The FTC sued data broker Kochava, Inc. in federal district court, alleging their sale and distribution of consumer geolocation data constitutes an unfair act or practice. In the complaint, the FTC takes issue with Kochava’s model of collecting and selling geolocation data from mobile devices where consumers aren’t made fully aware of such activity. More specifically, the FTC asserts that Kochava’s practices are likely to cause substantial harm to consumers because the precise geolocation data can reveal not only consumers’ identities, but also information about potentially sensitive locations they visited, such as abortion clinics, addiction recovery centers, domestic violence shelters, and places of worship.
Mirroring many of the concerns the FTC raised in its blog post earlier this summer about the use and sharing of highly sensitive data related to precise location and health, the complaint highlights several concerns with Kochava’s practices that the FTC alleges will likely cause substantial harm to consumers.
The FTC’s concerns include:
- The sheer quantity of data, which the FTC characterizes as “massive”;
- the use and disclosure of Mobile Advertising ID (MAID), which the FTC asserts can be used in combination with geolocation data to identify a mobile device’s user or owner; and
- a lack of transparency, which, according to the FTC, leaves consumers in the dark about who has their data and what is being done with it.
The complaint also alleges that Kochava failed to maintain proper controls to limit who could access the data or how they use it. Further, the FTC takes issue with Kochava’s alleged failure to implement measures to limit what a customer could infer from the data, such as specific individuals’ identities, their sensitive locations, and other characteristics that could be predicted based upon those visits.
Shortly before the FTC filed its lawsuit, Kochava preemptively sued the FTC, challenging its authority to seek relief under these circumstances and asserting that the data it receives is appropriately collected with consumer consent. Kochava also maintains that the data cannot be used to identify individuals. As both suits were filed in federal court in Idaho, they may eventually be linked or consolidated, but that remains to be seen.
Will there be additional enforcement actions?
This action and the FTC’s numerous public statements on the sensitivity of precise location data, particularly health data, suggests that this will likely not be the FTC’s final enforcement action in this space. Data providers and brokers and their customers dealing in precise geolocation data may want to assess their current practices and relationships in light of the FTC’s guidance, including whether they have implemented appropriate safeguards and controls regarding identification of individuals.
Notably, the FTC’s complaint does not identify issues with how the data is collected or whether Kochava is using the data with consumer consent, which arguably could have allowed for Kochava’s collection and use of data in these ways. That said, mobile applications that collect precise geolocation data and either share that data with third parties or permit third parties to collect that data directly should take note of the FTC’s actions, particularly in relation to what the FTC refers to as an “opaque” system whereby consumers “do not know who has collected their location data and how it is being used.”