The Federal Trade Commission and Idaho-based data broker Kochava and its subsidiary Collective Data Solutions have reached a settlement to resolve litigation concerning the sale of geolocation data.
Kochava sells data products that include consumer profiles and geolocation information. The company states that it can identify an individual’s location within approximately 10 meters through GPS coordinates and other signals connected to a unique mobile device identifier. The Federal Trade Commission (FTC) investigated Kochava shortly after the Supreme Court decision that overturned Roe v. Wade and removed the federal right to an abortion. In August 2022, a lawsuit was filed alleging that Kochava sold precise geolocation data collected without consumers’ knowledge or consent.
Allegedly, the data sold by Kochava could be used to track the locations individuals visited that are considered sensitive, such as reproductive healthcare facilities, hospitals, places of worship, and refuges for victims of domestic abuse. The FTC stated that the sale of the data created data privacy risks (though not necessarily HIPAA-covered) and could expose individuals to harms that included discrimination, stigma, emotional distress, and physical violence.
Kochava denied wrongdoing in connection with the allegations. It claimed that it consistently complied with applicable laws and privacy requirements. It even implemented a Privacy Block feature to block geolocation data associated with sensitive locations.
The litigation included multiple court proceedings before the settlement was reached. A federal judge dismissed the original Federal Trade Commission lawsuit in 2023 after determining that the FTC had not established that Kochava’s practices caused substantial injury to consumers. The FTC filed an amended complaint in June 2023. Kochava sought the dismissal of the amended complaint, but was denied in early 2024.
The proposed consent order places restrictions on Kochava’s handling of sensitive location data. Under the agreement, Kochava is not allowed to sell, license, transfer, share, or disclose sensitive location data in products or services unless consumers give express consent and the data is used to provide a consumer service.
The consent order also requires Kochava to create and maintain a sensitive location data program. The program must include a comprehensive list of sensitive locations. The sensitive data connected to these locations must not be sold, licensed, transferred, shared, or disclosed.
Consumers must be allowed to request the identity of any business or individual that purchased their geolocation data, and to withdraw consent for the sale of geolocation data, if desired.
The agreement establishes additional compliance obligations related to consent verification and data retention practices. At least once every three months, Kochava must verify that both Kochava and Collective Data Solutions obtained consumers’ express consent to collect geolocation data. Kochava must follow a data retention schedule and delete the data within defined timeframes.
The consent order includes incident notification obligations tied to third-party data sharing. If Kochava determines that a third-party incident involved the sharing of geolocation data in violation of contractual requirements, the company must notify the FTC within 30 days.
The FTC approved the consent order in a 2-0 vote. The agreement is awaiting approval from a United States District Court judge.