Lawsuit Against FTC Intensifies Location Data Privacy Battle
Analytics Firm Says FTC Is Overstepping Its Authority
A lawsuit by an Idaho-based data marketing and analytics vendor against the U.S. Federal Trade Commission is the latest legal dispute spotlighting growing privacy concerns related to the tracking and collection of consumers' healthcare-related and location data.
In the weeks preceding and following the Supreme Court's June ruling overturning Roe v. Wade, which ended guaranteed nationwide access to abortion, reproductive health and privacy experts have warned that data brokers and law enforcement in certain states may attempt to collect information about abortions and other sensitive healthcare through location tracking and other digital footprints left online and in smartphones.
In the latest related case, Kochava Inc. alleged in an Idaho federal court complaint Friday that the FTC is attempting to unjustly take legal action against the company with "wrongful" allegations about Kochava's data collection practices.
The agency claims the company's collection of "latitude and longitude, IP address and mobile advertising identifier information associated with a consumers' devices" violates the FTC Act, Kochava says. In a proposed FTC complaint against Kochava, the agency is seeking a permanent injunction against the company to prevent future violations of the FTC Act, Kochava says in court documents.
'Setting Precedent'
"The FTC alleges - and Kochava denies - that the Kochava Collective's data can be used to identify people and track them to sensitive locations," says Kochava's complaint against the FTC.
Kochava describes the company's Kochava Collective as an aggregator of mobile device data provided by third parties that Kochava makes available to clients through a proprietary data marketplace.
"Specifically, the FTC claims that the Kochava Collective's precise geolocation data is associated with mobile advertising identifier information, and this combination makes it possible to track consumers' sensitive locations, such as therapists' offices, addiction recovery centers, medical facilities and women’s reproductive health clinics."
Kochava also alleges that the FTC wrongly claims that the company offers no technical controls to prohibit customers from identifying consumers or tracking them to sensitive locations.
In fact, on Aug. 10, Kochava announced a new capability, "Privacy Block," that allows the company's clients, such as mobile app developers, to shut off the collection of sensitive health services location data from the Kochava Collective marketplace, the company says.
"Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy," says attorney Craig Joel Mariam of the law firm Gordon Rees Scully Mansukhani LLP, which is representing Kochava in its lawsuit against the FTC.
"Kochava has been threatened by the FTC with a district court lawsuit and a proposed settlement, the merits upon which are not accurate. This is a manipulative attempt by the FTC to give the appearance that it is protecting consumer privacy despite being based on completely false pretenses," Mariam says in a statement provided to Information Security Media Group.
The alleged dispute between Kochava and the FTC also comes in the wake of an executive order by President Biden in July, following the Supreme Court Roe v. Wade ruling. Among other actions, the executive order directed the FTC to consider options "to address deceptive or fraudulent practices, including online, and protect access to accurate information" (see: Biden Order Seeks to Protect Reproductive Data Privacy).
Kochava claims the government is making the company a scapegoat. "The FTC's hope was to get a small, bootstrapped company to agree to a settlement - with the effect of setting precedent across the adtech industry and using that precedent to usurp the established process of Congress creating law. Kochava disagreed with this scheme and asked the federal court in Idaho to intervene," Mariam says.
Also, among other allegations, Kochava's lawsuit claims the FTC’s proposed enforcement action would overstep its legal authority related to enforcing the FTC Act.
The FTC declined ISMG's request for comment on the Kochava dispute.
"Some interesting constitutional issues are raised, so that is the first item to be addressed," says regulatory attorney Rachel Rose. Also, with many states enacting "California Consumer Privacy Act-like laws," these kinds of data privacy disputes will remain a hot issue, she says.
Similar Disputes
The litigation between Kochava and the FTC is the latest in a recent series of data privacy disputes that have emerged in the weeks following the Supreme Court's Roe v. Wade ruling (see: The Mounting Threats to Sensitive Data After Roe v. Wade).
Last month, at least two proposed class-action lawsuits were filed in federal courts against Facebook parent company Meta, alleging the company through its Pixel tracking tools is collecting millions of individuals' sensitive health data from healthcare provider websites and patient portals without patients' knowledge or consent (see: Facebook Slapped With Another Health Data Privacy Lawsuit).
One of those lawsuits alleges that at least 664 U.S. hospitals or medical providers deploy Meta Pixel tracking technology, which is a snippet of JavaScript code embedded by developers into webpages (see: Lawsuit: Facebook Is Collecting Patient Data of Millions).
The complaint alleges that anytime a patient undertakes an action on a website embedded with Pixel - such as scheduling a medical appointment - Pixel transmits patient data, including health condition information, to Facebook. The lawsuit alleges that Pixel gathers data whether or not a person is logged in to his or her Facebook account.
Pixel Breach
This week, Novant Health, an integrated healthcare delivery system in South Carolina, began notifying individuals of a health data breach involving the entity's use of Meta Pixel on its website and MyChart patient portal. The Winston-Salem Journal reports the Novant Health incident affected 1.3 million individuals.
In a notification statement, Novant Health says that it placed Meta Pixel on its websites in May 2020 as part of "a promotional campaign" to better connect with patients during the COVID-19 pandemic.
But on June 17, Novant determined that "an incorrect configuration of Pixel" in the healthcare provider's website and patient portal may have allowed individuals' private information to be transmitted to Meta, Novant Health says.
Potentially affected data includes patients' demographic information such as email address, phone number, computer IP address, contact information, appointment type and date, and physicians.
"The information did not include Social Security numbers or other financial information unless it was typed into a free text box by the user," Novant Health says. For those individuals, Novant Health says it will provide credit monitoring.
Novant Health did not immediately respond to ISMG's request for comment.
Other Concerns
Privacy attorney David Holtzman of the consulting firm HITprivacy LLC says Novant's claim that data was transmitted to Meta due to a Pixel misconfiguration raises other related concerns.
"The [HIPAA] security rule requires HIPAA-covered entities like Novant Health to have policies and procedures in place to ensure that changes or updates made to its information systems do not result in the unauthorized use or disclosure of protected health information," Holtzman says.
"In this case," he adds, "it is a reasonable inference that Novant did not follow standard industry practices to test the performance of the Pixel application to ensure data provided by patients was not disclosed to Meta."
The dispute between Kochava and the FTC also centers on controls the analytics firm had in place to prevent third parties from accessing and using patients' data without their permission.