The Federal Trade Commission (FTC) is suing data broker Kochava Inc, alleging that it sold geolocation data from hundreds of millions of mobile devices that can be used to trace individuals’ movements to and from “sensitive locations.”
The agency announced the lawsuit in a press release on Aug. 29.
It claims that data from Idaho-based Kochava is formatted to “reveal people’s visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities.”
According to its website, Kochava is the “industry leader for mobile app attribution and mobile app analytics.”
The FTC, which is an independent agency of the federal government, says the location data broker “provides its customers massive amounts of precise geolocation data collected from consumers’ mobile devices” and that through its services, customers can “[l]icense premium data,” including the “precision location” of a consumer’s mobile device.
According to the agency’s lawsuit, this includes “time-stamped latitude and longitude coordinates showing the location of mobile devices.”
The data are not anonymized, according to the FTC, which noted that the geolocation data, combined with the mobile device’s mobile advertising ID (MAID), “can be used to identify the mobile device’s user or owner.”
Data Collected From Millions of Devices
The FTC alleges that Kochava “fails to adequately protect its data from public exposure” and that until at least June of this year, Kochava granted users access “with little effort” to “time-stamped location data collected from more than 61 million unique mobile devices.”
“Kochava typically charges a monthly subscription fee of thousands of dollars to access its location data feed, but has also offered a free sample (the “Kochava Data Sample”),” the lawsuit states. “Kochava has made the Kochava Data Sample publicly available with only minimal steps and no restrictions on usage.”
The lawsuit states that Kochava has also asserted that it offers “rich geo data spanning billions of devices globally” and that its location data feed “delivers raw latitude/longitude data with volumes around 94B+ geo transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device.”
According to the FTC, by selling the data tracking people, Kochava is “enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence.”
The FTC’s lawsuit says that Kochava’s actions “cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.”
The agency claims that Kochava’s actions violated a section of the FTC Act that prohibits unfair deceptive practices in commerce.
It also noted that Kochava could have installed safeguards to ensure the data was removed and that consumer information was protected.
“No Clear Terms or Resolutions”
The lawsuit seeks to halt Kochava from selling sensitive geolocation data and to ensure that the company deletes the sensitive geolocation information it has already collected.
“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”
However, Kochava fired back over the lawsuit in a statement to CNBC.
“This lawsuit shows the unfortunate reality that the FTC has a fundamental misunderstanding of Kochava’s data marketplace business and other data businesses,” Kochava Collective General Manager Brian Cox said. “Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy.”
Cox added that prior to the FTC’s lawsuit, the company had enabled location data blocking from sensitive locations and that it had explained its data-collection process to the FTC in an effort to find “effective solutions” with the agency.
“Unfortunately, the only outcome the FTC desired was a settlement that had no clear terms or resolutions and redefined the problem into a moving target,” Cox said. “Real progress to improve data privacy for consumers will not be reached through flamboyant press releases and frivolous litigation. It’s disappointing that the agency continues to circumvent the lawmaking process and perpetuate misinformation surrounding data privacy.”
The lawsuit comes after the agency vowed earlier this month to crackdown on “harmful commercial surveillance and lax data security.”