FTC Sues Data Broker Kochava, Inc. for Selling Allegedly Sensitive Geolocation Data
The Federal Trade Commission (FTC) filed a lawsuit on August 29, 2022 against Kochava Inc. (“Kochava”), a mobile data broker, alleging that the company’s practice of selling precise geolocation data from “hundreds of millions of mobile devices” is an “unfair” act or practice in violation of Section 5 of the FTC Act. The agency alleges that such information allows entities to track consumers who visit reproductive health centers, domestic abuse and homeless shelters, addiction treatment facilities, and other “sensitive” locations. The agency voted 4-1 to file the complaint, with Commissioner Noah Phillips voting against it. In a series of tweets, Commissioner Alvaro Bedoya asserted that the bipartisan vote would “protect the most sensitive information imaginable—precise data on our movements.”
The FTC’s lawsuit follows on the heels of the President’s recent executive order urging Chair Lina Khan to protect consumers’ privacy when seeking information about reproductive health services, and a recent blog post from Kristin Cohen, Acting Associate Director of the FTC’s Division of Privacy and Identity Protection, asserting that the FTC remains committed to protecting consumers’ sensitive health and geolocation data. The lawsuit is the latest signal that Chair Khan’s FTC will use aggressive interpretations of its authority to try to protect consumers’ sensitive location and health information, including through rulemaking on commercial surveillance and data security and through creative interpretations of existing rules, like the FTC’s Health Breach Notification Rule. The complaint also asserts a somewhat novel theory of unfairness under the FTC Act, a risky move that demonstrates how the current FTC is determined to push the boundaries of its authority.
The FTC’s Complaint Alleges Sales of Precise Geolocation Data to “Sensitive Locations” Is “Unfair”
The FTC’s complaint alleges that Kochava acquired consumers’ precise geolocation data and then sold it in a way that allows entities to “track . . . consumers’ movements to and from sensitive locations.” Kochava allegedly collects information about consumers and their mobile devices by purchasing data from other data brokers. It then creates customized data fields that it sells to clients for various purposes, such as targeted advertising and analyzing foot traffic in retail stores and other locations, among other things.
The complaint alleges that Kochava sells timestamped precise latitude and longitude coordinates that reveal the location of consumers’ mobile devices. These coordinates are associated with unique device identifiers that can be used to track a consumer’s device over time. The complaint alleges that the data includes “sensitive locations,” including places of religious worship, places that may be used to infer a consumer’s sexual orientation or affinity, domestic abuse shelters, medical facilities, and welfare and homeless shelters. Moreover, according to the allegations, the location information is not anonymous because it can easily be tied to individual consumers, either through third-party services or by inferring a consumers’ residence by plotting recurring geolocation points on a map.
The complaint implies what makes the sale of geolocation data “unfair”: it alleges that Kochava failed to employ any technical controls that would prevent its customers from identifying consumers or tracking them to sensitive locations, such as through a blacklist that would hide location signals around sensitive locations.
Pushing the Boundaries of Unfairness
The FTC’s complaint contains a single count alleging that it is an unfair practice to sell precise geolocation information associated with unique persistent identifiers that reveal consumers’ visits to various sensitive locations. Notably, the FTC has not alleged any misrepresentations about the anonymity of the data, despite recent statements by agency officials that it is frequently deceptive to claim that data “is anonymous” or “has been anonymized.” While a deception case is relatively straightforward for the FTC to prove, the remedies it affords are limited: companies that deceive consumers are simply ordered to stop making the deceptive statements. Here, by pursuing an unfairness case, the FTC sets the stage to intervene more aggressively in the business models for data brokerage companies: it is seeking remedies such as deletion of all the data Kochava has collected and mandatory blacklists of sensitive locations.
While various FTC cases have highlighted that precise geolocation information may be sensitive and warrants additional protections, the agency has never previously claimed that it is per se unfair to sell such data if it reveals sensitive locations. Under Section 5(n) of the FTC Act, the FTC must establish that unfair practices cause or are likely to cause substantial injury to consumers, which is not reasonably avoidable by consumers themselves, and is not outweighed by countervailing benefits to consumers or competition. The FTC’s complaint alleges that the challenged practices are likely to cause injury because such data “may be used” to identify consumers who have visited an abortion clinic and “could be used” to track consumers to various other sensitive locations, resulting in potential “exposure to stigma, discrimination, physical violence, emotional distress, and other harms.” The injury issue will likely be heavily litigated here because the FTC has not alleged any actual instances of the data resulting in this sort of injury, nor does the complaint include any allegations about the likelihood that the data will be abused in this way. Furthermore, injuries like “stigma” and “emotional distress” do not necessarily amount to substantial injury under the statute. A judgment that the FTC has not met its burden to prove that such practices cause or are likely to cause substantial injury could have a significant impact on the FTC’s privacy enforcement in many other contexts.
The FTC’s complaint reflects the agency’s aggressive enforcement posture under Chair Lina Khan and demonstrates that the agency is willing to push the boundaries of its “unfair or deceptive acts or practices” authority. Businesses that collect and use sensitive consumer information, particularly health data and precise geolocation information, would be well advised to review their compliance measures and take steps to safeguard the disclosure and use of such data through technical or administrative controls, contractual limitations on downstream use, and obtaining consumer consent where appropriate or required. If you have questions about these or other privacy or security issues, the Baker Botts Privacy and Data Security team can help.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.