The Federal Trade Commission filed a lawsuit against data broker Kochava Inc. for selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations. Kochava’s data can reveal people’s visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities. The FTC alleges that by selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence. The FTC’s lawsuit seeks to halt Kochava’s sale of sensitive geolocation data and require the company to delete the sensitive geolocation information it has collected.
“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”
Idaho-based Kochava purchases vast troves of location information derived from hundreds of millions of mobile devices. The information is packaged into customized data feeds that matches unique mobile device identification numbers with timestamped latitude and longitude locations. According to Kochava, these data feeds can be used to assist clients in advertising and analyzing foot traffic at their stores and other locations. People are often unaware that their location data is being purchased and shared by Kochava and have no control over its sale or use.
In a complaint filed against Kochava, the FTC alleges that the company’s customized data feeds allow purchases to identify and track specific mobile device users. For example, the location of a mobile device at night is likely the user’s home address and could be combined with property records to uncover their identity. In fact, the data broker has touted identifying households as one of the possible uses of its data in some marketing materials.
According to the FTC’s complaint, Kochava’s sale of geolocation data puts consumers at significant risk. The company’s data allows purchasers to track people at sensitive locations that could reveal information about their personal health decisions, religious beliefs, and steps they are taking to protect themselves from abusers. The release of this data could expose them to stigma, discrimination, physical violence, emotional distress, and other harms.
The FTC alleges that Kochava fails to adequately protect its data from public exposure. Until at least June 2022, Kochava allowed anyone with little effort to obtain a large sample of sensitive data and use it without restriction. The data sample the FTC examined included precise, timestamped location data collected from more than 61 million unique mobile devices in the previous week. Using Kochava’s publicly available data sample, the FTC complaint details how it is possible to identify and track people at sensitive locations such as:
- Reproductive health clinics: The data could be used to identify people who have visited a reproductive health clinic and therefore expose their private medical decisions. Using the data sample, it is possible to track a mobile device from a reproductive health clinic to a single-family residence to other places routinely visited. The data may also be used to identify medical professionals who perform, or assist in the performance, of reproductive health services.
- Places of worship: The data could be used to track consumers to places of worship, and thus reveal the religious beliefs and practices of consumers. The data sample identifies mobile devices that were located at Jewish, Christian, Islamic, and other religious denominations’ places of worship.
- Homeless and domestic violence shelters: The data could be used to track consumers who visited a homeless shelter, domestic violence shelter, or other facilities directed to at-risk populations. This information could reveal the location of people who are escaping domestic violence or other crimes. The data sample identifies a mobile device that appears to have spent the night at a temporary shelter whose mission is to provide residence for at-risk, pregnant young women or new mothers. In addition, because Kochava’s data allows its customers to track people over time, the data could be used to identify their past conditions, such as homelessness.
- Addiction recovery centers: The data could be used to track consumers who have visited addiction recovery centers. The data could show how long consumers stayed at the center and whether a consumer potentially relapses and returns to a recovery center.
Protecting sensitive consumer data, including geolocation and health data, is a top priority for the FTC. This month, the FTC announced that it is exploring rules to crack down on harmful commercial surveillance practices that collect, analyze, and profit from information about people. In July, the FTC warning that the agency intends to enforce the law against the illegal use and sharing of highly sensitive consumer data, including sensitive health data. Last year, the FTC issued a policy statement warning health apps and connected devices that collect or use consumers’ health information that they must notify consumers and others when that data is breached as required by the Health Breach Notification Rule. In 2021, the agency also took action against the fertility app Flo Health for sharing sensitive health data with third parties.
The Commission vote authorizing the staff to file the complaint against Kochava was 4-1. Commissioner Noah Joshua Phillips voted no. The complaint was filed in the US District Court for the District of Idaho.
NOTE: The Commission files a complaint when it has “reason to believe” that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest. The case will be decided by the court.