FTC Sues Data Broker for Sharing Sensitive Info

WASHINGTON — The Federal Trade Commission Monday sued the data broker Kochava accusing it of selling highly personal identifiable geolocation information showing “visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities.”

“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”

The commission’s lawsuit against the Idaho-based data broker alleges it allowed “anyone with little effort to obtain a large sample of sensitive data and use it without restriction” until June 2022. The company’s General Manager Brian Cox said in a statement the commission has a “fundamental misunderstanding” of the company’s business and is engaging in “frivolous litigation.”

“Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy,” he said, adding the company created a specific product to further shield individual’s locations at health care facilities earlier this month.

Kochava pairs timestamped “raw latitude/longitude” coordinates with a Mobile Advertising ID, also known as a MAID, that is a unique identifier on every cell phone, according to the lawsuit.

“The location data provided by Kochava is not anonymized. It is possible to use the geolocation data, combined with the mobile device’s MAID, to identify the mobile device’s user or owner. For example, some data brokers advertise services to match MAIDs with ‘offline’ information, such as consumers’ names and physical addresses,” the lawsuit states.

And while a typical subscription to that data is thousands of dollars a month, the company made the information “publicly available with only minimal steps and no restrictions on usage” through a free sample it used to entice customers, according to the lawsuit.

“The company’s data allows purchasers to track people at sensitive locations that could reveal information about their personal health decisions, religious beliefs, and steps they are taking to protect themselves from abusers. The release of this data could expose them to stigma, discrimination, physical violence, emotional distress, and other harms,” according to the commission.

This lawsuit comes as activists raise the alarm that health care geolocation information is particularly vulnerable as states attempt to prohibit or even criminalize abortion access in the wake of Roe v. Wade being overturned. And earlier this month the commission announced a plan to crack down on those exposing American’s data by creating new privacy rules.

The United States has no specific online data privacy law. And while health care information is covered by the Health Insurance Portability and Accountability Act, that protects information between doctors’ offices and patients, not geolocation information captured by cell phone applications.

There is bipartisan consensus on a data privacy law that passed through the House Committee on Energy and Commerce by a 53-2 vote. However, it has yet to be voted on by the full House.

Prior to the lawsuit, Kochava had been working to “educate the FTC on the role of data, the process by which it is collected and the way it is used in digital advertising,” Cox said.

“We hoped to have productive conversations that led to effective solutions with the FTC about these complicated and important issues and are open to them in the future. Unfortunately, the only outcome the FTC desired was a settlement that had no clear terms or resolutions and redefined the problem into a moving target,” he said.

The lawsuit was approved in a bipartisan 4-1 vote with Commissioner Noah Joshua Phillips the solitary no vote.

Madeline can be reached at [email protected] or @ByMaddieHughes