FTC bans data broker Kochava from selling sensitive location info

The Federal Trade Commission (FTC) and data broker Kochava said they agreed to a settlement in which the company and its subsidiary Collective Data Solutions would be blocked from selling, sharing or disclosing sensitive location data without consumers’ explicit consent.

Kochava had been found to be illegally obtaining and selling consumers’ yearly incomes, mobile device IDs, app usage and nearly real-time geolocation data within 10 meters, according to a 2023 FTC complaint. 

The FTC has said that Kochava sold precise geolocation data showing consumers visiting houses of worship and health care clinics without their consent or awareness, an alleged violation of a law barring companies from engaging in unfair and deceptive practices.

The FTC initially sued Kochava in August 2022 when the Biden-appointed chair of the FTC Lina Khan was running the agency.

The proposed order does not impose a fine on Kochava.

The deal is notable because the Biden FTC took the relatively rare step of waging a court battle with Kochava over its practices.

The FTC settlement requirements will have relatively few substantial new effects. Kochava already agreed to stop sharing or selling sensitive location data as part of a class-action lawsuit settlement in November.

As part of that settlement, Kochava also agreed to no longer make money from sales of location data that it gleaned from software development kits contained in apps. It said at the time that it would create an opt-out mechanism allowing consumers to easily delete their data from the company’s holdings and place themselves on a list barring future collection and sharing of their information.

A spokesperson for Kochava said the company is “pleased to have reached this proposed settlement and to take this next step toward resolving the FTC matter.”

“While the settlement remains subject to the Court’s review and approval, it reflects Kochava’s ongoing commitment to privacy and responsible data practices, and formalizes the practical safeguards around privacy and compliance.”

Under the settlement deal, Kochava must additionally create a sensitive location data program that catalogues sensitive locations to ensure that they are not sold or shared. It also is required to establish a “supplier assessment” program that will be used to confirm consumers have consented to the collection and use of all location data collected by Kochava and its subsidiary.

Additionally, the data broker will be required to alert the FTC if it learns that a third party has disclosed consumers’ precise location data in violation of the settlement terms, provide consumers with the names of businesses or individuals to which it has sold their precise location data and allow consumers to easily withdraw consent for the sale of their precise locations.

It also must establish a “data retention schedule” that will mandate consumers’ data be deleted in a predetermined time frame.