A newly unsealed, refiled FTC lawsuit against a location data broker underscores the damage of selling consumers’ location data.
The U.S. District Court for the District of Idaho recently unsealed the Federal Trade Commission (FTC) lawsuit against location data broker Kochava. This news is only the latest in this months-long saga: The FTC originally sued Kochava in August 2022 to stop its sale of, and compel its deletion of, sensitive geolocation data. The court dismissed the lawsuit in May, citing a failure to demonstrate a significant risk of concrete harm, and gave the FTC the opportunity to refile. The FTC submitted a new complaint in June, which is now public.
The case has received considerable attention in the privacy community but less so in the broader policy space. First and foremost, it is a major case against a data broker engaged in compiling geolocation data from consumers’ mobile devices, aggregating and packing the data, linking it to consumers’ identities, and then selling it. The FTC has led years of casework and investigations into the multibillion-dollar data brokerage ecosystem, but it has not previously focused as much on the sale of location data, which continues to explode. This lawsuit exemplifies how companies’ (especially data brokers’) data-gathering practices could constitute unfair trade practices when they violate consumer privacy at such scale and with such obfuscation that it is virtually impossible for consumers to avoid. And the refiled, newly unsealed complaint in particular underscores—amid broader debates about data privacy, security, and U.S. technological and economic competitiveness—the need for U.S. federal privacy laws that substantially empower agencies like the FTC to enforce against harmful uses of Americans’ data.
Several major differences stand out between the FTC’s original complaint and the refiled, now-unsealed complaint: an increased emphasis on the identifiability of the data; specific examples of the data Kochava infers from location data and links to location data for sale; and new information about Kochava’s lack of controls to screen potential customers. These data activities include Kochava offering the ability to identify specific people behind location data points—and selling data on consumers grouped into “Cancer,” “Bereavement,” “Eldercare,” “Special Needs Kids,” “Pregnancy,” “Judaism,” and “Islam,” among others. While the case is still unfolding, the inclusion of this information significantly bolsters the FTC’s complaint against the data broker.
The Refiled Complaint
Both the FTC’s original and amended complaints against Kochava allege that the broker is engaging in unfair business practices in violation of Section 5(a)(1) of the FTC Act, which states that “[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” Yet several major changes to the original complaint stand out in the new document. For example, the FTC places an increased emphasis on the identifiability of the data and the fact that Kochava—despite knocking its competitors for selling precise geolocation data—itself sells precise geolocation data tied to specific individuals. The FTC has added in many specific examples of the additional data points that Kochava infers from people’s locations, such as health conditions and home addresses, and the kinds of data it pairs with location data for sale, including information about gender, ethnicity, race, income, marital status, political affiliation, and education level. And the FTC has included new information about Kochava’s lack of controls to screen potential customers. In some cases, the broker would even accept “business” as a description of a company’s intended use of geolocation data, without asking any more questions.
Companies are prohibited from engaging in unfair or deceptive acts or practices under Section 5 of the FTC Act. In this case, the FTC is arguing that Kochava’s actions are unfair—that is, under the FTC’s definition, the injury is substantial, not outweighed by offsetting benefits to consumers or competition, and not reasonably avoidable by consumers. The FTC makes this unfairness argument with respect to Kochava selling geolocation data. It also makes this argument vis-a-vis Kochava selling other data, such as information about religious practices and health conditions, alongside and on top of the geolocation data.
The first major change in the new complaint is the FTC’s increased emphasis on Kochava selling identifiable location data. In the original complaint from August 2022, the FTC stated that Kochava’s location data is not anonymized and that it is possible to combine geolocation data with other information to identify a mobile device owner. In the newly unsealed document, the FTC elaborates that Kochava sells precise geolocation data—which “includes timestamped latitude and longitude coordinates” over time—and pairs each set of coordinates with a mobile advertising ID (MAID), which is a persistent identifier widely used by data brokers, marketing companies, advertisers, and others to identify and target individual people. If that were not enough to identify a person (which it is), Kochava additionally “sells data that directly links MAIDs to individual consumers’ identifying information, and Kochava expressly encourages its customers to use this data.” Pairing persistent identifiers with other identifying data is clearly a way to attach people’s names to location data points (for example, timestamped longitude-latitude coordinates). The FTC’s point is underscored further by Kochava advertising data points “to connect to and securely solve for identity” and its linking of multiple MAIDs with a single consumer. Kochava’s Collective data marketplace, the company states, “can tie the IDs to a single user by using a match key (e.g., email address, phone number, mobile advertising ID, cookie, addresses, etc.) for one-to-one advertising.”
