by Shoba Pillay, Madeleine V. Findley, Ann M. O’Leary, Anne Cortina Perry, Dawn L. Smalls, Alison Stein, and Philip B. Sailer
The Federal Trade Commission (FTC) recently filed a complaint against a data broker alleging that the collection and sale of precise location data significantly harms consumers, especially if the data contains information regarding travel to and from specific sensitive locations, such as reproductive healthcare clinics. The outcome of the case could have a substantial impact on the FTC’s authority to enforce consumer protection laws and will likely inform how companies handle consumer data to which they have access. The FTC’s complaint follows guidance the Biden administration issued to federal agencies, including the FTC, to take actions to protect consumers’ privacy in connection with reproductive healthcare services after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization (“Dobbs”)[1]. The outcome of the case could have a substantial impact on the sale and collection of consumer location data and the FTC’s authority to enforce consumer privacy protections.
The FTC and Dobbs
The Dobbs decision and its impact have significantly increased the Biden administration’s regulatory focus on and public awareness of the ways in which precise geolocation data may be used to identify and track consumers in all aspects of their lives, including patients and healthcare providers at reproductive healthcare locations. In July, after the Supreme Court issued its opinion in Dobbs, the FTC published a post on its website warning that the potential intrusions on consumers’ privacy because of this ruling were not merely a figment of a “dystopian fiction.” Rather, according to the FTC, consumers needed to understand the “unprecedented intrusion” that could result from the collection and monetization of their data. In its blog post, the FTC identified the specific harms caused by, “products that track women’s periods, monitor their fertility, oversee their contraceptive use, or even target women considering abortion,” including “discrimination, stigma, and mental anguish,” and the significant impact the intrusion could have on “personal reproductive matters.” The agency underscored its commitment to protecting consumers’ location, health, and other “highly sensitive data” from illegal use and sharing.[2]
FTC Complaint Against Kochava
On August 29, 2022, the FTC filed a complaint[3] against data broker Kochava Inc. (“Kochava”) in a federal district court in Idaho, alleging that Kochava collected, packaged, and sold sensitive consumer data, including, “geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations” in violation of Section 5(a) of the FTC Act, which prohibits companies from engaging in unfair or deceptive business practices.[4] The FTC is seeking an injunction against Kochava and a requirement that it delete consumers’ sensitive location data, including information associated with travel to or from reproductive healthcare clinics, and prohibiting the collection and sale of similar data in the future.
Kochava is a data broker that purchases large volumes of precise geolocation data derived from consumers’ mobile devices. It packages this data into feeds that provide the information to advertisers so these firms can better optimize the services they provide to their own customers. According to its website, Kochava is the “industry leader for mobile app attribution and mobile app analytics.”
According to the complaint, Kochava advertises that its data-rich feed contains “raw latitude/longitude data” from almost 100 billion geotransactions per month, 125 million monthly consumers, and more than 90 daily transactions per device. In September 2016, Kochava began making a data sample publicly available for free on its platform and required only minimal registration information from a user before permitting a download. The free data sample contained information from over 61 million unique mobile devices, including information flagged as “sensitive,” at no cost. According to the FTC’s complaint, as of June 2022, Kochava no longer offers a free version of its services.[5]
Specifically, the complaint alleges that Kochava collects consumer data, including precise geolocation data linked to a consumer device’s Mobile Advertising ID (MAID). The MAID is a unique identifier assigned in a mobile device and allows marketers to use targeted ads to advertise to specific consumers based on data Kochava collects and sells.[6] The complaint alleges that it is possible to use geolocation data that is associated with the device’s identifier to identify the device owner. In fact, the complaint states that other data brokers advertise services that do just that. Even without such services, precise geolocation data showing a device’s presence in a particular location at regular daily or nightly intervals may identify a consumer’s work and home addresses, and this information may be used to identify the consumer’s name.
The FTC alleges that as a result, Kochava and its customers can “track the consumers’ movements to and from sensitive locations, including, among others, locations associated with medical care, reproductive health, religious worship, mental health, temporary shelters, such as shelters for the homeless, domestic violence survivors, or other at-risk populations, and addiction recovery.” The FTC also alleges Kochava failed to incorporate protections into its platform that would safeguard the consumers’ geolocation data, identity, and privacy, such as providing less precise location data, removing timestamps, and proactively notifying users when their data is collected and/or sold.
Without incorporating necessary protections for consumers’ most sensitive data, the FTC alleges, Kochava’s business practices represent an “unwarranted intrusion into the most private areas of consumers’ lives and cause[] or is likely to cause substantial injury to consumers,” including “stigma, discrimination, physical violence, emotional distress, and other harms.”
