Governance & Risk Management , Healthcare , Industry Specific
Court: FTC Privacy Suit Against Data Broker Can Move Ahead
Judge Denies Kochava's Motion to Dismiss Agency's Claim of Privacy ViolationsA federal judge has denied Kochava's latest attempt to ditch a Federal Trade Commission lawsuit that accuses the data broker of invading consumers' privacy and exposing them to risk by aggregating and selling their geolocation information and other sensitive data to third parties.
See Also: Critical Condition: How Qilin Ransomware Endangers Healthcare
District Judge B. Lynn Winmill of the U.S. District Court for the District of Idaho on Friday in a 14-page ruling denied Kochava's motion to dismiss an amended complaint filed last June by the FTC alleging that the Boise, Idaho company is unlawfully acquiring and selling sensitive identifying information from millions of mobile devices globally.
Winmill last May dismissed the FTC's first complaint filed in 2022 against Kochava in the dispute, saying that the agency had failed to establish that Kochava's business practices constitute substantial injury to consumers (see: Court Dismisses FTC Complaint Against Data Broker Kochava).
But in that earlier dismissal, the judge gave the FTC an opportunity to beef up its allegations against Kochava in an amended complaint, which the agency filed in June 2023 (see: FTC Alleges Data Broker Sells Vast Amounts of Sensitive Data).
In his ruling Friday, Winmill said the FTC's amended complaint "significantly expands the factual allegations in its original complaint."
The new detail contained in the FTC's amended lawsuit "easily satisfies the liberal plausibility standard" that Kochava's alleged practice of selling vast amounts of data about mobile device users may violate Section 5 of the FTC Act, which involves unfair business practices, "by depriving consumers of their privacy and exposing them to significant risks of secondary harms," Winmill wrote.
Some legal experts said the ruling is important for several reasons. "It underscores that courts are taking the notion of privacy and data security seriously," said regulatory attorney Rachel Rose.
The ruling also shows "that the failure of companies to obtain appropriate consent and give adequate notice of the poaching and selling of information, including tracking data, race categorization, etc., is material," she said.
Sensitive Data Sold?
The FTC's amended lawsuit alleges that Kochava's geolocation and other data invades consumers' personal privacy, creating risk that third parties will target consumers based upon their visits to certain sensitive locations, including abortion clinics, addiction treatment facilities, places of worship, and shelters for domestic abuse survivors.
The FTC's amended complaint focuses on four of Kochava's data products: geolocation data, the database graph, the app graph, and audience segments.
Kochava's customers "can and do purchase any and all of this data," the FTC alleges. "Consequently, although the data is contained in separate collections, it is not anonymized and is linked or easily linkable to individual consumers," the FTC alleges.
"For example, drawing upon data contained in Kochava’s various collections, a customer could identify 'a woman who visits a particular building, the woman's name, email address, and home address, and whether the woman is African-American, a parent - and if so, how many children, or has an app identifying symptoms of cancer on her phone," the FTC alleges. It also says Kochava's customers could do this "without mining other sources of data."
The FTC claims that Kochava's sales of that data harm consumers in two distinct ways.
"First, by putting them at an increased risk of suffering secondary harms, such as stigma, discrimination, physical violence and emotional distress. And second, by invading their privacy," Winmill said in his ruling. "The FTC has alleged facts sufficient to proceed under both theories," he said, allowing the FTC legal action to move forward.
Complex Issues
This latest decision in the Kochava saga "is a very significant win for the FTC," said regulatory attorney Daniel Kaufman of the law firm BakerHostetler.
"As the FTC continues to address complex privacy issues, particularly issues involving the use of geolocation or health data, the FTC is increasingly relying on its ability to challenge practices that are unfair under the FTC Act," he said.
"Although there is a well-established test used to determine whether something is unfair, there is very little case law on what, practically speaking, is unfair," he said.
"We are seeing numerous FTC privacy settlements that rely upon unfairness as a legal theory, but it is much more significant when a court is closely reviewing allegations and finding that the FTC's theory of potential unfairness liability are sustained."
The FTC has been actively pursuing several similar data privacy cases involving the alleged unlawful collection and sale of sensitive information to third parties. Last month, the FTC issued orders prohibiting data broker Outlogic, formerly X-Mode Social, and data aggregator InMarket Media from sharing or selling sensitive location data with third parties (see: Groups Urge FTC to Scrutinize Google Location Data Practices).
As for the Kochava ruling, "although there is a pretty low bar when a court is reviewing a complaint at this early stage, the decision is still important for the agency and for industry," Kaufman said.
"Although the FTC continues - through no fault of its own - to address thorny, complex privacy issues using a decades-old statue, it is clear that the agency will continue to aggressively use the tools that it has."
Rose predicts the recent enforcement cases against data brokers, including the Kochava case, will move other companies to review their data collection and sharing practices.
"The first step is for data brokers to consider what laws apply to them. From there, informed choices should be made to construct a compliance program and work with competent legal counsel to navigate this area of the law and balance it with consumer protections," she said.
"One item is obtaining consumer consent in a way that it is prominent and not buried, so it creates a contract of adhesion."
It's critical for a company to disclose upfront that it is aggregating data and selling it to third parties for a profit, she said. That's because, besides the FTC Act, other laws, including HIPAA, "may be implicated if the consumer is also a patient and the data is stemming from a covered entity or business associate's cite or app."
Kochava Statement
Kochava said it is confident that it will ultimately prevail on the merits of its defense. "This case is really about the FTC attempting to make an end run around Congress to create data privacy law. The FTC's salacious hypotheticals in its amended complaint are mere scare tactics," the company told Information Security Media Group.
"Kochava has always operated consistently and proactively in compliance with all rules and laws, including those specific to privacy," the company said.
Prior to the FTC's litigation, Kochava announced Privacy Block, a sensitive location-blocking solution, the company said.
"Through Privacy Block, Kochava has been blocking over 2.1 million locations from its data products on an ongoing basis. Never in a million years did we imagine that as a small, law-abiding company we'd find ourselves in the ring on behalf of an entire industry. We're here, we have the truth in our corner, and we're in it to win it. We look forward to proving our case."
The FTC's Take
The FTC said in a statement to ISMG that it is pleased with the court's ruling, "which will lend further momentum to our efforts to combat unlawful sharing of consumers' sensitive location data and other revealing information."
"With our case against Kochava and recent settlements with X-Mode Social/Outlogic and InMarket Media, companies are on notice that the era of unchecked monetization and surveillance of consumers' most sensitive data is over."
Kochava in 2022 filed a preemptive lawsuit against the FTC to prevent the agency from taking its proposed enforcement action against the company involving "wrongful" allegations about Kochava's data collection practices. Winmill in June 2023 granted the FTC's motion to dismiss that case (see: Lawsuit Against FTC Intensifies Location Data Privacy Battle).