FTC files lawsuit against Kochava for harvesting and selling geolocation data

The Federal Trade Commission (FTC) flexed its muscle on August 29, 2022, when it filed a lawsuit against Kochava, Inc., for harvesting, aggregating, collating, and then selling the “precise geolocation data” of millions of individuals in violation of the FTC Act.

FTC complaint: Data allows tracing individuals to and from sensitive locations

The FTC explains that Kochava acquires the location data, which originated from individuals’ mobile devices, from an array of data brokers. Kochava then creates customized data feeds and markets these feeds to commercial clients. Their client’s rationale for paying up to $25,000 per feed, according to the FTC, is to “know where consumers are and what they are doing.” Kochava is “then selling of geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.” The FTC identified “reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities” as the type of locations that could be identified as having been visited by individuals.

The FTC continues in its complaint that Kochava is allowing others, through the sale of the data which tracks people, to “identify and expose them to threats of stigma, stalking, discrimination, job loss, and even physical violence.” The FTC complaint calls for a permanent injunction against Kochava’s sale of the sensitive geolocation data and the deletion of the data it has collected.

It is clear from reading the complaint that Kochava was aware that its data aggregation was creating a direct link between a given location and an identifiable individual as they leveraged the data they acquired from data brokers.

FTC had given a fair warning

The FTC noted in its press release how, the commission was “exploring rules to crack down on harmful commercial surveillance practices that collect, analyze and profit from information about people.” On July 11, 2022, the FTC issued a warning that sensitive categories include information about an individual’s precise location and information about their health. They went on the highlight how the FTC believes that data points acquired from “smartphones, connected cars, wearable fitness trackers, “smart home” products, and the browser you’re reading this on are capable of directly observing or deriving sensitive information.”

In January 2021, Flo Health reached a settlement with the FTC about its sharing of sensitive health information derived from their “Flo Period and Ovulation” app to third parties, including Google and Facebook. Similarly, in September 2021, the FTC tightened breach notification requirements for health apps and connected devices, requiring those who are responsible for health apps to comply with the Health Breach Notification Rule. This notification specifically called out “When a health app … discloses sensitive health information without users’ authorization, this is a ‘breach of security under the Rule.”

How Kochava aggregates and markets sensitive data

It is this latter point that seems to tie up Kochava as its discrete aggregation specific to sensitive locations and the ability to market a consumer’s “precise location.”

The data provided by Kochava to its clients included “timestamped latitude and longitude coordinates for locations associated with the mobile devices.” The FTC noted how the location and time data were then associated with a “Mobile Advertising ID (MAID) which is a unique identifier assigned to a consumer’s device. Kochava, claims that they can “deliver raw latitude/longitude data with volumes around 94B+ geo transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device.”

The FTC was able to acquire a data sample, as of July 2022, from the Kochava AWS depository by merely requesting a copy of the sample from Kochava, which contained information on over 61 million devices. It was only when a purchase was made was the purchaser warned that the data contains “sensitive categories of information.”

Their review of the data showed that it was possible to “identify a mobile device that visited a women’s reproductive health clinic and trace that mobile device to a single-family residence.” The data then revealed that that same device visited a specific location for three evenings in a given week, which the FTC intimated as indicative of tracking the individual’s routine.

Takeaways for CIOs and CISOs

Product leads in conjunction with their CIOs and CISOs should go to school on this lawsuit filed by the FTC and ensure that their product suite obfuscates sensitive data in a manner so as not to be in violation of the FTC Act. The FTC lawsuit, when parsed, effectively provides a useful roadmap for those wishing to avoid the Kochava or Flo Health experience.

• Employ technical means to prohibit customers from identifying consumers or tracking them to sensitive locations. This may include the use of a blacklist that “obfuscates or removes data concerning sensitive locations (medical care, reproductive care, religious worship, mental health, temporary shelters, shelters for the homeless, domestic violence survivors or other at-risk populations, and addiction recovery.”
• If data is collected from the consumer, ensure the consumer is aware of how the data is collected and used. The consumer should not have to wade through 100-page privacy and use the statement to locate the instances where the app their using is “sharing” their data. Additionally, consumers should not be blindsided to learn that their information is being used by third parties with whom they have had no interaction and who are able to track their life’s movements. The key, for product managers, is to ensure that the consumer may take “reasonable steps” to not have their data used in this manner.