FTC Sues Firm That Collects, Sells Sensitive Location Data
Agency's Lawsuit Against Kochava Follows Firm's Preemptive Legal Action Against FTC
The U.S. Federal Trade Commission has sued a data broker, alleging the company sells sensitive location data collected from hundreds of millions of mobile devices, including data that could be used to identify individuals who have visited abortion clinics, mental health providers and other sensitive locations.
Idaho-based Kochava Inc. sells location data paired with a time stamp and unique identifier known as a Mobile Advertising ID that allows purchasers to detect the actual identity of the device owner, the agency says in its complaint. That amounts to an unfair marketplace practice, the FTC says.
Kochava earlier this month filed its own lawsuit in the same Idaho federal court as the FTC in a bid to preemptively counter the federal agency (see: Lawsuit Against FTC Intensifies Location Data Privacy Battle).
Kochava in court documents acknowledged collecting Mobile Advertising Identifiers and latitude and longitude information generated by smartphones but said it doesn't connect that data to consumers or to places. The data comes from apps for which consumers agreed to share location data, the company also said. "In other words, the consumer agreed to share its location data with an app developer. As such, the consumer should reasonably expect that this data will contain the consumer's locations, even locations which the consumer deems is sensitive," the company wrote.
The FTC lawsuit comes in the wake of a July executive order from President Joe Biden encouraging the agency to take action to protect privacy around reproductive healthcare services.
The Supreme Court in June overturned a constitutional guarantee to abortion embodied in the five-decade-old precedent of Roe v. Wade. Since then, a dozen states have implemented full bans on abortion, and additional states have imposed partial bans or are seeking to implement new restrictions on reproductive health. The bans, especially when paired with state legislative attempts to enforce abortion restrictions on women who travel to a state where it is still legal, sparked fears that mobile devices could be used for surveillance.
There is precedent suggesting the concerns aren't unwarranted. In 2017, the Massachusetts attorney general reached a settlement with an advertising company that used smartphone location to target women near reproductive health centers and methadone clinics with anti-abortion ads with titles including "Pregnancy Help," "You Have Choices" and "You’re Not Alone."
The FTC alleges that in addition to visits to healthcare facilities, Kochava's data can reveal individuals' visits to a slew of sensitive locations, such as places of worship and shelters for homelessness and domestic violence.
"By selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence," the FTC says in a statement.
Among other claims, the FTC alleges that Kochava's customized data feeds allow purchasers to identify and track specific mobile device users. "For example, the location of a mobile device at night is likely the user's home address and could be combined with property records to uncover their identity. In fact, the data broker has touted identifying households as one of the possible uses of its data in some marketing materials," the FTC alleges.
The agency's lawsuit seeks to stop Kochava's sale of sensitive geolocation data and require the company to delete the location data it has collected.
The lawsuit doesn't address a putative defense Kochava raised in its preemptive lawsuit - namely, that the company introduced earlier this month a new feature dubbed Privacy Block, which removes health services location data from its marketplace. It's probably too little, too late, says regulatory attorney Rachel Rose, who is not involved in the case.
"Kochava should have had this in place already," Rose says. A judge could view the measures as a subsequent remedial measure. Federal courtroom rules don't permit litigants to use remedial measures put in place after the alleged injury as evidence of negligent or culpable conduct, but they do permit them as evidence for other purposes.
The FTC could argue "that the company was noncompliant with a plethora of laws from the outset by getting evidence before the August 2022 enactment of the Privacy Block and use that without even referencing the Privacy Block," she says.