FTC Sues Data Broker Over Sales of Geolocation Data
On August 29, 2022, the Federal Trade Commission (FTC) announced it had filed a complaint in Idaho federal district court against Kochava Inc., a data broker, seeking injunctive relief on account of alleged violations of Section 5(a) of the FTC Act. Specifically, the FTC alleged that Kochava's sales of precise geolocation information collected from consumers' mobile devices constitutes an "unfair or deceptive act or practice" because it enables those who obtain the data to identify the mobile devices' owners, track their movements to and from sensitive locations, and make inferences about those individuals and their behavior that could be harmful.
According to the FTC, Kochava offers customers precise geolocation data collected from mobile devices, including latitude and longitude coordinates with a timestamp and the corresponding device's mobile advertising ID. Kochava makes these data sets available on a paid subscription basis (via a data feed) and as a free sample (covering seven days of data). Kochava previously advertised its monthly data feed as containing the data of approximately 94 billion transactions per month, relating to 35 million individuals daily. The FTC emphasized that Kochava does not anonymize the location data or implement other controls over who accesses its location data feed or to prevent customers from identifying individuals and tracking them to sensitive locations.
For instance, according to the FTC, those who obtained these large datasets could track individuals to religious sites, medical facilities (such as reproductive healthcare clinics), domestic abuse shelters, and their own homes. And with this information, the purchasers of the data could then determine or infer precisely where an individual lived; what their religious preferences were; whether they were homeless or experienced addiction or domestic violence; what their daily commuting practices and patterns were; whether they worked at an abortion clinic or had obtained abortion care—all of which, the FTC alleged, could expose an individual to harassment, stigma, discrimination, violence, and other harms.
The complaint deemed Kochava's practices "an unwarranted intrusion into the most private areas of consumers' lives" that was compounded by the opacity of geolocation tracking and data brokers' sales. Indeed, most consumers are unaware of this collection and sale of their data and cannot avoid being included in these datasets or inferences being made about them. The FTC claimed these practices violated the "unfairness" prong of Section 5 of the FTC Act because they "cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves" without countervailing benefits that outweigh such injuries. Although Kochava's facilitation of government surveillance is not mentioned in the FTC's complaint, Kochava's data could be used by governmental entities to gain access to consumers' precise locations without a warrant, which the Supreme Court deemed necessary in Carpenter v. United States. There, the Court held that "an individual maintains a legitimate expectation of privacy in the record of his physical movements" captured electronically and that "accessing seven days of [location information] constitutes a Fourth Amendment search" requiring a warrant.
The Kochava lawsuit—and its explicit mention of the potential use of geolocation data to track an individual to an abortion clinic—suggests the FTC may be particularly attuned to the sensitivity of geolocation information post-Dobbs. Taken in conjunction with the recent Advance Notice of Proposed Rulemaking regarding "commercial surveillance" and data security, FTC Chairwoman Lina Khan appears ready to take on privacy protection for individuals and not willing to wait for congressional action.