Any arguments of “anonymization” or “aggregation” in ways that protect privacy are clearly debunked by the company’s own statements, marketing materials, and data offerings.
This is a highly significant point. In part, the legal issues with the FTC’s originally filed complaint stemmed from the use of words like “could” and the court’s desire for the commission to refer to risks, such as “re-identification,” more concretely. “Here, the FTC has not alleged that consumers are suffering or are likely to suffer” harms from third parties buying their location data, the court wrote in its May dismissal of the original filing; “it only alleges that secondary harms are theoretically possible.” While this view makes less sense from a technical perspective—there is a large and ever-growing body of research detailing techniques to “re-identify” data sets to identify specific people (including with location data), and many companies engage in this practice to target consumers—it was the court’s position that the FTC had to address. The court’s mandate also cited the FTC Act, as the May dismissal noted that “Section 5(n) requires the FTC to allege more than a mere possibility of consumer injury. Rather, the defendant’s acts or practices must actually cause or be likely to cause injury.” Articulating that Kochava advertises consumer-identification capabilities to clients helps answer this question.
The second major change in the refiling is new information about the data Kochava infers from location data and links to location data for sale. In the former case, the FTC states that “Kochava’s audience segments target consumers based on places they have visited, including locations associated with ‘Education,’ ‘Gvt Building,’ and ‘Health.’” (Audience segments refer to packages of data about specific groups of consumers, such as avid coffee-drinkers, religious teenagers, or struggling single parents.) Kochava states in one advertisement that it can “find devices that intersect with important events or locations, or seek out devices that spend time in areas targeted by your campaign” and help its customers to “understand voter visitation to home, work, place of business, government buildings, and more.” Health, spending, and other activity can be inferred from this data. So can information such as home address: Kochava states that “we determine a home location by looking at the resting lat/long of a given device between the hours of 10pm and 6am and omit known business locations.” This analysis could even be conducted on entire families, as Kochava advertises a “Household Mapping” use case where customers could “group devices by dwelling time and frequency at shared locations to map individual devices to households.” The company states that it has already identified “180M+ unique monthly households” with email addresses, phone numbers, and MAIDs, among others.
Once again, the FTC is careful to describe how the data identifies people’s sensitive information in practice. The household mapping use case is one example. Additionally, based on just a sample of Kochava’s data, the FTC:
“identified a mobile device that visited a women’s reproductive health clinic and traced that mobile device to a single-family residence. The data set also reveals that the same mobile device was at a particular location at least three evenings in the same week, suggesting the mobile device user’s routine.”
“identified … mobile devices that were located at Jewish, Christian, Islamic, and other religious denominations’ places of worship.”
“identified … a mobile device that appears to have spent the night at a temporary shelter whose mission is to provide residence for at-risk, pregnant young women or new mothers.”
Much like in the previously discussed examples, none of these actions is technologically novel. But specifically articulating them to the court provides important detail for the FTC’s legal arguments. It also answers the court’s desire for specific instances of location identifiability.
In the latter case—other data that can be paired with location data—the FTC explains that Kochava sells a wide range of non-geolocation data about consumers, linkable to MAIDs (which are also tied to location data). For instance, Kochava sells an “Expecting Parents” audience segment based on consumers’ use of pregnancy and fertility tracking apps. The broker also allows customers to divide audiences by demographic data points such as gender and ethnicity; and characteristics such as “Reproductive Health,” “Cancer,” “Women’s Health,” “Divorce,” “Bereavement,” “Eldercare,” “Adoption and Fostering,” “Special Needs Kids,” “Sexual Conditions,” “Pregnancy,” “Vaccines,” “Judaism,” and “Islam.” It sells a “New Parents/Expecting” audience segment described as people “attending Lamaze, birthing, breastfeeding, new parent support groups, etc. events.” It sells a “Likely Republican Voter” audience segment described as people visiting “Republican focused political events and events and venues affiliated with conservative topics.” It sells data about people using LGBTQ+ dating apps, apps for different religions, and apps that provide health information, including about sexually transmitted infections and cancer. The data available for purchase includes apps’ names, the dates and times of their usage, and users’ in-app activity and spending.
