HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

FTC Sues Kochava Over Unlawful Collection and Sale of Sensitive Geolocation Data

The Federal Trade Commission (FTC) has sued the Idaho-based data broker Kochava for unlawfully collecting and selling the sensitive data of mobile users, in violation of the FTC Act. According to the lawsuit, Kochava has been collecting and selling consumers’ precise geolocation data along with information that allows individuals to be identified. The location data is accompanied by a Mobile Advertising ID (MAID), which is a unique identifier that is assigned to a consumer’s mobile device for advertising purposes. While it is possible for individuals to change the MAID, doing so requires a consumer to proactively reset the MAID on their mobile device.

Kochava’s customers can purchase a license to receive feeds of premium data that include timestamped latitude and longitude coordinates showing the location of mobile devices along with unique identifiers. The data is used for a variety of purposes, including for advertising and tracking foot traffic into retail outlets. While Kochava customers must pay a subscription to access the data, a sample of the data is provided free of charge that requires minimal steps to access – signing up for a free AWS account and receiving approval to access the sample from Kochava. No restrictions are placed on usage of the sample data. The sample spans a 7-day period, with the FTC stating in the lawsuit that one day’s worth of data in the free sample included 327,480,000 rows, 11 columns, and the data collected from more than 61,803,400 unique mobile devices.

“By plotting the latitude and longitude coordinates included in the Kochava data stream using publicly available map programs, it is possible to identify which consumers’ mobile devices visited reproductive health clinics,” said the FTC in the lawsuit. “Further, because each set of coordinates is time-stamped, it is also possible to identify when a mobile device visited the location. Similar methods may be used to trace consumers’ visits to other sensitive locations.” The FTC says some data brokers advertise services that match MAIDS with consumers’ names and physical addresses, although it would be possible to identify individuals without using those services based on the dwell time and frequency of visits to certain locations and from public records.

The FTC says Kochava has not implemented any technical controls to prohibit its customers from identifying consumers or tracking visits to sensitive locations, such as using blacklists to remove location data when individuals visit sensitive locations such as abortion clinics, mental healthcare providers, and addiction treatment centers. The FTC’s analysis of the data sample determined that one device had visited a women’s reproductive health center and revealed that individual’s family residence.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The FTC alleges that the sale of sensitive geolocation data represents an unwarranted intrusion on the private lives of consumers and is likely to cause substantial injury. The lawsuit alleges Kochava’s business practices constitute unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45(a), and that consumers are suffering, have suffered, and will continue to suffer substantial injury as a result of Kochava’s FTC Act violations. The lawsuit is seeking an end to the sale of sensitive geolocation information and the deletion of all sensitive location data that Kochava has collected.

Earlier this month, Kochava filed a lawsuit in an attempt to counter the FTC lawsuit, in which the company stated that it had implemented a new feature on August 10, 2022, dubbed Privacy Block, which removes sensitive location data from its marketplace, including location data indicating visits to healthcare providers.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.