• by Wendy Davis  @wendyndavis, July 31, 2023

Mobile data broker Kochava must face a privacy lawsuit over the alleged sale of people's location data, a federal judge has ruled.

In a decision issued last week, U.S. District Court Judge Cynthia Bashant in San Diego ruled that if the allegations in the class-action complaint against Kochava were proven true, they could support a claim that its data practices “amount to an egregious breach of social norms.”

While Bashant dismissed some of the counts in the complaint, she said Kochava must face others -- including a claim that the company violated the the right to privacy as enshrined in California's constitution.

The ruling comes in a class-action complaint filed by David Greenley last year, shortly after the Federal Trade Commission claimed the company engaged in an unfair business practice by allegedly selling location data -- including information that could reveal visits to sensitive locales like abortion clinics. Kochava allegedly obtained the data from app developers.

Kochava has said it collects latitude and longitude, IP addresses and mobile advertising identifiers (pseudonymous alphanumeric strings), but doesn't identify the consumer associated with the identifier.

But Greenley, as well as the FTC, alleged that geolocation data, when combined with mobile advertising identifiers, can be enough to identify individuals.

The FTC said in its complaint against Kochava that data brokers sometimes advertise the ability to match mobile identifiers with names and physical addresses. Even without that type of service, location data alone can be used to identify people, according to the FTC. For example, a mobile device is typically located at the owner's home address overnight, the FTC alleged.

A federal judge in Idaho dismissed the FTC's complaint earlier this year, but allowed the agency to reformulate its allegations and bring them again. The FTC did so last month, but the amended complaint isn't yet available to the public.

Kochava urged Bashant to dismiss the California lawsuit at an early stage as well. Among other arguments, Kochava said the allegations, if true, show that consumers both consented to the data collection by app developers, and could have opted out of having their data collected.

Bashant rejected that argument, at least for now.

“Even if the court accepts that plaintiff consented to a third-party app developer collecting his data and that he could have contacted defendant to request the deletion of his data, defendant’s argument is still deficient,” Bashant wrote.

“Even if plaintiff gave full consent to third-party app developers to collect his data, consent to that specific conduct does not extend to defendant’s collection of plaintiff’s data through backdoors built into apps or to defendant’s dissemination of that information for profit,” Bashant added. “Likewise, the failure to opt-out does not demonstrate consent, particularly when users are unaware of the data collection practices.”

She also rejected -- for now -- Kochava's argument that the allegations, if proven true, wouldn't show the kind of serious privacy violation that would violate the state's constitution.

Instead, she ruled, questions about the seriousness of the alleged privacy violation should be resolved based on evidence that would come out at trial, or through depositions or other evidence.

“Intrusions on privacy exist on a spectrum,” she wrote. “ For this reason, courts hesitate to decide the issue at the pleadings stage.”

Greenley isn't the only one suing Kochava. The company also has been hit with class-action complaints in Idaho and Massachusetts. Those matters are still pending.