FTC Sues Kochava Due to Illegal Gathering and Sale of Sensitive Geolocation Information

The Federal Trade Commission (FTC) is suing the data broker Kochava in Idaho for illegally gathering and peddling the sensitive information of mobile end users, violating the FTC Act. Based on the lawsuit, Kochava might be gathering and peddling the exact geolocation information of consumers together with data that enables the identification of individuals. The location information is supported by a Mobile Advertising ID (MAID), a special identifier that is given to a consumer’s mobile unit for marketing reasons. Although people can alter the MAID, a user must proactively reset the MAID on their mobile unit.

Kochava’s clients can buy a license to get feeds of premium information that consist of timestamped latitude and longitude coordinates that show the location of mobile gadgets together with unique identifiers. The information is utilized for different purposes, such as for promotions and monitoring retail shop visitors. Although Kochava clients should pay for a subscription to get data access, a data sample is given totally free. To get access to the data, it is required to register for a free AWS account and get approval from Kochava to access the sample. There are no restrictions on the use of the sample information. The sample covers a 7-day time frame, with the FTC saying in the suit that one day’s value of information in the free sample contained 327,480,000 rows, 11 columns, and the information gathered from over 61,803,400 exclusive mobile gadgets.

It is possible to know which consumers went to the reproductive health clinic using their mobile devices by plotting the longitude and latitude
coordinates found in the Kochava data stream utilizing a publicly accessible map applicationS. Additionally, since every set of coordinates has a time-stamp, a mobile gadget that has been to the location can be identified. The same techniques may be employed to track consumers’ appointments to other sensitive areas. The FTC states a number of data brokers promote services that complement MAIDS with consumers’ names and physical addresses, even though it is possible to recognize people without utilizing those services according to the dwell time and regularity of visits to some areas and from public information.

The FTC states Kochava has not enforced any technical settings to stop its clients from identifying users or monitoring visits to sensitive places, like utilizing blacklists to take away location information when people go to sensitive areas like abortion hospitals, mental healthcare companies, and addiction treatment facilities. The FTC’s evaluation of the data sample confirmed that one gadget had been to a women’s reproductive health facility and exposed that person’s family home address.

The FTC claims that the selling of sensitive geolocation information represents an unnecessary invasion of the private life of consumers and would probably cause considerable injury. The lawsuit claims Kochava’s business tactics constitute unjust acts or methods that violate Section 5 of the FTC Act, 15 U.S.C. § 45(a), and that users are suffering, have endured, and will still experience substantial injury because of Kochava’s violation of the FTC Act. The lawsuit wants the sale of sensitive geolocation data to end and the removal of all sensitive location information collected by Kochava.

At the beginning of this month, Kochava filed a lawsuit in order to reverse the FTC lawsuit, which mentioned that it had enforced a new function on August 10, 2022, called Privacy Block. This function takes away sensitive location information from its marketplace, which includes location information showing visits to healthcare companies.