The Federal Trade Commission (“FTC”) on Monday, August 29, 2022, sued Idaho-based Kochava Inc., a data broker, in the United States District Court for the District of Idaho, seeking a permanent injunction and other relief for alleged unfair trade practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). In its Complaint the FTC alleges that Kochava acquires and sells “consumers’ precise geolocation data” in a format that allows Kochava’s buyers to “track the consumers’ movements to and from sensitive locations, including, among others, locations associated with medical care, reproductive health, religious worship, mental health, temporary shelters … and addiction recovery.” This, the FTC alleges, affords Kochava’s customers with “massive amounts of precise geolocation data collected from consumers’ mobile devices.” The FTC alleges that Kochava sells its customers specific timestamped latitude and longitude coordinates showing the location of mobile devices. Each pair of coordinates is associated with a “device_id_value,” known as a “Mobile Advertising ID” or “MAID,” which, the FTC alleges, uniquely identifies a consumer’s mobile device. The FTC further alleges that Kochava made consumers’ data available publicly “with only minimal steps and no restrictions on usage.”
Under the relevant portion of the FTC Act, an act is “unfair” when it causes or is likely to cause substantial injury to consumers that consumers cannot reasonably avoid. To that end, the FTC alleges that consumers cannot reasonably avoid the harm that Kochava’s sale of their data poses because data collection is “opaque to consumers, who typically do not know who has collected their location data and how it is being used. Indeed, once information is collected from consumers from their mobile devices, the information can be sold multiple times to companies that consumers have never heard of and never interacted with.”
The FTC was not, however, the first to the courthouse on this issue. Kochava itself filed a Complaint against the FTC in the District of Idaho on August 12, 2022. In its Complaint, Kochava seeks declaratory and injunctive relief to prevent the FTC from shutting down Kochava’s data sales. Kochava denies the FTC’s allegations. While Kochava admits that it “collects latitude and longitude, IP address and MAID associated with a consumer’s device,” it maintains that it does not do so in real time. Rather, “Kochava does not receive these data elements until days after … does not identify the location associated with latitude and longitude,” or “identify the customer associated with the MAID.”
To directly address the FTC’s allegations of unfairness, Kochava alleges that consumers can opt out of sharing their locations with app developers to avoid the injuries the FTC alleges. “In other words, the consumer agreed to share its location data with an app developer. As such, the consumer should reasonably expect that this data will contain the consumer’s locations, even locations which the consumer deems are sensitive.”
In its Complaint, Kochava also touts its August 10, 2022 implementation of its “Privacy Block” capability, which removes the locations of health services information from the Kochava data marketplace. That may not be enough, however, to avoid the FTC’s allegations. The “Privacy Block,” appears only to apply to health services, and therefore does not address the other examples of privacy concerns that the FTC pled in its Complaint, including the sensitivity of locations such as houses of worship and temporary shelters.
Given the reactions on all sides of the political spectrum to the Supreme Court’s recent decision in Dobbs, interest in consumer privacy may be at an all-time high. This lawsuit is likely not the last of its kind to pit the federal government against data brokers. The outcome of these dueling lawsuits may signal the direction of federal privacy law for years to come.