FTC settlement targets sale of mobile location data linked to sensitive sites

The Federal Trade Commission (FTC) has moved to prohibit Sandpoint, Idaho-based data broker Kochava and its subsidiary, Cedar Rapids, Iowa-based Collective Data Solutions (CDS), from selling, sharing, or disclosing sensitive location data without consumers’ affirmative express consent.

The agency’s proposed order resolves allegations that the companies sold mobile location data that could be used to trace the movements of individuals, and marks the latest FTC action targeting the commercial trade in precise geolocation data.

The agency sued Kochava in August 2022, alleging that its collection, use and disclosure of precise location data invaded consumers’ privacy because people were unaware of, and had not consented to, the sharing.

The FTC’s lawsuit sought to halt Kochava’s sale of sensitive geolocation data and require the company to delete the sensitive geolocation information it has collected.

The agency said “geolocation data from hundreds of millions of mobile devices … can be used to trace the movements of individuals to and from sensitive locations. Kochava’s data can reveal people’s visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities.”

The FTC alleged that by selling data tracking people, “Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence.”

“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”

The regulatory agency said “Kochava purchases vast troves of location information derived from hundreds of millions of mobile devices,” and that “the information is packaged into customized data feeds that match unique mobile device identification numbers with timestamped latitude and longitude locations.”

“According to Kochava,” the FTC said, “these data feeds can be used to assist clients in advertising and analyzing foot traffic at their stores and other locations. People are often unaware that their location data is being purchased and shared by Kochava and have no control over its sale or use.”

Under the settlement, Kochava and CDS, which has taken over Kochava’s data broker business, cannot sell, license, transfer, or disclose sensitive location data unless they obtain affirmative express consent and the data is used to provide a service directly requested by the consumer.

The companies also must create a sensitive location data program, assess suppliers to confirm consumer consent, report certain third-party violations to the FTC, allow consumers to learn where their precise location data was sold, provide a way to withdraw consent, and adopt a data retention schedule requiring deletion on a set timeframe.

The Commission approved the stipulated final order by a 2-0 vote and filed it in the U.S. District Court for the District of Idaho. The order will carry the force of law once approved and signed by the judge.

Article Topics

data brokers  |  data privacy  |  FTC  |  location data  |  regulation  |  U.S. Government