On August 16, this site noted that Kochava was suing the Federal Trade Commission in response to a proposed injunction.
Today, the FTC announced it was suing Kochava:
The Federal Trade Commission filed a lawsuit against data broker Kochava Inc. for selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations. Kochava’s data can reveal people’s visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities. The FTC alleges that by selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence. The FTC’s lawsuit seeks to halt Kochava’s sale of sensitive geolocation data and require the company to delete the sensitive geolocation information it has collected.
“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”
Idaho-based Kochava purchases vast troves of location information derived from hundreds of millions of mobile devices. The information is packaged into customized data feeds that match unique mobile device identification numbers with timestamped latitude and longitude locations. According to Kochava, these data feeds can be used to assist clients in advertising and analyzing foot traffic at their stores and other locations. People are often unaware that their location data is being purchased and shared by Kochava and have no control over its sale or use.
In a complaint filed against Kochava, the FTC alleges that the company’s customized data feeds allow purchasers to identify and track specific mobile device users. For example, the location of a mobile device at night is likely the user’s home address and could be combined with property records to uncover their identity. In fact, the data broker has touted identifying households as one of the possible uses of its data in some marketing materials.
According to the FTC’s complaint, Kochava’s sale of geolocation data puts consumers at significant risk. The company’s data allows purchasers to track people at sensitive locations that could reveal information about their personal health decisions, religious beliefs, and steps they are taking to protect themselves from abusers. The release of this data could expose them to stigma, discrimination, physical violence, emotional distress, and other harms.
The FTC alleges that Kochava fails to adequately protect its data from public exposure. Until at least June 2022, Kochava allowed anyone with little effort to obtain a large sample of sensitive data and use it without restriction. The data sample the FTC examined included precise, timestamped location data collected from more than 61 million unique mobile devices in the previous week. Using Kochava’s publicly available data sample, the FTC complaint details how it is possible to identify and track people at sensitive locations such as:
- Reproductive health clinics: The data could be used to identify people who have visited a reproductive health clinic and therefore expose their private medical decisions. Using the data sample, it is possible to track a mobile device from a reproductive health clinic to a single-family residence to other places routinely visited. The data may also be used to identify medical professionals who perform, or assist in the performance, of reproductive health services.
- Places of worship: The data could be used to track consumers to places of worship, and thus reveal the religious beliefs and practices of consumers. The data sample identifies mobile devices that were located at Jewish, Christian, Islamic, and other religious denominations’ places of worship.
- Homeless and domestic violence shelters: The data could be used to track consumers who visited a homeless shelter, domestic violence shelter, or other facilities directed to at-risk populations. This information could reveal the location of people who are escaping domestic violence or other crimes. The data sample identifies a mobile device that appears to have spent the night at a temporary shelter whose mission is to provide residence for at-risk, pregnant young women or new mothers. In addition, because Kochava’s data allows its customers to track people over time, the data could be used to identify their past conditions, such as homelessness.
- Addiction recovery centers: The data could be used to track consumers who have visited addiction recovery centers. The data could show how long consumers stayed at the center and whether a consumer potentially relapses and returns to a recovery center.
Protecting sensitive consumer data, including geolocation and health data, is a top priority for the FTC. This month, the FTC announced that it is exploring rules to crack down on harmful commercial surveillance practices that collect, analyze, and profit from information about people. In July, the FTC warned businesses that the agency intends to enforce the law against the illegal use and sharing of highly sensitive consumer data, including sensitive health data. Last year, the FTC issued a policy statement warning health apps and connected devices that collect or use consumers’ health information that they must notify consumers and others when that data is breached as required by the Health Breach Notification Rule. In 2021, the agency also took action against the fertility app Flo Health for sharing sensitive health data with third parties.
The Commission vote authorizing the staff to file the complaint against Kochava was 4-1. Commissioner Noah Joshua Phillips voted no. The complaint was filed in the U.S. District Court for the District of Idaho.
NOTE: The Commission files a complaint when it has “reason to believe” that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest. The case will be decided by the court.
The public can read Kochava’s complaint against the FTC courtesy of Bloomberg. In relevant part, its response to the FTC’s then-proposed injunction states:
The FTC’s allegations regarding Kochava’s alleged business practices illustrate a lack of understanding of Kochava’s services. As part of its Collective services, Kochava does not uniquely identify users, but collects Mobile Advertising Identifier (MAID) information and links it to hashed emails and primary IP addresses in relation to Kochava’s Data Marketplace. Although the Kochava Collective collects latitude and longitude, IP address and MAID associated with a consumer’s device, Kochava does not receive these data elements until days after (unlike a GPS tool, for instance), Kochava does not identify the location associated with latitude and longitude, nor does Kochava identify the consumer associated with the MAID. As such, Kochava does not collect, then subsequently sell data compilation that allows one to track a specific individual to a specific location. Even if an injury to the consumer did indeed occur, it is reasonably avoidable by the consumer themselves by way the opt-out provision to allow the data collection. In other words, the consumer agreed to share its location data with an app developer. As such, the consumer should reasonably expect that this data will contain the consumer’s locations, even locations which the consumer deems is sensitive. Prior to the data collection, a disclaimer or a warning was also provided to a consumer regarding collection of data from all locations, including sensitive ones.