All of this data collection and sale is extremely invasive, in no small part because consumers have no reasonable way of knowing and understanding that mobile apps and other entities are selling their geolocations to Kochava. The invasiveness of this practice—tracking and targeting Americans based on visits to health clinics, political venues, and much more—also substantially bolsters the FTC’s argument that this is an unfair trade practice where injury is substantial and not outweighed by benefits to consumers or competition.
The third major change in the refiling is information about Kochava’s lack of controls to screen potential customers for its data. If a buyer pulled up one of Kochava’s data listings online, the FTC said, they would have to fill in a form asking for “the purchaser’s company name, name of the purchaser, email address, and intended use case.” In practice, the complaint continues:
A purchaser could use an ordinary personal email address, identify the company as ‘self,’ and describe the intended use simply as ‘business.’ The request would then be sent to Kochava for approval. Kochava has approved such requests in as little as 24 hours without any additional inquiries or requesting additional information about the purchaser or their intended use.
After Kochava approved the request, “the purchaser was notified by email and then gained unfettered access to the data, along with a data dictionary explaining the categories of data provided.” This is new information compared to the first complaint filed in August 2022. It is also concerning information in the context of alleging unfair business practices. Corporate controls are not an adequate replacement for regulation—they are a supplement to it—but Kochava’s lack of know-your-customer and other controls on its data sales undermines the narrative that the company is somehow responsibly engaged in selling consumers’ location data. (Such a narrative also assumes that a third-party company selling location data about people is not itself invasive and irresponsible.) A lack of strong data broker controls in other areas, on top of weak or virtually nonexistent regulation, has also exacerbated the risks to individuals and society. People search data brokers have, for decades, sold home addresses and other information to stalkers and abusive individuals without bothering to significantly change business practices. In a recent study, my Duke University team was able to purchase sensitive, nonpublic, individually identified data about U.S. military service members from data brokers with almost no vetting. In this case, Kochava’s failure to rigorously screen potential customers substantiates the argument that there is a considerable risk of significant injury to consumers.
While it doesn’t fit neatly into the above three categories—data identifiability, inferred and other data, and lack of controls—the FTC also, importantly, expounds on the exact scale of Kochava’s data collection. Kochava says that its “Database Graph” of consumer profiles identifies “over 300M unique individuals in the US” with up to “300 data points” linkable to each profile. The scale of data collection puts Kochava up there with some of the larger data brokers in the United States that also routinely collect and sell data on hundreds of millions of Americans. It also has troubling implications for any demographic subgroup: Kochava’s “Expecting Parents” audience segment, at one point, had data on at least 11.4 million MAIDs. Millions of pregnant people have their privacy at risk, an even more perilous reality following the overturning of Roe v. Wade. For the case itself, these facts speak to a core component of the FTC’s unfairness test—specifically the prong stating that consumers “could not reasonably have avoided” injury. Location data brokers that gather data from numerous sources about millions of people make it virtually impossible for consumers to avoid having their geolocation data compiled, sold, and exploited.
Well, Now What?
The lawsuit is ongoing, and the coming months could yield an important decision for the FTC and those interested more broadly in how existing federal privacy regulations can apply to the practice of companies brokering consumers’ data. Modifying the original, August 2022 complaint in June to include more information about the identifiability of Kochava’s data, the data Kochava infers and sells, and its lack of customer vetting has significantly bolstered the FTC’s argument that Kochava is engaged in unfair business practices. It also speaks directly to the request made by the judge when the initial complaint was dismissed, with the opportunity to refile, to focus more on specific examples and instances of harm. Demonstrating, for instance, that Kochava explicitly advertises the capability to link location data points to specific individuals does just that.
Looking forward, the law has a long way to go in catching up to the computer science, statistics, and other technical literature on data identifiability and “reidentification.” Steps such as removing names from data sets were never particularly strong privacy measures to begin with, and that is especially the case in today’s data context, with numerous commercially available and large-scale data sets and growing statistical techniques and artificial intelligence technologies to combine and infer data points. Location data is particularly susceptible to reidentification attacks and identity linkage because it corresponds to people’s physical movements—which are typically unique when it comes to combinations of home, work, and other commonly visited locations. The FTC’s case could set an important precedent for emphasizing location data identifiability issues in court. Yet it also speaks to the need for the U.S. legal system to adapt to the reality of today’s data compilation, packaging, brokerage, and identification ecosystem.
– Justin Sherman is a contributing editor at Lawfare. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; a senior fellow at Duke University’s Sanford School of Public Policy, where he runs its research project on data brokerage; and a nonresident fellow at the Atlantic Council.