FTC Sues Location Data Collector, Alleging Lax Security

The Federal Trade Commission confirmed it filed a lawsuit against geographic data broker Kochava over its sale of sensitive data that can track individuals’ visits to locations including health care clinics and places of worship from mobile devices. 

Announced on Monday, the FTC alleges that selling this tracking data endangers the public to stalking, discrimination and physical violence. 

“Where consumers seek out health care, receive counseling or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Director of FTC’s Bureau of Consumer Protection Samuel Levine. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”

The regulatory agency wishes to have the company cease collecting individuals’ location data as well as delete current data stored on the company’s network. Kochava purchases geographical data from millions of devices represented by a device-specific identification number and its longitudinal and latitudinal coordinates. Data harvested by Kochava was found via direct contact with the company or on Amazon Web Services, where users could subscribe to Kochava’s data collection.

The FTC also added that people are broadly unaware of their location data being sold, purchased, and collected by Kochava––an allegation that the company has refuted in a recent press release, saying that consumers must consent before Kochava collects any data. 

“This action is part of the FTC’s work to use all of our tools to protect Americans' privacy,” FTC Chairwoman Lina Khan wrote on Twitter. 

In addition to the potential exposure of this data, FTC officials allege that Kochava does not take enough action to protect their networks and the sensitive information stored on them. Regulators allege that up until June 2022, the company allowed “anyone” to have access to large quantities of sample data. 

While Kochava hasn’t publicly responded to the news of the lawsuit, the company recently announced a new privacy feature that would block health services location data from the company’s data reserves, dubbed the “Kochava Collective marketplace.” 

Data privacy has been at the forefront of the FTC’s agency policy agenda. As news of the lawsuit debuted, FTC officials released the final agenda for its proposed rule simultaneously, asking for public feedback on consumer data privacy and security. 

In addition to consumer consent, the FTC’s potential rule would emphasize the ways that companies like Kochava collect, analyze, and sell individuals’ data. 

While widespread commercial data hacks are becoming more and more commonplace, the overturning of Roe v. Wade sparked national concern over the security of pregnant individuals seeking abortion access or other reproductive care. Through brokers like Kochava, this information could become easily available to entities like law enforcement. 

To combat this, President Joe Biden signed an executive order in July granting additional protections to combat the digital surveillance of Americans’ health care.