On August 29, 2022, the Federal Trade Commission (“FTC”) filed a lawsuit against Kochava, Inc. (“Kochava”), alleging the data broker sold the geolocation of “hundreds of million mobile devices” that could be used to “trace the movements of individuals to and from sensitive locations.” Below is a summary of Kochava’s initial lawsuit against the FTC, the agency’s subsequent action against Kochava, and some principal takeaways.

Background

Earlier this month, Kochava filed its own lawsuit against the FTC, stating that the agency was wrongfully threatening to sue for Kochava’s marketing geolocation data. In its complaint, Kochava alleged the FTC’s proposed suit reflected a “lack of understanding of Kochava’s services.” Kochava argued that it did not “uniquely identify consumers” but rather collected their Mobile Advertising Identifier information and linked it to hashed emails and primary IP addresses. It also claimed that, despite receiving specific longitude and latitude, a consumer’s IP address, and their advertising ID, it did not receive the information “until days after” rather than immediately. The company highlighted that information is only collected once a consumer agrees to share its location data with an app developer, and that such consent can be revoked by opting-out of such collection.

The FTC’s inquiry into Kochava’s data collection focuses on the identification of individuals at “sensitive locations, such as therapists’ offices, addiction recovery centers, medical facilities, and women’s reproductive health clinics.” Sensitive geolocation data is under particular scrutiny in light of the Supreme Court’s decision to overturn Roe v. Wade, as such data could expose consumers to legal liability should information regarding their visits to reproductive health clinics be revealed. It could also be used to identify the providers of such services, likewise exposing them to legal liability or personal harm. The protection of such data was the subject of a recent Presidential executive order which directed the FTC to “consider taking steps to protect consumers’ privacy when seeking information about and provision of reproductive health care services.”

FTC Lawsuit

Despite Kochava’s allegations that the FTC was mistaken in characterizing the data as being capable of identifying individuals and tracking them to specific locations, the FTC’s lawsuit outlines how Kochava’s data, coupled with publicly available map data, could allow the identification of individuals who had visited sensitive locations. And, because the geolocation data was time stamped, according to the FTC, it was possible to determine the exact time an individual had visited such a clinic. The same is true of other sensitive areas such as addiction recovery centers, places of worship, and shelters for the homeless or domestic violence survivors.

The FTC alleges that the dataset could allow the identification of someone’s home. For example, the location of a mobile device at night (which could be gleaned through the location’s timestamp) would likely respond to the consumer’s home address. Public records could then be used to identify the owner or resident of the address. In fact, “household mapping” was a use case suggested by Kochava itself.

According to the complaint, Kochava also failed to place any technical controls or use restrictions such as a  blacklist that removes data set location signals around sensitive locations or set any limits on the use of its data.

Although Kochava argued in its own lawsuit that consumers were aware of the tracking of their location, the FTC stated that consumers are not aware of who collects their data or how it is used. Consumers, according to the FTC, do not “typically know how or understand that the information collected about them can be used to track and map their past movements and that inferences about them and their behaviors will be drawn from this information” and are therefore unable to take steps to avoid such tracking.

Takeaways

  • “Sensitive Information” Is An Area of Significant Scrutiny

Earlier this month, we saw the FTC issue an Advanced Notice of Proposed Rulemaking where it posed questions regarding regulations and limits around sensitive data or data about protected categories. The statements from the Commissioners also highlighted the proliferation of sensitive data collection, stating that the “modes by which sensitive information can be discovered, derived, and disclosed have only grown in number and complexity.”

The American Data Privacy and Protection Act, the first federal privacy bill to garner bipartisan support, also focuses on sensitive information. For example, the draft legislation bans targeted advertising based on “sensitive data,” including health information and precise geolocation.

  • Companies Are Testing The Limits of FTC Power

In its earlier lawsuit against the FTC, Kochava argued that FTC was “attempting to create . . . law that only the legislative power of Congress could adopt” rather than prescribing administrative rules. Citing Axon Enterprise, Inc. v. Federal Trade Commission, a case set for argument at the Supreme Court later this year, Kochava questions whether “the FTC’s structure violates Article II of the Constitution” and “whether Kochava’s due process rights would be violated” through the administrative action process. 

With the FTC’s increased focus on consumer privacy, and the general resistance from the current Court to uphold federal agency power, it is likely we will continue to see pushback against agency regulation from companies in the coming months.