• by Wendy Davis  @wendyndavis, October 5, 2023

Mobile data broker Kochava must face some claims in a privacy class-action complaint over the alleged sale of location data, a federal judge in Idaho has ruled.

U.S. District Court Judge B. Lynn Winmill -- who previously dismissed the Federal Trade Commission's complaint against the company -- said this week that consumers can proceed with claims that Kochava violated California laws.

Specifically, Winmill ruled that the allegations in the complaint, if proven true, could support a claim that Kochava violated the state's Data Access and Fraud Act, which prohibits anyone from taking or using computer data without permission. He also ruled that the allegations could support a claim that Kochava violated California's unfair competition law.

Winmill dismissed several other claims, but is allowing the plaintiffs to reformulate those counts and bring them again.

Kochava declined to comment on the decision.

The ruling comes in a class-action complaint filed this year by residents of California and Washington state -- Cindy Murphy, Scott Connelly, Jenny Watson and Adrian Ingram -- who alleged Kochava sells people's precise geolocation data along with their mobile ad identifiers (typically alphanumeric strings).

Murphy and the others alleged that precise location data, when combined with mobile ad identifiers, “may be used to track consumers to sensitive locations, including places of religious worship, places that may be used to infer an LGBTQ+ identification, domestic abuse shelters, medical facilities, and welfare and homeless shelters.”

They claimed Kochava, which obtains geolocation data from app developers, violated various statutes in California and Washington.

Their lawsuit -- as well as separate class-actions in Massachusetts and California -- came shortly after the Federal Trade Commission sued Kochava for allegedly engaging in an unfair business practice by selling location data, including information that could reveal visits to sensitive locales like abortion clinics.

Kochava has said that the data it allegedly provides to third parties isn't personally identifiable. The company has also argued that location data doesn't in itself reveal the reasons why someone visited a particular address.

Kochava urged Winmill to dismiss the Idaho consumers' potential class-action at an early stage. Among other arguments, Kochava said the consumers lacked “standing” to proceed in federal court, arguing that their complaint didn't spell out “a concrete and particularized injury to themselves that resulted from the alleged violations.”

Winmill rejected that argument, writing that privacy violations are “the kind of intangible harm that can constitute concrete injury.” (That language came from a 2016 Supreme Court decision allowing people to sue in federal court over harms that are “intangible” but “concrete.”)

Kochava also said the allegations didn't support claims that the company violated California's data-access law, arguing that consumers consented to the collection and use of their data by app developers.

“Plaintiffs ... voluntarily downloaded 'a third party application' on their mobile devices and therefore, if any data was collected by these third party applications, it was because plaintiffs and class members consented to any data collection and failed to opt out of the data collection or disable location tracking settings on their mobile devices,” the company wrote in a motion urging Winmill to dismiss the complaint.

Winmill rejected that argument, essentially ruling that people can agree to share data with an app developer without necessarily consenting to Kochava's alleged use of that data.

He noted in the ruling that U.S. District Court Judge Cynthia Bashant in San Diego, who presides over the California litigation, recently rejected Kochava's bid for a fast dismissal. In that matter, as in Idaho, Kochava argued that the allegations, if true, show consumers consented to the data collection by app developers, and could have opted out of having their data collected.

While Winmill allowed the consumers to move forward with some claims, he previously dismissed the FTC's complaint on the grounds that the allegations, if proven true, wouldn't show Kochava created a “significant risk” of harm to consumers.

The FTC subsequently amended its complaint, and Winmill is still considering whether to allow the agency to proceed with the revised complaint.