Since the start of the year, the Federal Trade Commission (FTC) has brought actions against – and reached proposed settlements with[1] – three business ventures engaged in the collection, use and sharing of certain consumer information.
geolocation data
In Amended Complaint, FTC Alleges Kochava, a Data Broker, Is Collecting, Using and Disclosing “Massive Amounts” of Precise Geolocation Data
The Federal Trade Commission (FTC) has long expressed a concern about the potential misuse of location data. For example, in a 2022 blog post, “Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data,” the agency termed the entire location data ecosystem “opaque” and has investigated the practices and brought enforcement actions against mobile app operators and data brokers with respect to sensitive data.
One such FTC enforcement began with an August 2022 complaint against Kochava, Inc. (“Kochava”), a digital marketing and analytics firm, seeking an order halting Kochava’s alleged acquisition and downstream sale of “massive amounts” of precise geolocation data collected from consumers’ mobile devices. In that complaint, the FTC alleged that Kochava, in its role as a data broker, collects a wealth of information about consumers and their mobile devices by, among other means, purchasing data from outside entities to sell to its own customers. Among other things, the FTC alleged that the location data provided by Kochava to its customers was not anonymized and that it was possible, using third party services, to use the geolocation data combined with other information to identify a mobile device user or owner.
In May 2023, an Idaho district court granted Kochava’s motion to dismiss the FTC’s complaint, with leave to amend. Subsequently, the FTC filed an amended complaint, and Kochava requested that the court keep the amended complaint under seal, which it did until it could rule on the merits of the parties’ arguments.
On November 3, 2023, the court granted the FTC’s motion to unseal the amended complaint, finding no “compelling reason” to keep the amended complaint under seal and rejecting Kochava’s arguments that the amended complaint’s allegations were “knowingly false” or “misleading.” (FTC v. Kochava Inc., No. 22-00377 (D. Idaho Nov. 3, 2023)). As a result, the FTC’s amended complaint has been unsealed to the public.
FTC Sues Data Provider over the Collection and Sale of Geolocation Data
On August 29, 2022, the Federal Trade Commission (FTC) announced that it had filed a complaint against Kochava, Inc. (“Kochava”), a digital marketing and analytics firm, seeking an order halting Kochava’s alleged acquisition and downstream sale of “massive amounts” of precise geolocation data collected from consumers’ mobile devices.
The complaint alleges that the data is collected in a format that would allow third parties to track consumers’ movements to and from sensitive locations, including those related to reproductive health, places of worship, and their private residences, among others. The FTC alleged that “consumers have no insight into how this data is used” and that they do not typically know that inferences about them and their behaviors will be drawn from this information. The FTC claimed that the sale or license of this sensitive data, which could present an “unwarranted intrusion” into personal privacy, was an unfair business practice under Section 5 of the FTC Act.
FTC Blog Post Highlights Regulatory Focus on Collection of Location and Health Data
On July 11, 2022, the Federal Trade Commission (FTC) published “Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data,” on its Business Blog. The blog post is likely related to an Executive Order (the “EO”) signed by President Biden in the wake of the Supreme Court’s Dobbs decision. Among other things, the EO directed the FTC to consider taking steps to protect consumers’ privacy when seeking information about and related to the provision of reproductive health care services.
While this latest drumbeat on this issue came from the FTC, we expect to see attention to this issue by other regulators, including, perhaps, the Department of Justice as well as state attorneys general.
Although the FTC post centers on location data and reproductive health services, it is likely that there will be more scrutiny of the collection and use of location data in general. This renewed focus will potentially subject a wide group of digital ecosystem participants to increased attention. The spotlight will likely fall on interactive platforms, app publishers, software development kit (SDK) developers, data brokers and data analytics firms – over practices concerning the collection, sharing and perceived misuse of data generally.
Senator Warren Introduces Bill to Ban the Sale of Location and Health Data
On June 15, 2022, Senator Elizabeth Warren introduced a bill, cosponsored by a host of other Democratic and independent Senators, the “Health and Location Data Protection Act of 2022,” which, subject to a few exceptions, would, among other things, prohibit the selling, sharing or transferring location data and health data. The bill gives the Federal Trade Commission (FTC) rulemaking and enforcement authority for violations of the law and also grants state attorneys general the right to bring actions; notably, the law would also give a private right of action to persons adversely affected by a violation of the proposed law.
Mobile Platforms to Block Data Broker from Collecting User Location Data
On December 9, 2020, the Wall Street Journal reported that Apple and Google will block the data broker X-Mode Social Inc. (“X-Mode”) from collecting location data from iPhone and Android users. Apple and Google have reportedly informed app developers to remove the X-Mode social tracking SDK from all of their apps within a short period of time or risk removal from the platforms’ app stores. This action apparently was prompted by reports that X-Mode was selling location data to certain defense contractors and government entities.
The WSJ report suggests that Apple and Google notified Senator Ron Wyden about this action. Senator Wyden and a group of other Senators have been soliciting government inquiries over the last several months into the sale of location data to government contractors and agencies. It is Senator Wyden’s position that such sales of users’ location data by commercial data brokers to government entities are unlawful without a warrant (citing the Supreme Court case, Carpenter v. United States, 138 S.Ct. 2206 (2018), which held that the acquisition of cell-site location information was a Fourth Amendment search).
Senator Wyden’s scrutiny over such practices does not seem to be limited to sale of location data to government sources, but more so toward the wider data tracking ecosystem. He was one of the senators that earlier this year sent a letter to FTC Chairman Joseph J. Simons urging the agency to investigate whether analytics firm Yodlee’s financial data collection practices were violating the FTC Act (a request which led to at least one civil investigative demand being issued by the FTC to Yodlee and a putative class action suit over such practices). In the WSJ article, Wyden is quoted as stating: “Apple and Google deserve credit for doing the right thing and exiling X-Mode Social, the most high-profile tracking company, from their app stores. But there’s still far more work to be done to protect Americans’ privacy, including rooting out the many other data brokers that are siphoning data from Americans’ phones.”