Judge unseals FTC complaint against Kochava alleging ‘staggering’ data broker practices
An Idaho federal judge on Friday unsealed a Federal Trade Commission complaint alleging the data broker firm Kochava illegally obtains and sells a shocking amount of highly sensitive information about consumers including their mobile device IDs, yearly income, app usage and nearly real-time geolocation within 10 meters.
The court also denied a Kochava request for sanctions against the FTC’s attorneys, saying there is some evidence for the agency’s claims and allowing the case to move forward.
In August 2022, the FTC filed an initial complaint claiming Kochava’s business practices violated Section 5 of the FTC Act, which bars companies from using unfair or deceptive practices. In May, the judge ruled the FTC had not provided sufficient evidence in its complaint, but gave the agency an opportunity to build more evidence and file an amended complaint once it had done so. The FTC filed that amended complaint in June.
Friday’s ruling to unseal the complaint and dismiss sanctions against the FTC is a promising turnaround in a landmark FTC action against a major data broker, experts say.
The quickly expanding data broker industry is under increasing scrutiny for gathering exceptionally sensitive data on vast numbers of consumers with little regulation.
“We’re cautiously optimistic that the unsealed complaint will persuade the court of the serious privacy injuries that Kochava routinely inflicts on consumers,” John Davisson, director of litigation at the Electronic Privacy Information Center, said via email.
Davisson called Kochava’s motion for sanctions a “desperate attempt to conceal the details of its harmful business model and punish the FTC for daring to push back against data brokers.”
Kochava, which is based in Sandpoint, Idaho, did not respond to a request for comment. Its website’s media page did not include a press release addressing the FTC’s claims.
Among the additional information Kochava collects and sells are non-anonymized individual home addresses, phone numbers, email addresses, gender, age, ethnicity, yearly income, “economic stability,” marital status, education level, political affiliation and “interests and behaviors,” compiling and selling dossiers on individuals marketed as offering a “360-degree perspective,” the FTC said.
According to the FTC, this image from Kochava marketing materials sells its ability to connect individual consumers to a variety of “data points” — including their geolocation, email, demographics, devices, households and "channels."
Kochava’s granular geolocation data includes “timestamped latitude and longitude coordinates showing the location of mobile devices over time,” the complaint alleges. The FTC said Kochava packages these coordinates with individual consumers’ mobile advertising IDs enabling companies to monitor a consumer’s mobile activity to send targeted advertisements, providing no anonymity when doing so. “As a result, Kochava’s customers can learn sensitive information about individual consumers who are identifiable without inference or additional steps,” the complaint said.
According to the FTC, Kochava’s data can identify women who visit reproductive clinics by name and address along with, for example, when they visit particular buildings, their names, email and home addresses, number of children, race and app usage.
The geolocation data is collected from a mobile device’s GPS coordinates and even WiFi, the FTC said.
Kochava marketing materials tell customers it offers “rich geo data spanning billions of devices globally” and that its location data feed “delivers raw latitude/longitude data with volumes around 94B+ geo-transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device.”
The company additionally markets a “Database Graph” which it says identifies more than 300 million unique individuals in the U.S. with up to “300 data points that can be tied to those profiles.”
The complaint alleges that as a result Kochava’s Database Graph “encompasses nearly the entire United States, which has a population of 330 million individuals.”
The complaint also alleges that the company has lax procedures for determining who it is selling data to, saying purchasers are allowed to use a generic personal email address, label an alleged company as “self” and explain they plan to use the data for “business.”
Kochava has allegedly approved such requests in the span of a single day “without any additional inquiries or requesting additional information about the purchaser or their intended use,” the complaint said.
Davisson said the court ruling provides an eye-opening look into the largely unregulated data broker industry.
“The unsealed complaint confirms Kochava’s shocking appetite for the most sensitive details of lives and the ways the company uses that data to profile, target, discriminate, and profit,” he said.
“It's no wonder that Kochava wanted to bury it,” he added.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.