FTC’s Authority Challenged
The FTC’s complaint comes after the company filed a preemptive suit[7] against the FTC alleging that the agency’s request for injunctive relief would violate the company’s constitutional due process rights. In its suit, Kochava alleges that the FTC is only authorized to seek injunctive relief for ongoing or potential unlawful conduct, not for past conduct that is unlikely to recur, and argues the agency lacks authority to require disgorgement remedies. In August, Kochava announced a “Privacy Block,” an update that is intended to remove consumer health service location data from its platform. The company also argued that the FTC’s investigation has not identified “any rule or statement with legal force and effect describing the specific geolocation data practices” the FTC is attempting to enforce, and that Kochava will be harmed by proceedings that could take “years” and “render[] any post hoc review of any administrative decision, if any at all, meaningless.”
A key legal question in the FTC’s case against Kochava will be scope of the agency’s enforcement authority under the FTC Act, which the Supreme Court limited in AMG Capital Management, LLC v. FTC, decided in 2021.[8] Other companies have similarly challenged the FTC’s investigative process and authority, including in a case currently pending at the Supreme Court between the FTC and a payday loan servicing company that allegedly violated the FTC Act by charging borrowers excessively high interest rates.[9] The Supreme Court will soon hear arguments over whether companies that are being investigated by the FTC can challenge the validity of the FTC’s actions before the completion of the agency’s internal administrative procedures. Whether the Supreme Court allows early judicial intervention during the agency’s investigations could have a substantial impact on Kochava’s ability to head-off FTC enforcement.
***
The FTC’s complaint reflects its increasing focus on privacy and security of consumer data, particularly consumer health data, in recent years.[10] Recently, as we discussed in a prior client alert, the FTC voted to publish a wide-ranging Advanced Notice of Proposed Rulemaking on consumer data collection and data security.[11] The outcome of the FTC’s case against Kochava will likely provide further valuable insight into the FTC’s regulatory approach to enforcing consumer privacy protections and how further enforcement could impact the collection and sale of consumer location data moving forward.
Footnotes
[1] Exec. Order No. 14076, 87 F.R. 133 (2022), https://www.govinfo.gov/content/pkg/FR-2022-07-13/pdf/2022-15138.pdf.
[2] Kristin Cohen, Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data, FEDERAL TRADE COMMISSION BUSINESS BLOG (July 11, 2022), https://www.ftc.gov/business-guidance/blog/2022/07/location-health-other-sensitive-information-ftc-committed-fullyenforcing-law-against-illegal-use.
[3] Complaint, F.T.C. v. Kochava, Inc., No. 2:22-cv-00377-DCN (D. Idaho Aug. 29, 2022), ECF 1, https://www.ftc.gov/system/files/ftc_gov/pdf/1. Complaint.pdf.
[4] Press Release, FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of Worship, and Other Sensitive Locations, FEDERAL TRADE COMMISSION (August 29, 2022), https://www.ftc.gov/newsevents/news/press-releases/2022/08/ftc-sues-kochava-selling-data-tracks-people-reproductive-health-clinics-placesworship-other. See also The Federal Trade Commission Act §5, 15 U.S.C. § 45(a).
[5] Complaint at ¶ 13, F.T.C. v. Kochava, Inc., No. 2:22-cv-00377-DCN (D. Idaho Aug. 29, 2022), ECF 1, https://www.ftc.gov/system/files/ftc_gov/pdf/1. Complaint.pdf.
[6] Complaint at ¶ 10, F.T.C. v. Kochava, Inc., No. 2:22-cv-00377-DCN (D. Idaho Aug. 29, 2022), ECF 1, https://www.ftc.gov/system/files/ftc_gov/pdf/1. Complaint.pdf.
[7] Complaint, Kochava Inc. v. F.T.C., No. 2:22-cv-00349-BLW (D. Idaho August 12, 2022), ECF 1.
[8] AMG Cap. Mgmt., LLC v. F.T.C., 141 S. Ct. 1341 (2021).
[9] See e.g., Axon Enter., Inc. v. F.T.C., 986 F.3d 1173 (9th Cir. 2021), cert. granted in part, 142 S. Ct. 895 (2022).
[10] See, e.g., Flo Health Inc., 86 F.R. 7382 (F.T.C. June 17, 2021). https://www.ftc.gov/system/files/documents/cases/192_3133_flo_health_decision_and_order.pdf (settling company for targeted advertising, despite promising to keep users’ data private).
[11] Trade Regulation Rule on Commercial Surveillance and Data Security
Shoba Pillay, Madeleine V. Findley, Ann M. O’Leary, Anne Cortina Perry, Dawn L. Smalls, Alison Stein are partners, and Philip B. Sailer is an associate, at Jenner & Block.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statement made on this site and will not be liable for any errors, omissions or representations. The copyright for this content belongs to the author(s) and any liability with regard to infringement of intellectual property rights remains with the author(s).