FTC Files Complaint Against Data Broker Kochava Inc. for Sale of Sensitive Geolocation Data

In an action that could have widespread implications for businesses collecting customers’ location data, the Federal Trade Commission (FTC) sued Kochava Inc., an Idaho-based digital marketing and analytics company, alleging that the company violated Section 5 of the FTC Act by selling precise geolocation data that revealed customers’ visits to “sensitive locations” such as abortion clinics, places of worship, and homeless shelters. The FTC’s complaint, authorized by a rare bipartisan vote—4-1 with only Republican Commissioner Noah Phillips voting no—underscores the stated intention of FTC Chair Lina Khan to use the Commission’s enforcement power aggressively for personal data protection purposes. It comes on the heels of President Biden’s executive order requesting the FTC take new steps to protect patient privacy (as part of the Administration’s response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization to overturn Roe v. Wade) and just one week after the FTC announced it was exploring rules to crack down on “harmful commercial surveillance and lax data security.”

The FTC’s complaint alleges that Kochava sold customized data feeds to clients in order to assist them with “advertising and analyzing foot traffic at stores or other locations.” These data feeds, the complaint claims, matched unique device identification numbers to timestamped location data, giving purchasers the ability to identify individual customers by, for example, using third-party services to match mobile advertising IDs with a user’s name or address. According to the complaint, this data could therefore be used to track consumers’ movements to and from “sensitive locations” and might result in both physical and emotional harms. Kochava allegedly charges a monthly subscription fee to access its location data, but also offers anyone, without significant effort, the ability to obtain a data sample containing the sensitive location information of over 61 million unique mobile devices.

Based on these allegations, the FTC asserts a single cause of action under Section 5(a) of the FTC Act for “Unfair Sale of Sensitive Data,” claiming that Kochava’s sale of data may expose customers to “stigma, discrimination, physical violence, emotional distress, and other harms.” Section 5(a) of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” The FTC’s complaint explains that “[a]cts or practices are unfair under Section 5 of the FTC Act if they cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.” Whether the FTC meets its burden to prove a violation on this basis will likely have meaningful ramifications for any future substantive privacy violation causes of action it brings. The Complaint notably does not make any specific allegations of actual instances of harm resulting from Kochava’s use of customers’ data, nor does it make any allegations about the likelihood that harm could result from such use. However, recently, Kochava also was sued in a class action that similarly alleges Kochava engaged in the unlawful sale of geolocation information. The complaint, filed in the United States District Court for the Southern District of California based on claims of violations of the California Penal Code, expressly borrows facts from the FTC’s complaint in making its factual allegations, and asserts that Kochava’s actions cause or are likely to cause substantial injury.

Typically, the FTC has focused its privacy violation inquiries on whether a company’s data collection practices are “deceptive” in nature due to procedural failures like inadequate privacy notices or a failure to obtain required consents. In departing from that usual approach, this case appears to be consistent with comments Khan made in her first public address on data privacy and security issues as FTC chair, where she stated that she believed the FTC should “approach data privacy and security protections by considering substantive limits rather than just procedural protections, which tend to create process requirements, while sidestepping more fundamental questions about whether certain types of data collection and processing should be permitted in the first place.”

Stay tuned here on Enforcement Edge, as we continue monitoring how the FTC approaches data privacy and security protections under Khan’s direction.

© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.