On May 4, 2023, an Idaho federal judge ruled that the Federal Trade Commission (FTC) needs stronger assertions of consumer harm in order for its data privacy suit against data broker/mobile analytics provider Kochava Inc. (“Kochava”) to proceed. The court simultaneously found no basis for Kochava’s suit to block the FTC’s enforcement action. The judge sided with Kochava’s argument that the agency had not adequately supported its claim that the company sales of geolocation data constituted unfair conduct under Section 5 of the FTC Act, finding no allegations that the practices “created a ‘significant risk’ of concrete harm.”1 The agency has 30 days to amend the complaint.
Background
On August 29, 2022, the agency had filed suit against Kochava for its alleged unlawful sales of precise geolocation data from hundreds of millions of mobile devices. Coming in the wake of the agency’s warning of a coming crackdown on commercial surveillance, this action reveals much about the agency’s stance toward data broker collection of consumer data, and geolocation data in particular. With this action, and the advance of the FTC’s ambitious commercial surveillance rulemaking effort,2 companies may be in for greater challenges over their use and sharing of consumer data.
According to the FTC’s press release, Kochava’s sales of tracking data, or “sensitive geolocation data,” enabled the identification of individuals, “exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence.”3 With this lawsuit, the FTC seeks to halt Kochava’s sale of sensitive geolocation data, and delete the sensitive geolocation data it has collected so far.
Agency Scrutiny of Data Brokers
As a marketing data broker, Kochava allegedly collects information about consumers, including data collected from hundreds of millions of consumer mobile devices. The FTC alleges that Kochava sells this information to its clients in customized data feeds that match unique mobile device identification numbers with timestamped latitude and longitude locations.4 Kochava allegedly made this data available to clients for a monthly subscription fee, along with a free sample,5 enabling clients to improve their advertising with analysis of foot traffic, user demographics, and other measurements.6
The FTC contends that the precise geolocation data Kochava provided could be used to “track consumers to sensitive locations, including places of religious worship, places that may be used to infer an LGBTQ+ identification, domestic abuse shelters, medical facilities, and welfare and homeless shelters.”7 Kochava allegedly did not anonymize this timestamped longitudinal and latitudinal data, publicly posting it on the Amazon Web Services Marketplace.
The FTC’s complaint singles out Kochava’s alleged lack of technical controls to prevent identification of customers, pointing out that the company could have used a blacklist to remove or obfuscate location signals around sensitive locations within data sets.8
Unfairness and Geolocation
In its complaint, the FTC argues that the selling of “precise geolocation data associated with unique persistent identifiers that reveal consumers’ visits to sensitive locations” is likely to cause substantial injury to consumers and therefore constitutes an unfair practice under Section 5 of the FTC Act.9 This appears to be an expansion of the agency’s position on precise geolocation data. In a July blog post, the FTC framed precise geolocation data as a sensitive category of data protected by numerous federal and state laws. The December enforcement against OpenX hinged on the collection of children’s location data without parental consent, but did not claim that the act of selling sensitive geolocation data is unfair.
While it does not allege that any actual harm has taken place, the FTC’s complaint claims that Kochava’s practices are likely to cause harm because they “could be used” to identify individual consumers and track them to sensitive locations.10 This was not enough for the court, which found that while substantial secondary harms like discrimination, stigma and violence are theoretically possible, this possibility is not enough of an allegation.11 The judge also ruled that the agency’s other theory of injury over privacy intrusion is insufficient because the alleged intrusion is not “severe enough” to be a substantial consumer injury.12
Takeaways
With this enforcement, it seems that the FTC is adopting an assertive stance on commercial use of sensitive personal data, while looking to widen the net of its authority over unfair practices. Because the FTC did not allege a particular harm to an individual, the issue of harm was always likely to be heavily litigated. With this recent ruling the federal court in Idaho appears to have checked the agency’s expansive view of harm. Regardless of the result, this case will set the tone for enforcement towards the data broker business model. Data brokers, and any businesses dealing in sensitive personal data from consumers (such as precise geolocation data and health data), should examine their data collection, use and disclosure practices, and review their technical, administrative and physical controls.
Please contact a member of Akin’s cybersecurity, privacy and data protection team if you have any questions about this case or how it will affect your company.
1 FTC v. Kochava Inc., Memorandum Decision and Order, 2:22-cv-00377-BLW (May 4, 2023), hereinafter “Decision,” available at https://www.law360.com/articles/1604444/attachments/0.
2 See Allison Grande, FTC’s Bedoya Defends Need For Broad Privacy Rulemaking, Law360 (September 20, 2022) available at https://www.law360.com/cybersecurity-privacy/articles/1532168/ftc-s-bedoya-defends-need-for-broad-privacy-rulemaking?nl_pk=ab706bad-d60a-426e-a3bd-c41947a91d93&utm_source=newsletter&utm_medium=email&utm_campaign=cybersecurity-privacy&utm_content=2022-09-21.
3 Press Release, FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of Worship, and Other Sensitive Locations, Federal Trade Comm’n (August 29, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-sues-kochava-selling-data-tracks-people-reproductive-health-clinics-places-worship-other.
4 FTC v. Kochava, Inc., Complaint for Permanent Injunction and Other Relief, 2:22-cv-377 (August 29, 2022), hereinafter “Complaint,” available at https://www.ftc.gov/system/files/ftc_gov/pdf/1.%20Complaint.pdf.
5 The free sample, (the “Kochava Data Sample”) was made publicly available with minimal steps and no restrictions on usage, according to the FTC.
6 Complaint at 3.
7 Id. at 6.
8 Id. at 7.
9 Id. at 11; 15 U.S.C. § 45(a), (n).
10 Id. at 8.
11 Decision at 14.
12 Id. at 14-15.
