On August 29, 2022, the Federal Trade Commission (FTC) announced that it had filed a complaint against Kochava, Inc. (“Kochava”), a digital marketing and analytics firm, seeking an order halting Kochava’s alleged acquisition and downstream sale of “massive amounts” of precise geolocation data collected from consumers’ mobile devices.
The complaint alleges that the data is collected in a format that would allow third parties to track consumers’ movements to and from sensitive locations, including those related to reproductive health, places of worship, and their private residences, among others. The FTC alleged that “consumers have no insight into how this data is used” and that they do not typically know that inferences about them and their behaviors will be drawn from this information. The FTC claimed that the sale or license of this sensitive data, which could present an “unwarranted intrusion” into personal privacy, was an unfair business practice under Section 5 of the FTC Act.
In the complaint, the FTC alleged that Kochava, in its role as a data broker, collects a wealth of information about consumers and their mobile devices by, among other means, purchasing data from outside entities to sell to its own customers. According to the complaint, precise geolocation data is timestamped and associated with a “device_id_value,” also known as a Mobile Advertising ID (“MAID”). The FTC also alleged that the location data provided by Kochava to its customers was not anonymized and that it was possible, using third party services, to use the geolocation data combined with the MAID to identify a mobile device user or owner. According to the complaint, the amount of location data was substantial in scope: “[Kochava’s] location data feed ‘delivers raw latitude/longitude data with volumes around 94B+ geo transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device.’” Given the precise nature of the data, the FTC asserts that the data may be used to track consumers to sensitive locations and poses an unwarranted privacy risk likely to cause substantial injury to consumers, thus constituting an unfair business practice. The agency is asking for a permanent injunction barring Kochava from the unfair sale of sensitive data and requiring Kochava to delete the sensitive geolocation information it has collected.
This enforcement was not unexpected as the FTC complaint was filed about two weeks after settlement negotiations between the agency and Kochava appeared to falter. At that time, on August 12, 2022, Kochava filed a preemptive declaratory judgment action against the FTC in Idaho district court. The filing sought various relief, including an order stating that Kochava’s practice of location data collection was not an unfair practice under Section 5 of the FTC Act. In its complaint, Kochava, among other things, denies that the mobile location data that it acquires can be used to identify people and track them to sensitive locations or that Kochava employs no technical controls to prohibit its customers from identifying consumers or tracking them to sensitive locations. For example, in its pleading, Kochava refers to a consumer’s right to opt-out of locational data collection and claimed to have developed a “Privacy Block” which removes health services location data from the Kochava data marketplace.
As we’ve previously discussed in a prior post, it is likely that there will be more scrutiny of the collection and use of location data in general, beyond reproductive health privacy concerns, a fact borne out by the complaint against Kochava. With the FTC sharpening its focus regarding practices related to the collection, use and sale of mobile location data, it’s possible we will see additional enforcement actions in the coming months. And until a comprehensive federal data privacy law is passed (note: the so-called bipartisan ADPPA is still being debated in the Senate), the federal lead in regulation over data privacy will sit with the FTC (under its existing authority). In this current regulatory environment, that means all eyes will be on the location data collection practices of mobile app and software development kit (SDK) developers, app publishers and digital advertising firms, to name a few.
Moreover, for companies that acquire geolocation data or related data analytics, due diligence about how and where the data was collected remains vital to ensure that the information being offered by outside data analytics firms complies with applicable laws and regulations. (In statements reported after the FTC complaint was filed, Kochava claimed that it complies with all laws and that the location data it acquires comes from outside brokers who represent that such information is obtained with consumer consent.)