FTC sues data broker over privacy concerns

The Federal Trade Commission is suing Idaho-based data broker Kochava for selling the geolocation data of hundreds of millions of mobile devices that could be used to track the physical location of consumers, including to and from sensitive areas like reproductive health clinics, churches and addiction recovery facilities.

The lawsuit, filed Monday, alleges Kochava failed to add basic privacy protections to the location data it collected, much of it without users’ knowledge.

Kochava called the lawsuit “frivolous” and said the FTC was operating under a “fundamental misunderstanding” of its data marketplace business and other data businesses.

The Supreme Court in June overturned the constitutional right to an abortion in its decision in Dobbs v. Jackson Women’s Health Organization. In the wake of that ruling, concerns have mounted that consumer data could be used to prosecute those who receive abortions, especially given that digital records like text messages, browser histories and emails have been used to prosecute pregnancy-related criminal charges in the past.

The FTC said in July it would crack down on medical and location data sharing, following an executive order from President Joe Biden calling on the agency to help protect the privacy of people seeking abortions. That includes heightened scrutiny of mobile data brokers that collect and resell data from consumer’s smartphones — including Kochava, which has now found itself in the crosshairs of the FTC.

In a statement provided to Healthcare Dive, Kochava General Manager Brian Cox said the company has been in talks with the government for weeks over its data collection practices, and recently announced it was building a function to remove geolocation data from sensitive locations from its marketplace.

However, the FTC’s lawsuit is looking to stop Kochava’s sale of sensitive geolocation information and require Kochava to delete the information it has already collected.

The FTC alleges that Kochava buys huge amounts of location data from other brokers that it then packages into customized data to sell to clients, including companies looking for assistance in advertising or help analyzing foot traffic to their stores.

The Kochava data reviewed by the FTC included precise and timestamped location data collected from more than 61 million mobile devices in one week, according to the lawsuit. The data is highly specific, including latitude and longitude coordinates showing the precise location of mobile devices and other information like IP address and device type.

The scope of the data Kochava handles is immense. The lawsuit says Kochava offers clients “raw latitude/longitude data with volumes around 94B+ geo transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device.”

The app analytics firm didn’t adequately protect this data from public exposure, according to the FTC. Until at least June, anyone could obtain a large sample of sensitive data with “little effort… and use it without restriction,” the agency said in a release on the suit.

Kochava offers a free trial for its services, with “minimal steps and no restrictions on usage” — despite its services typically costing thousands of dollars, the government said. That sample allowed the FTC to identify a user who visited a reproductive health clinic, then link it to a home address that would likely pinpoint the user’s identity.

The data could also be used to identify medical professionals who perform abortions, according to the FTC.

The Biden administration has been leaning on multiple levers to try and protect access to abortion in states that have restricted or plan to restrict access to the procedure. Earlier this month, the FTC said it was exploring new rules that would enact stricter protections for Americans’ data privacy by cracking down on businesses that collect and sell consumer data.

Such businesses are also facing a congressional investigation. In July, the House Oversight Committee began investigating how the business practices of reproductive health apps and data brokers could potentially weaponize consumer’s private information following the fall of Roe v. Wade.

A number of data brokers and tech companies have announced plans to stop selling access to geolocation data around reproductive health clinics or other sensitive areas.

Following pressure, data brokers SafeGraph and Placer.ai committed to stop the practice, while Google pledged to automatically delete location data showing whether consumers visited an abortion clinic. Healthcare Dive