HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Digital Marketing and Analytics Company Files Lawsuit Against FTC Over Alleged Privacy Violations

A lawsuit has been filed against the Federal Trade Commission by an Idaho-based digital marketing and analytics company, which is alleged to have violated the Federal Trade Commission (FTC) Act with its data practices.

Kochava’s primary business unit provides mobile advertising attribution through customizable software tools, which are provided under the software-as-a-service model. The software allows its customers to obtain data points and analytics for digital marketing campaigns and applications. The second business unit is an aggregator of third-party provided mobile device data, which Kochava makes available through its data marketplace, the Kochava Collective.

Following the Supreme Court’s decision to overturn Wade v. Roe, privacy advocates have voiced their concern about the potential for data brokers and law enforcement in some states to collect information about individuals who visit reproductive health clinics to seek advice about abortions.  Shortly after the Supreme Court’s decision, the FTC announced its commitment to fully enforce the law against the illegal use and sharing of highly sensitive data, such as the collection and use of consumer location data and illegal privacy practices with respect to reproductive healthcare data.

The Kochava Collective provides data feeds and audience targeting to clients for marketing purposes. The FTC alleges the Kochava Collective provides precise geolocation data that is associated with Mobile Advertising Identifiers (MAIDs), which means it is possible to identify and track consumers when they visit sensitive locations such as reproductive health clinics, therapist’s offices, medical facilities, and addiction recovery centers.  The FTC also alleges that the data is time-stamped, so it is possible to tell exactly when an individual visited a location and that there are no technical controls in place to prohibit Kochava’s customers from tracking consumers when they visit those locations. The collection of latitude and longitude, IP address, and mobile advertising identifier information associated with consumers’ devices is a violation of the FTC Act, according to the FTC, which is seeking a permanent injunction against Kochava to prevent future FTC Act violations.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Kochava denies that its data can be used by its customers to identify and track individuals and claims that the FTC has misunderstood the services it provides. Kochava maintains that while the FTC is correct with respect to the collection of latitude and longitude, IP addresses, and MAIDS associated with consumer devices, those data elements are not received until days afterward, and the specific locations and consumers associated with MAIDs are not linked. Further, Kochava explains in the lawsuit that the FTC is wrong in its view that there are no technical controls in place to prevent its customers from tracking consumers when they visit sensitive locations. Kochava said it introduced a new capability on August 10, 2022, called Privacy Block, which allows its clients to shut off the collection of sensitive location data such as visits to healthcare providers.

Kochava maintains that it “operates consistently and proactively in compliance with all rules and laws, including those specific to privacy,” and that the FTC has threatened the company with a District Court lawsuit and a proposed settlement when both the lawsuit and settlement are based on inaccurate information. Kochava also alleges the FTC is overstepping its legal authority to enforce the FTC Act and is attempting to make the company a scapegoat in order to set a precedent across the ad tech industry. Kochava files the lawsuit to get the Idaho Federal Court to intervene.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.