A Federal Trade Commission (“FTC”) complaint against data broker Kochava unsealed and published in early November reveals shocking new information about the company’s handling of extremely sensitive personal information pertaining to hundreds of millions of people in the United States. Among the explosive revelations: according to the FTC, Kochava maintains a dossier on virtually every living American adult.
The complaint is the latest government filing in litigation the FTC initiated against the Idaho-based data broker in August 2022, alleging that the company violated the FTC Act because it engaged in unfair or deceptive acts or practices surrounding the collection, use, and disclosure of personal information. Since then, Kochava filed and won a motion to dismiss the lawsuit. While the court agreed that the FTC’s theories of consumer injury were legally plausible, it held that the factual allegations in the original complaint were insufficient. But instead of dismissing the case entirely, the court gave the federal agency 30 days to file an amended complaint. The FTC filed its amended complaint in June 2023, providing more details about the company’s operations and resulting privacy harms.
Among other disturbing revelations, the complaint describes in detail how the FTC obtained a free sample of cellphone location data from Kochava, and how FTC analysts were able to use that information to track someone who visited an abortion clinic back to their home.
The FTC case against Kochava focuses on the following key aspects of the company’s operations and the harm they cause to consumers:
- Surveillance and tracking of people seeking health care: In a significant part of the amended complaint, the FTC reveals that location data sold by Kochava can be used to identify consumers who have visited abortion clinics. In one instance, Kochava’s data traced the same mobile device to a reproductive health clinic and then to a single-family residence.
- Location data collection, use, and sale: The FTC’s allegations against Kochava center on the company’s acquisition, use, and sale of “precise geolocation information.” Kochava does not interact directly with individual consumers but acquires consumers’ precise geolocation data from other companies, such as app developers. This geolocation data, which can pinpoint a consumer’s location to less than 10 meters, includes data that tracks consumers’ movements for at least the past year and is updated regularly. The FTC emphasizes that Kochava’s location data allows any purchaser to track people visiting sensitive locations associated with medical care, reproductive health, religious worship, mental health, shelters for at-risk populations, and addiction recovery. Indeed, the FTC itself obtained a sample of Kochava’s location data and used it to do just that.
- Collection, categorization, and sale of personal data: As a data broker, Kochava collects, categorizes, and sells the personal data of a staggering 300 million individuals across the country. These data include names, addresses, phone numbers, email addresses, gender, age, location data, ethnicity, yearly income, “economic stability,” marital status, education level, political affiliation, “app affinity” (i.e., what apps consumers have installed on their phones), app usage, and “interests and behaviors.” Kochava does not collect this information directly from consumers, but rather purchases it from other companies and repackages it for resale to other companies.
- Substantial injuries to consumers: By using and disclosing personal information, particularly precise geolocation information, Kochava injures individuals. The FTC argues that the level of detail of the personal information collected not only invades consumers’ privacy, exposing aspects of a consumer’s life that are private and sensitive, but also opens them up to suffer from stigma, discrimination, physical violence, emotional distress, and other harms. Kochava offers location data that directly identifies or is easily linkable to individual consumers, and the company doesn’t even hide it. On the contrary, the company actively markets these capabilities, enticing customers with Kochava’s products’ ability to link geolocation data with individuals. This includes revealing consumers’ real names, addresses, email addresses, phone numbers, and sensitive information, such as gender, marital status, and age. The FTC observes that this linking of detailed location information with personal information identifying cellphone users is a critical aspect of Kochava’s commercial practices. The FTC alleges that Kochava sells location data directly linking MAIDs—Mobile Advertising IDs, numbers assigned by a mobile device’s operating system—to individual consumers and expressly encourages customers to use these data. This is how Kochava’s customers can learn where identified individuals have been without other inferences or investigative steps. (Importantly, the FTC reminds the court that even if Kochava did not link MAIDs to information like names or addresses, when MAIDs are combined with precise geolocation in Kochava’s data feeds, these location records would nonetheless allow a purchaser to put names to those data.)
Fighting Back in Massachusetts
As the FTC’s litigation continues, we can’t rely on federal agencies to police every privacy violation under the sun. That’s why the ACLU has joined with reproductive justice partners Reproductive Equity Now and Planned Parenthood, as well as a coalition of other groups, to fight for legislation to protect all people in Massachusetts from this shady industry. The Location Shield Act, filed by Representative Lipper-Garabedian in the House and Senator Creem in the Senate, would stop the sale of cellphone location information, ensuring it never ends up in a database like Kochava’s.
The core provision of the Location Shield Act is an outright prohibition of the sale, lease, or trade of cellphone location data pertaining to people physically present within the state of Massachusetts. The bill protects our privacy and personal autonomy. Its provisions would help ensure that individuals visiting sensitive locations such as those associated with medical care, reproductive health, religious worship, addiction recovery, and more are not unwittingly tracked, or their data sold to harm them.
Importantly, the Location Shield Act doesn’t propose a blanket ban on all collection or use of location data. It allows companies to collect and process this data for legitimate purposes, such as providing mapping services or weather forecasts, but only with privacy-preserving data minimization and consent provisions in place. The legislation therefore strikes a balance between protecting privacy and enabling the beneficial uses of location data.
The FTC’s action against Kochava is a step in the right direction and should be applauded. But we can’t rely on federal agencies to police privacy violations after the fact. If we want to live in a free and open society, we must pass laws that recognize privacy as a fundamental right supporting our other basic rights: freedom to access health care, to worship our religion, and to be safe in our communities. It’s time to pass the Location Shield Act to make Massachusetts a global privacy leader. Take action now to join the movement.