The Federal Trade Commission (FTC) has long expressed a concern about the potential misuse of location data. For example, in a 2022 blog post, “Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data,” the agency termed the entire location data ecosystem “opaque” and has investigated the practices and brought enforcement actions against mobile app operators and data brokers with respect to sensitive data.
One such FTC enforcement began with an August 2022 complaint against Kochava, Inc. (“Kochava”), a digital marketing and analytics firm, seeking an order halting Kochava’s alleged acquisition and downstream sale of “massive amounts” of precise geolocation data collected from consumers’ mobile devices. In that complaint, the FTC alleged that Kochava, in its role as a data broker, collects a wealth of information about consumers and their mobile devices by, among other means, purchasing data from outside entities to sell to its own customers. Among other things, the FTC alleged that the location data provided by Kochava to its customers was not anonymized and that it was possible, using third party services, to use the geolocation data combined with other information to identify a mobile device user or owner.
In May 2023, an Idaho district court granted Kochava’s motion to dismiss the FTC’s complaint, with leave to amend. Subsequently, the FTC filed an amended complaint, and Kochava requested that the court keep the amended complaint under seal, which it did until it could rule on the merits of the parties’ arguments.
On November 3, 2023, the court granted the FTC’s motion to unseal the amended complaint, finding no “compelling reason” to keep the amended complaint under seal and rejecting Kochava’s arguments that the amended complaint’s allegations were “knowingly false” or “misleading.” (FTC v. Kochava Inc., No. 22-00377 (D. Idaho Nov. 3, 2023)). As a result, the FTC’s amended complaint has been unsealed to the public.
The unsealed complaint includes additional details about Kochava’s alleged unlawful practices surrounding location data. For example, the complaint amplifies the FTC’s allegations about Kochava’s collection of consumers’ precise mobile geolocation data and asserts that Kochava’s data “is used to trace consumers’ movements over a day, week, month, and even year, including to locations that are sensitive and personal” and that such data is “not anonymous” and “can be, and is, used to track and identify individual consumers.”
Other allegations in the amended complaint paint a more elaborate picture of Kochava’s data practices including an allegation that “Kochava collects, uses, and discloses massive amounts of information about consumers.” The amended complaint also asserts that in addition to precise location data, Kochava allegedly “amasses and discloses a staggering amount of sensitive and identifying information about consumers,” including “names, MAIDs, addresses, phone numbers, email addresses, gender, age, ethnicity, yearly income, ‘economic stability,’ marital status, education level, political affiliation, ‘app affinity’ (i.e. what apps consumers have installed on their phones), app usage, and “interests and behaviors” – what the complaint calls Kochava’s marketed “360-degree perspective” on consumers.
In all, the FTC generally alleges Kochava “sells data in several different forms” in its mobile data marketplace and that “Kochava uses records of consumers’ precise geolocation over time to categorize consumers into audience segments and then sell lists of consumers to others with promises that the details revealed by consumers’ movements will assist the third parties to identify and target individual consumers.” All of this is done, according to the FTC, “without consumers’ knowledge or consent.”
Not surprisingly, Kochava, in its opposition to the unsealing of the amended complaint, has claimed that many of the allegations in the amended complaint are misleading (or that the FTC’s claims do not sufficiently describe how its data products are packaged or how customers use discrete Kochava datasets) or are otherwise foreclosed by Kochava’s subsequent implementation of a Privacy Block feature following the FTC’s initial investigation. The case is ongoing, so discovery and further proceedings will presumably clarify the parties’ positions.
We will continue to watch this enforcement action and Kochava’s counterarguments closely. Regardless of the outcome, for companies that acquire geolocation data or related data analytics, due diligence about how and where the data was collected remains important to ensure that the information being offered by outside data analytics firms complies with applicable laws and regulations.