FTC Presses To Proceed With Privacy Complaint Against Kochava

Striking back against mobile data broker Kochava, the Federal Trade Commission argues it should be allowed to proceed with a claim that the company engages in an unfair business practice by allegedly selling consumers' precise location data.

Kochava “discloses to third parties data that reveals consumers who are making or have made some of the most sensitive decisions in their lives,” the FTC argues in papers filed with U.S. District Court Judge B Lynn Winmill in Idaho.

“Such disclosures are a 'substantial injury' to consumers’ privacy,” the agency writes, adding that the information “expose consumers to additional injuries, including stigma, discrimination, physical violence, and emotional distress.”

The FTC is urging Winmill to reject Kochava's bid to dismiss a complaint filed in August, when the agency sued Kochava for allegedly selling information about people's precise locations -- including data that could reveal visits to sensitive locales.

The complaint includes allegations that Kochava's data -- which is obtained from other companies -- can be used to identify "consumers who have visited an abortion clinic and, as a result, may have had or contemplated having an abortion," as well as "medical professionals who perform, or assist in the performance, of abortion services.”

The FTC said Kochava sells “timestamped latitude and longitude coordinates showing the location of mobile devices,” as well as mobile advertising IDs -- unique identifiers that persist, unless consumers reset them.

While the mobile advertising identifiers are pseudonymous, the FTC alleged that they can reveal people's actual identities. For example, the FTC said, some data brokers advertise the ability to match mobile identifiers with names and physical addresses. Also, even without that type of matching service, location data in itself can lead to inferences that would identify people, the FTC wrote in the complaint.

The agency is seeking an injunction prohibiting Kochava from engaging in unfair practices.

Earlier this month, Kochava urged Winmill to dismiss the lawsuit, arguing that the agency's allegations, even if proven true, wouldn't show the company had engaged in unfair conduct.

Among other arguments, Kochava contended that practices can only be deemed unfair if they violate an established legal policy, or are harmful or oppressive.

"The complaint contains no mention of an existing law, rule, regulation or policy specifically prohibiting the alleged conduct related to geolocation data,” Kochava wrote.

The FTC counters in its filing that the company's practices “impermissibly injure” people's privacy.

“As the facts alleged in the complaint demonstrate, Kochava’s practices invade consumers’ privacy on a massive scale,” the FTC writes.

“Kochava’s data ... reveals, among other private details, where a consumer seeks medical help, what medical conditions the consumer suffers from (e.g., visits to an oncologist’s office reveal the consumer is seeking treatment for cancer), where the consumer worships and how often, and whether the consumer identifies as LGBTQ+,” the agency writes. “Disclosing such sensitive information, Kochava invades consumers’ privacy and causes substantial injury to them.”

Kochava also argued the FTC lacks grounds for an injunction, given that the company already rolled out a “privacy block” feature that removes known health services locations from its marketplace.

The FTC counters in its recent papers that even if “privacy block” limits some location disclosures, “a permanent injunction would still be warranted.”

“Kochava continues to assert that its conduct is not illegal and has made no assurances that it will stop its misconduct in the future,” the FTC writes.

The FTC brought its complaint against Kochava two weeks after the company sued the FTC, in an attempt to stave off the agency's case.

Kochava claimed in its initial court papers, filed August 12, that it doesn't “uniquely identify users,” but merely links the mobile advertiser identification to “hashed emails and primary IP addresses.”

The company also argued that consumers could have refused to allow their locations to be collected by app developers. 

"The consumer agreed to share its location data with an app developer," Kochava wrote. "As such, the consumer should reasonably expect that this data will contain the consumer’s locations, even locations which the consumer deems is sensitive.”
Next story loading loading..