FTC sues data broker Kochava for sale of people’s sensitive location data, including visits to reproductive health clinics

The U.S. Federal Trade Commission (FTC) on Monday announced it has filed a lawsuit against data broker Kochava Inc. for selling geolocation data from “hundreds of millions of mobile devices,” it says, which could be used to trace the movements of individuals including those to and from sensitive locations. Specifically, the FTC said the data could reveal people’s visits to places like reproductive health clinics, domestic violence or homeless shelters, addiction recovery centers and places of worship.

This personal and private information could expose people to “threats of stigma, stalking, discrimination, job loss, and even physical violence,” the FTC explained in a press release.

The suit aims to halt Kochava’s data collection practices involving sensitive geolocation data and will request that the company delete the data it has already collected.

Its arrival additionally signals the FTC is cracking down on mobile data brokers whose businesses rely on collecting and reselling data from consumers’ smartphones — a longtime industry practice that has numerous privacy implications, but is one often unknown to the end users who are impacted. The move also follows a significant rethinking of tracking by Apple, which updated its mobile operating system to allow consumers to opt out of some data collection practices on a per-app basis.

More recently, the U.S. House Oversight Committee began investigating how the business practices of period-tracking apps and data brokers could potentially weaponize consumers’ private health data in the post-Roe v. Wade era, TechCrunch reported.

Idaho-based Kochava is not a household name but has a sizable footprint in the data collection industry. The company is a location data broker that provides precise geolocation data from consumers’ smartphones and also purchases data from other brokers to resell to clients. These data feeds are often used by clients who want to analyze things like foot traffic at local stores or other locations. This data itself is highly precise — it includes things like timestamped latitude and longitude coordinates showing the exact location of mobile devices which is additionally associated with a unique identifier, like a device ID as well as other information, like an IP address, device type, and more.

This device ID, or Mobile Advertising ID, is a unique identifier that’s assigned to a consumer’s mobile device to assist marketers who want to advertise to the end user. Though consumers can reset this ID at any time, they would have to know to do so as well as understand where in their device’s settings this option is available.

According to Kochava’s own description of its product, cited by the FTC’s complaints, the company offers clients “raw latitude/longitude data with volumes around 94B+ geo transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device.” It sells its data feeds on a subscription basis on publicly accessible sites, including on the AWS Marketplace up until June 2022. To access the feed, a purchaser would need a free AWS account and $25,000 for the Kochava location data feed subscription. A data sample containing over 327 million rows and 11 columns of data related to 61.8+ million unique mobile devices was also available.

This data is not anonymized, the FTC says, and can be used to identify the mobile device’s user or owner. This is possible because other data brokers specifically sell services that work to match these Mobile Advertising IDs with offline information, like consumers’ names and physical addresses.

In addition to being able to track consumers visiting sensitive locations, the FTC noted the data could be used to make inferences about a consumer’s LGBTQ+ identification or visits to other medical facilities beyond those that provide reproductive care. It could be used to tie that activity to someone’s home address, too.

And, in light of the reversal of Roe v. Wade, the FTC points out that this data could be used to not only identify people visiting reproductive health clinics but also the medical professionals who perform, or assist in the performance, of abortion services. This was the subject of recent reporting by VICE’s Motherboard, but it had focused on a different data broker known as SafeGraph. The broker along with Placer.ai in July agreed to stop selling location data of people who visit abortion clinics after Senator Warren and thirteen other senators wrote to the companies to request answers about their data collection practices and asked them to stop selling data related to visits to abortion clinics.

That same month, Google said it would automatically remove location history from “particularly personal” places from users’ accounts, including abortion clinics, shelters, addiction treatment centers, and others. It also advised its Fitbit users how to delete their logs manually.

 

The FTC aims to prosecute Kochava based on numerous violations of the FTC Act, including those involving the unfair sale of sensitive data and consumer injury. It’s seeking a permanent injunction to prevent future violations and any additional relief as determined by the court.

“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, in a statement. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”

The Commission vote authorizing the filing of the complaint against Kochava was 4-1, with Commissioner Noah Joshua Phillips the only to vote no.

The news of this latest action is not surprising. The agency had warned businesses in July it planned to enforce the law over the illegal use and sharing of sensitive consumer data and said this month it was exploring new rules that would further crack down on businesses that “collect, analyze, and profit from information about people.”

This is also not the first action the FTC has taken that directly targets a business involved in sensitive data collection, however. Last year, the FTC had taken action against the fertility tracking app Flo for sharing sensitive data with third parties. The app didn’t receive a financial penalty but was noteworthy for being the first time the regulator had ordered notice of a privacy action of this kind.

Kochava said it will release its statement at 2:30 PM ET today. We’ll update then with its response.

“Harvesting our location behaviors has become a major way that apps, mobile phone carriers and other ‘location intelligence’ companies monetize our information,” noted Jeff Chester, Executive Director at digital rights and consumer protection advocate Center for Digital Democracy, in a statement following the FTC’s announcement. “The FTC is saying that information on the places we visit is sensitive data and cannot be used in the ways the surveillance marketing business has come to expect. With a bipartisan vote supporting the lawsuit, today’s commission action demonstrates privacy is a key issue for both parties. It’s putting the data and platform industry on notice it has a serious fight on its hands,” he said.