FTC Commercial Data Surveillance Crack Down: Kochava Gains a Win in Data Privacy Suit

June 2, 2023

Reading Time : 5 min

On May 4, 2023, an Idaho federal judge ruled that the Federal Trade Commission (FTC) needs stronger assertions of consumer harm in order for its data privacy suit against data broker/mobile analytics provider Kochava Inc. (“Kochava”) to proceed. The court simultaneously found no basis for Kochava’s suit to block the FTC’s enforcement action. The judge sided with Kochava’s argument that the agency had not adequately supported its claim that the company sales of geolocation data constituted unfair conduct under Section 5 of the FTC Act, finding no allegations that the practices “created a ‘significant risk’ of concrete harm.”1 The agency has 30 days to amend the complaint.

Background

On August 29, 2022, the agency had filed suit against Kochava for its alleged unlawful sales of precise geolocation data from hundreds of millions of mobile devices. Coming in the wake of the agency’s warning of a coming crackdown on commercial surveillance, this action reveals much about the agency’s stance toward data broker collection of consumer data, and geolocation data in particular. With this action, and the advance of the FTC’s ambitious commercial surveillance rulemaking effort,2 companies may be in for greater challenges over their use and sharing of consumer data.

According to the FTC’s press release, Kochava’s sales of tracking data, or “sensitive geolocation data,” enabled the identification of individuals, “exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence.”3 With this lawsuit, the FTC seeks to halt Kochava’s sale of sensitive geolocation data, and delete the sensitive geolocation data it has collected so far.

Agency Scrutiny of Data Brokers

As a marketing data broker, Kochava allegedly collects information about consumers, including data collected from hundreds of millions of consumer mobile devices. The FTC alleges that Kochava sells this information to its clients in customized data feeds that match unique mobile device identification numbers with timestamped latitude and longitude locations.4 Kochava allegedly made this data available to clients for a monthly subscription fee, along with a free sample,5 enabling clients to improve their advertising with analysis of foot traffic, user demographics, and other measurements.6

The FTC contends that the precise geolocation data Kochava provided could be used to “track consumers to sensitive locations, including places of religious worship, places that may be used to infer an LGBTQ+ identification, domestic abuse shelters, medical facilities, and welfare and homeless shelters.”7 Kochava allegedly did not anonymize this timestamped longitudinal and latitudinal data, publicly posting it on the Amazon Web Services Marketplace.

The FTC’s complaint singles out Kochava’s alleged lack of technical controls to prevent identification of customers, pointing out that the company could have used a blacklist to remove or obfuscate location signals around sensitive locations within data sets.8

Unfairness and Geolocation

In its complaint, the FTC argues that the selling of “precise geolocation data associated with unique persistent identifiers that reveal consumers’ visits to sensitive locations” is likely to cause substantial injury to consumers and therefore constitutes an unfair practice under Section 5 of the FTC Act.9 This appears to be an expansion of the agency’s position on precise geolocation data. In a July blog post, the FTC framed precise geolocation data as a sensitive category of data protected by numerous federal and state laws. The December enforcement against OpenX hinged on the collection of children’s location data without parental consent, but did not claim that the act of selling sensitive geolocation data is unfair.

While it does not allege that any actual harm has taken place, the FTC’s complaint claims that Kochava’s practices are likely to cause harm because they “could be used” to identify individual consumers and track them to sensitive locations.10 This was not enough for the court, which found that while substantial secondary harms like discrimination, stigma and violence are theoretically possible, this possibility is not enough of an allegation.11 The judge also ruled that the agency’s other theory of injury over privacy intrusion is insufficient because the alleged intrusion is not “severe enough” to be a substantial consumer injury.12

Takeaways

With this enforcement, it seems that the FTC is adopting an assertive stance on commercial use of sensitive personal data, while looking to widen the net of its authority over unfair practices. Because the FTC did not allege a particular harm to an individual, the issue of harm was always likely to be heavily litigated. With this recent ruling the federal court in Idaho appears to have checked the agency’s expansive view of harm. Regardless of the result, this case will set the tone for enforcement towards the data broker business model. Data brokers, and any businesses dealing in sensitive personal data from consumers (such as precise geolocation data and health data), should examine their data collection, use and disclosure practices, and review their technical, administrative and physical controls.

Please contact a member of Akin’s cybersecurity, privacy and data protection team if you have any questions about this case or how it will affect your company.


