says Kochava sells data “obtained from millions of mobile devices across the world” without users’ knowledge or informed consent. Kochava allegedly combines precise geolocation data with “a staggering amount of sensitive and identifying information” that is “not anonymized and is linked or easily linkable to individual consumers.”
Kochava’s customers pay thousands of dollars for that data so that they, in turn, can send their customers targeted advertisements based on categories beyond just age or gender, such as places they’ve visited or whether they’re pregnant. It could even segment consumers into categories like “all the pregnant Muslim women in Kochava’s database,” the FTC said.
The agency said using data that way, without informing consumers and obtaining their consent, intrudes into “the most private areas of consumers’ lives” and could cause consumers “substantial injury.”
Kochava openly advertises its ability to connect precise geolocation data with details such as email, demographics, and households. Based on the FTC’s complaint, the graphic below shows how Kochava markets its product to prospective customers.
Remember: The FTC’s case against Kochava follows the Dobbs decision, which overturned Roe v. Wade and cast doubt on the continuing vitality of a constitutional right to privacy. Almost immediately after the Dobbs decision, privacy groups urged lawmakers to introduce bills protecting Americans from law enforcement’s access to sensitive data that could be incriminating in a post-Dobbs world. For example, law enforcement access to period-tracking apps could put pregnant women seeking healthcare at risk of prosecution. Or worse, it could freeze women from seeking healthcare for fear they could face prosecution.
It’s not a hypothetical concern: In September 2023, police charged Brittany Watts with a felony after she miscarried in a bathroom.
As San Jose State University Prof. Grace Howard told the Associated Press, “[Roe v. Wade] was a clear legal roadblock to charging felonies for unintentionally harming pregnancies when women were legally allowed to end their pregnancies through abortion. Now that Roe is gone, that roadblock is entirely gone.”
After the Dobbs decision, President Joe Biden asked the FTC to step up to protect the privacy interests associated with reproductive rights. Without a federal privacy law, the FTC is the only agency with a statutory hook to police this space, thanks to Section 5 of the FTC Act. As Vox reported in June, Biden told the agency it “should not tolerate unfair or deceptive practices related to reporting, surveillance, sharing or sale of personal information — including sensitive health-related information — in any state.”
You might be thinking: If the U.S. had a federal privacy law, would this be an issue? Wouldn’t that help? And you wouldn’t be wrong. The FTC called for U.S. privacy laws to protect Americans in its amended lawsuit against Kochava.
But, you know, Congress.
The case history: A back-and-forth
August 2022: The FTC files its lawsuit in federal district court against Kochava to stop its sale of sensitive geolocation data and mandate deletion.
October 2022: Kochava moves to dismiss the FTC’s lawsuit.
May 2023: The court dismisses the lawsuit, finding that the FTC hadn’t alleged a “significant risk of concrete harm,” but granted the FTC leave to refile its complaint and try to make those allegations.
June 2023: The FTC amends its lawsuit to highlight the identifiability of the data and to cite specific examples of additional consumer insights Kochava infers from their locations, like gender, race, or political affiliation.
July 2023: Kochava asks the court to dismiss the amended complaint.
February 2024: The court rules against Kochava, and the FTC’s lawsuit can proceed.
Why does the Kochava case matter?
Everyone has a cell phone, and our phones are gold to an industry desperate for details about what we like, who we are, and where we go. Kochava is one of about 4,000 players in the data broker industry, worth about $200 billion annually, by some estimates.
This case is a warning that what’s been common practice among data aggregators is now much riskier business, mainly because if Kochava eventually settles or loses the case, it must delete the data it’s been cashing in on. That’s a significant loss!
It also suggests that courts are more willing to consider a wider range of potential harms. That matters because the threshold for establishing privacy harm has often posed a mammoth hurdle for plaintiffs to clear. If the harm is the data collection itself, what does that mean for an industry utterly reliant on collecting it?
I’d also think about whether you’ve got data brokers within your ecosystem, and if so, if you’re certain they’ve gathered consent on any data they’ve shared with you. You know?! Third-party risk management, peeps.
For now, we wait to see if the FTC comes out with a victory in the end.
Additional resources on the Kochava case:
The FTC’s original complaint from 2022
The FTC’s refiled complaint from 2023
Lawfare’s piece on the refiled complaint
This blog by Cobun Zweifel-Keegan, J.D., CIPP/US, CIPM