On August 29, 2022, the Federal Trade Commission (FTC) announced that it had filed a complaint against Kochava, Inc. (“Kochava”), a digital marketing and analytics firm, seeking an order halting Kochava’s alleged acquisition and downstream sale of “massive amounts” of precise geolocation data collected from consumers’ mobile devices.

The complaint alleges that the data is collected in a format that would allow third parties to track consumers’ movements to and from sensitive locations, including those related to reproductive health, places of worship, and their private residences, among others.  The FTC alleged that “consumers have no insight into how this data is used” and that they do not typically know that inferences about them and their behaviors will be drawn from this information.  The FTC claimed that the sale or license of this sensitive data, which could present an “unwarranted intrusion” into personal privacy, was an unfair business practice under Section 5 of the FTC Act.

In the complaint, the FTC alleged that Kochava, in its role as a data broker, collects a wealth of information about consumers and their mobile devices by, among other means, purchasing data from outside entities to sell to its own customers.  According to the complaint, precise geolocation data is timestamped and associated with a “device_id_value,” also known as a Mobile Advertising ID (“MAID”).  The FTC also alleged that the location data provided by Kochava to its customers was not anonymized and that it was possible, using third party services, to use the geolocation data combined with the MAID to identify a mobile device user or owner. According to the complaint, the amount of location data was substantial in scope: “[Kochava’s] location data feed ‘delivers raw latitude/longitude data with volumes around 94B+ geo transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device.’” Given the precise nature of the data, the FTC asserts that the data may be used to track consumers to sensitive locations and poses an unwarranted privacy risk likely to cause substantial injury to consumers, thus constituting an unfair business practice. The agency is asking for a permanent injunction barring Kochava from the unfair sale of sensitive data and requiring Kochava to delete the sensitive geolocation information it has collected.

This enforcement was not unexpected as the FTC complaint was filed about two weeks after settlement negotiations between the agency and Kochava appeared to falter. At that time, on August 12, 2022, Kochava filed a preemptive declaratory judgment action against the FTC in Idaho district court.  The filing sought various relief, including an order stating that Kochava’s practice of location data collection was not an unfair practice under Section 5 of the FTC Act.  In its complaint, Kochava, among other things, denies that the mobile location data that it acquires can be used to identify people and track them to sensitive locations or that Kochava employs no technical controls to prohibit its customers from identifying consumers or tracking them to sensitive locations. For example, in its pleading, Kochava refers to a consumer’s right to opt-out of locational data collection and claimed to have developed a “Privacy Block” which removes health services location data from the Kochava data marketplace.

As we’ve previously discussed in a prior post, it is likely that there will be more scrutiny of the collection and use of location data in general, beyond reproductive health privacy concerns, a fact borne out by the complaint against Kochava.  With the FTC sharpening its focus regarding practices related to the collection, use and sale of mobile location data, it’s possible we will see additional enforcement actions in the coming months.  And until a comprehensive federal data privacy law is passed (note: the so-called bipartisan ADPPA is still being debated in the Senate), the federal lead in regulation over data privacy will sit with the FTC (under its existing authority). In this current regulatory environment, that means all eyes will be on the location data collection practices of mobile app and software development kit (SDK) developers, app publishers and digital advertising firms, to name a few.

Moreover, for companies that acquire geolocation data or related data analytics, due diligence about how and where the data was collected remains vital to ensure that the information being offered by outside data analytics firms complies with applicable laws and regulations. (In statements reported after the FTC complaint was filed, Kochava claimed that it complies with all laws and that the location data it acquires comes from outside brokers who represent that such information is obtained with consumer consent.)

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jeffrey Neuburger Jeffrey Neuburger

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise…

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise, combined with his professional experience at General Electric and academic experience in computer science, makes him a leader in the field.

As one of the architects of the technology law discipline, Jeff continues to lead on a range of business-critical transactions involving the use of emerging technology and distribution methods. For example, Jeff has become one of the foremost private practice lawyers in the country for the implementation of blockchain-based technology solutions, helping clients in a wide variety of industries capture the business opportunities presented by the rapid evolution of blockchain. He is a member of the New York State Bar Association’s Task Force on Emerging Digital Finance and Currency.

Jeff counsels on a variety of e-commerce, social media and advertising matters; represents many organizations in large infrastructure-related projects, such as outsourcing, technology acquisitions, cloud computing initiatives and related services agreements; advises on the implementation of biometric technology; and represents clients on a wide range of data aggregation, privacy and data security matters. In addition, Jeff assists clients on a wide range of issues related to intellectual property and publishing matters in the context of both technology-based applications and traditional media.

Photo of Jonathan Mollod Jonathan Mollod

Jonathan P. Mollod is an attorney and content editor and a part of the firm’s Technology, Media and Telecommunications (TMT) Group. Jonathan earned his J.D. from Vanderbilt Law School. He focuses on issues involving technology, media, intellectual property and licensing issues and general…

Jonathan P. Mollod is an attorney and content editor and a part of the firm’s Technology, Media and Telecommunications (TMT) Group. Jonathan earned his J.D. from Vanderbilt Law School. He focuses on issues involving technology, media, intellectual property and licensing issues and general online/tech law issues of the day.