The Federal Trade Commission filed a lawsuit Monday against data broker Kochava, alleging the company sold geolocation information from hundreds of millions of mobile devices — often without user permission — that could reveal individual’s sensitive behaviors, including visits to reproductive health clinics.
“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”
The lawsuit demonstrates how the agency has responded to a July request from the Biden administration to use its authorities to protect reproductive privacy.
An FTC press release claims that by using a data sample from Kochava it would be possible to track an individual from a visit to a reproductive clinic to their home address. “The data may also be used to identify medical professionals who perform, or assist in the performance, of reproductive health services,” the agency argues.
Such an argument blasts a common defense by many commercial surveillance companies that if data is not directly tied to an identified individual, it is anonymous. The FTC lawsuit reasons that because Kochava sells precise location data tied to advertising identifiers, that data could be combined with other information such as property records to identify exact users. The lawsuit cites Kochava’s own advertising, which suggests that its data could be used for “Household Mapping.”
The lawsuit also alleges that Kochava has taken only minimal steps to restrict public access to this data. The agency reports that until June 2022 it was possible to access with a free AWS Marketplace account the data of 61,803,400 unique mobile identifiers from Kochava.
The FTC is suing to halt Kochava’s sale of the data, which the agency argues “is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence,” and require the company to delete sensitive information it has collected.
Kochava filed a lawsuit earlier this month in an Idaho court in an attempt to block the FTC from acting. The company alleged that the FTC had overreached its authorities and made inaccurate claims about how its technology works.
Kochava maintains that it “operates consistently and proactively in compliance with all rules and laws, including those specific to privacy,” according to a statement provided to CyberScoop by Brian Cox, general manager of Kochava Collective.
Prior to the proceedings Kochava announced a new feature that would block geolocation data from sensitive locations and is currently in the process of adding the function, according to Cox. Cox added that the company had been in communications with the FTC about its concerns.
“It’s disappointing that the agency continues to circumvent the lawmaking process and perpetuate misinformation surrounding data privacy,” Cox said.
The action against Kochava signals what the FTC may have in store for data brokers as it pursues stronger rules for the commercial surveillance industry, a process the agency announced it would explore earlier this month.
“By undertaking this enforcement action they’re making it clear to other players in the industry that this is not a practice that will be tolerated in the future,” said John Davisson, director of litigation and senior counsel at privacy nonprofit Electronic Privacy Information Center.
A successful case against Kochava could held provide a legal basis for rulemaking that establishes the trafficking of location data as an unfair practice, he notes.
“The FTC is bursting the bubble of this idea that you can get away with selling location data based on the flimsy claim that it is de-identified,” he said.
Updated Aug. 9: This story has been updated after initial publication to include a response from Kochava.