1 FTC v. Kochava Inc., Memorandum Decision and Order, 2:22-cv-00377-BLW (May 4, 2023), hereinafter “Decision,” available at https://www.law360.com/articles/1604444/attachments/0.  

2 See Allison Grande, FTC’s Bedoya Defends Need For Broad Privacy Rulemaking, Law360 (September 20, 2022) available at https://www.law360.com/cybersecurity-privacy/articles/1532168/ftc-s-bedoya-defends-need-for-broad-privacy-rulemaking?nl_pk=ab706bad-d60a-426e-a3bd-c41947a91d93&utm_source=newsletter&utm_medium=email&utm_campaign=cybersecurity-privacy&utm_content=2022-09-21.

3  Press Release, FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of Worship, and Other Sensitive Locations, Federal Trade Comm’n (August 29, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-sues-kochava-selling-data-tracks-people-reproductive-health-clinics-places-worship-other.

4 FTC v. Kochava, Inc., Complaint for Permanent Injunction and Other Relief, 2:22-cv-377 (August 29, 2022), hereinafter “Complaint,” available at https://www.ftc.gov/system/files/ftc_gov/pdf/1.%20Complaint.pdf.

5 The free sample, (the “Kochava Data Sample”) was made publicly available with minimal steps and no restrictions on usage, according to the FTC.

6 Complaint at 3.

7 Id. at 6.

8 Id. at 7.

9 Id. at 11; 15 U.S.C. § 45(a), (n).

10 Id. at 8.

11 Decision at 14.

12 Id. at 14-15.

Share This Insight

Previous Entries

Data Dive

March 3, 2025

On January 16, 2025, the Federal Trade Commission (FTC) issued a Final Rule updating the Children’s Online Privacy Protection (COPPA) Rule, significantly expanding compliance obligations for online services that collect, use, or disclose personal information from children under 13.1 The amendments impose new restrictions on targeted advertising, add data security requirements, refine parental consent mechanisms, and introduce additional compliance measures.

...

Read More

Data Dive

February 21, 2025

On January 8, 2025, the DOJ published a final rule prohibiting and restricting certain transactions that could allow persons from countries of concern, such as China, access to bulk sensitive personal data of U.S. citizens or to U.S. government-related data (regardless of volume).

...

Read More

Data Dive

January 22, 2025

On January 17, 2025, days before the inauguration, former President Joe Biden issued an executive order titled Strengthening and Promoting Innovation in the Nation's Cybersecurity (EO 14144). Building on previous efforts, including Executive Order 14028, this directive seeks to bolster cybersecurity across federal systems, supply chains and critical infrastructure from adversarial nations, particularly from the People’s Republic of China (PRC).

...

Read More

Data Dive

January 10, 2025

UPDATE: The California Privacy Protection Agency (CPPA) has extended the deadline for submitting public comments from January 14 to February 19, 2025, in response to the recent California wildfires. This extension aims to afford stakeholders additional time to provide comprehensive and detailed feedback, considering the significant challenges posed by the wildfires.

...

Read More

Data Dive

November 25, 2024

Treasury has issued a Final Rule to implement President Biden’s 2023 EO targeting U.S. investments in Chinese companies engaged in certain activities related to semiconductors, quantum computing or AI.

...

Read More

Data Dive

November 19, 2024

The European Union’s AI Office published the inaugural General-Purpose AI Code of Practice on November 14, 2024. The Code is intended to assist providers of AI models in their preparations for compliance with the forthcoming EU AI Act, to be enforced from August 2, 2025. The Code is designed to be both forward-thinking and globally applicable, addressing the areas of transparency, risk evaluation, technical safeguards and governance. While adherence to the Code is not mandatory, it is anticipated to serve as a means of demonstrating compliance with the obligations under the EU AI Act. Following a consultation period that garnered approximately 430 responses, the AI Office will be empowered to apply these rules, with penalties for nonconformity potentially reaching 3% of worldwide turnover or €15 million. Three additional iterations of the Code are anticipated to be produced within the coming five months.

...

Read More

Data Dive

November 15, 2024

On October 29, 2024, the DOJ issued a proposed rule prohibiting and restricting certain transactions that could allow persons from countries of concern, such as China, access to bulk sensitive personal data of U.S. citizens or to U.S. government-related data (regardless of volume).

...

Read More

Data Dive

October 17, 2024

During the course of any lending transaction, lenders will conduct a due diligence review of the borrower, including reviewing any relevant “know-your-customer” information.

...

Read More

© 2025 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.