Security news that informs and inspires

FTC Sues Data Broker For Selling Sensitive Location Data


The Federal Trade Commission (FTC) has filed a lawsuit against an Idaho-based data broker called Kochava, alleging that its customized data feeds allow purchasers to track end users at sensitive locations like places of worship and addiction recovery centers.

The lawsuit is the latest move by the FTC around data security and privacy policies under Lina Khan's administration since she was sworn in as the FTC chair in June 2021. In March, the FTC cracked down on online retailer CafePress after the company allegedly covered a major data breach and failed to secure customers’ sensitive data, while in August the commission announced its intent to scrutinize the surveillance and data collection tactics of big tech and ad tech firms.

“Of the privacy cases that have come out, this is the first one that most clearly reflects Lina Khan’s administration taking a big swing,” said Ben Rossen, special counsel with Baker Botts, who is a former senior attorney at the FTC with experience handling high-profile privacy and data security investigations. He noted that Kochava’s data collection practices here “are not terribly unusual, but it does potentially cause significant harm to consumers when they’re not aware it’s going on.”

Kochava, which was founded in 2011, is a self-described “mobile measurement platform” that collects data for advertising purposes or for clients to be able to analyze foot traffic at their stores.

The company has collected geolocation data from hundreds of millions of mobile devices that is categorized to match unique mobile device identification numbers - which are assigned to consumer mobile devices to assist marketers in advertising - with timestamped latitudinal and longitudinal locations, alleges the FTC. The company has sold this access on publicly accessible online data marketplaces for a monthly subscription fee. The FTC said it examined a data sample with precise location data collected from more than 61 million unique mobile devices in the previous week, for instance.

The FTC said that these measures violate the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The data collected by Kochava is not anonymized, alleges the FTC, and can be used to trace individual visits to reproductive health clinics, domestic shelters and other areas, exposing them to threats like stalking, discrimination or physical violence. For instance, someone who attempts to match the geolocation data of mobile devices with consumers' nighttime timestamps would likely be able to identify end user home addresses, which can be combined with property records to discern end user identities, argued the FTC.

“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a Monday statement. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”

Consent is another factor here, with the FTC saying that individuals are often unaware that their location is being purchased and sold by the company.

"The FTC is absolutely right that data brokers' tracking of Americans has spun wildly out of control and is a threat to every single person's privacy, no matter who they are or what they believe," said Sean Vitka, senior policy counsel for Demand Progress Action. "Kochava, among others, allegedly sells detailed geolocation information that reveals dozens of millions of innocent Americans' pursuit of health care, places of worship, and far more, rendering consumers vulnerable to the misuse of their data by corporations, the government, and stalkers. We strongly support the FTC's decision to crack down on this parasitic industry."

Kochava had filed a lawsuit against the FTC's investigation earlier in August, saying the commission was “wrongfully” alleging it had violated the FTC Act. In a statement, Kochava said that it has worked for the past several weeks to educate the FTC "on the role of data, the process by which it is collected and the way it is used in digital advertising."

"This lawsuit shows the unfortunate reality that the FTC has a fundamental misunderstanding of Kochava’s data marketplace business and other data businesses," said Brian Cox, general manager of Kochava Collective. "Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy... Absent specificity from the FTC, we are constantly monitoring and proactively adjusting our technology to block geo data from other sensitive locations. Kochava sources 100 percent of the geo data in our data marketplace from third party data brokers all of whom represent that the data comes from consenting consumers."