
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Settlement Resolves FTC Lawsuit Against Kochava Over Sale of Geolocation Data

A settlement has been reached between the Federal Trade Commission (FTC) and the Idaho-based data broker Kochava and its subsidiary Collective Data Solutions to end long-running litigation over the sale of precise geolocation data.

Kochava sells a range of data to its customers, which includes comprehensive consumer profiles and geolocation data. Kochava claims to be able to pinpoint an individual’s precise location to around 10 meters through GPS coordinates and other signals, which could be tied to an individual through a unique ID associated with their mobile device. Shortly after the Supreme Court decision that overturned Roe v. Wade and removed the federal right to an abortion, the FTC launched an investigation. The investigation prompted an August 2022 lawsuit, in which the FTC alleged that Kochava was selling consumers’ precise geolocation data that was collected without consumers’ knowledge or consent.

The FTC alleged that the data provided by Kochava could be used to track the movements of individuals visiting sensitive locations such as reproductive healthcare facilities, hospitals, places of worship, and refuges for victims of domestic abuse. The FTC claimed that the sale of the data violated consumer privacy and put consumers at risk of suffering secondary harms such as discrimination, stigma, emotional distress, and physical violence. Kochava continues to deny any wrongdoing and maintains it has “always operated consistently and proactively in compliance with all rules and laws, including those specific to privacy.” Further, Kochava has implemented a Privacy Block feature that blocks geolocation data from sensitive locations.

Kochava’s motion to dismiss the initial FTC lawsuit was successful. The FTC’s lawsuit was dismissed by a federal judge in 2023, who ruled that the FTC had failed to establish that Kochava’s business practices constituted a substantial injury to consumers. The FTC filed an amended complaint in June 2023, which Kochava also sought to have dismissed, although the same judge denied that motion in early 2024. Kochava vowed to continue to fight the lawsuit; however, a settlement has now been reached with the FTC to resolve the lawsuit.


The proposed consent order requires Kochava to stop “selling, licensing, transferring, sharing or disclosing sensitive location data in any products or services unless they obtain a consumer’s affirmative express consent and the data is used to provide a service directly requested by the consumer.” Kochava must develop, implement, and maintain a sensitive location data program. That requires the development of a comprehensive list of sensitive locations, and prevents the sale, licensing, transfer, sharing, or disclosure of that data.

Consumers will be given the right to request the name of any business or individual that has been sold geolocation data, and Kochava must provide an easy way for consumers to withdraw their consent to the sale of their geolocation data. At least every three months, Kochava must verify that Collective Data Solutions and Kochava itself have obtained consumers’ express consent to collect geolocation data. Kochava is also required to establish a data retention schedule and ensure the deletion of data within an established timeframe. Should Kochava determine that there has been a third-party incident involving the sharing of geolocation data in violation of contractual requirements, the FTC must be notified within 30 days. The consent order was approved by the FTC in a 2-0 vote and now awaits sign-off by a U.S. District Court Judge.

February 13, 2025: FTC’s Amended Complaint Against Kochava Survives Motion to Dismiss

An amended Federal Trade Commission (FTC) complaint against the data broker Kochava has survived a motion to dismiss. Idaho District Court Judge B. Lynn Winmill dismissed the first FTC complaint in May 2022, as the FTC failed to establish that the business practices of Kochava constituted a substantial injury to consumers. In dismissing the complaint, Judge Winmill permitted the FTC to file an amended complaint, which the FTC did in June 2023.

In its complaints, the FTC accused Kochava of invading consumers’ privacy and exposing them to risk by selling their precise geolocation information and other sensitive data to third parties. Geolocation data reveals consumers’ visits to sensitive locations such as abortion clinics, places of worship, addiction treatment facilities, and shelters for survivors of domestic abuse. The FTC explained in its complaint that Kochava obtains sensitive data from other data brokers and does not interact directly with consumers; however, the data amassed by Kochava and sold through its Kochava Collective product is highly granular and contains detailed information about the precise movements of consumers.

The precise geolocation information is obtained from mobile phones, which are associated with a persistent and individual identifier. The geolocation data includes consumers’ movements over days, weeks, months, or even years and is accurate to a few meters. As such, it is possible to tell which buildings consumers are in, and in some cases, even the room they are in. The data sold by Kochava directly links to the geolocation data and can include information such as names, addresses, email addresses, and phone numbers. Kochava also collects and sells enormous amounts of additional private and sensitive information of consumers.

Kochava sells data in different forms in the Kochava Collective, which includes precise geolocation data, a comprehensive profile of individual consumers (database graph), tracking consumers’ uses of mobile apps (App Graph), and audience segments, which categorize consumers based on identified sensitive and personal characteristics and attributes. The FTC explained in the amended complaint that Kochava’s customers can and do purchase that data and provided an example of the level of detailed information that can be purchased. “Kochava’s data identifies, for example, a woman who visits a particular building, the woman’s name, email address, and home address, and whether the woman is African-American, a parent (and if so, how many children), or has an app identifying symptoms of cancer on her phone.” The FTC said Kochava makes it clear to potential buyers that the purpose of the Kochava Collective is to sell this level of granular consumer data.

The FTC alleges that the sale of this information harms consumers in two ways. First, consumers are put at risk of suffering secondary harms such as discrimination, stigma, emotional distress, and physical violence; second, it invades their privacy. While the initial complaint failed to sufficiently allege a substantial injury, Judge Winmill ruled that the FTC included sufficient facts in its amended complaint to support both types of harm, and the detail was sufficient to satisfy the liberal plausibility standard that the alleged practices of Kochava may violate Section 5 of the FTC Act, which covers unfair business practices.

While Kochava’s motion to dismiss was denied, the company still believes that it will prevail. A spokesperson for Kochava said, “Kochava has always operated consistently and proactively in compliance with all rules and laws, including those specific to privacy.” Prior to the FTC complaint being filed, Kochava had already implemented measures to protect consumer privacy, including implementing the Privacy Block feature, which blocks geolocation data from sensitive locations such as those stated in the FTC complaint.

The FTC has been pursuing data brokers over the sale of sensitive data to third parties and recently announced settlements with X-Mode Social/Outlogic and InMarket Media, which the FTC claims have put companies on notice that the period of unchecked monetization and surveillance of consumers’ sensitive data is over.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
