On November 3, a federal court in the District of Idaho unsealed an amended complaint that the Federal Trade Commission (FTC) had filed in June 2023 against Kochava. The complaint alleges that Kochava engaged in unfair acts or practices in violation of Section 5 of the FTC Act by collecting and using vast amounts of sensitive consumer personal information — including, for example, precise geolocation data and app browsing activity — and selling that information to its own customers, all without the knowledge or consent of consumers.
The unsealing of this amended complaint is the latest step in litigation that began with the FTC’s filing of an initial complaint against Kochava in August 2022. In May 2023, the court granted Kochava’s motion to dismiss, finding that the FTC had failed to adequately allege “a likelihood of substantial consumer injury,” and therefore failed to state a claim under Section 5. The court, however, also granted the FTC leave to amend its complaint. The FTC promptly filed its amended complaint in June 2023. The next month, Kochava filed a motion to dismiss this amended complaint. That motion remains pending before the court.
The fact that this complaint was filed against Kochava is consistent with recent federal and state efforts to more effectively regulate the activities of data brokers. Viewed in this light, the Kochava complaint serves as a convincing sign that data brokers should expect heightened regulatory and legislative scrutiny in the near term. However, the Kochava complaint’s relevance should not be cabined to data brokers. Rather, as we have noted in other contexts, the FTC’s willingness to adopt a broad view of what constitutes an “unfair” act or practice under Section 5 — to include data practices that violate consumer privacy — means that all companies that handle consumer personal information should pay close attention to whether their data practices are sufficiently protective of consumers (and align with the FTC’s evolving standards).
In this post, we summarize key elements of the FTC’s complaint against Kochava and highlight notable takeaways for companies seeking to understand how this enforcement action should inform their privacy compliance efforts.
Kochava is an Idaho-based data broker that, like most data brokers, collects and analyzes consumer personal information and sells that information to its own customers, who can then use this information for their own purposes. What makes Kochava unique, the FTC alleges, is the breadth and sensitivity of the personal information that the company collects and sells, coupled with the company’s failure to incorporate consumer consent, data anonymization, and distribution controls into its data practices.
Specifically, the complaint alleges the following:
- Vast Collection of Sensitive Personal Information. Much of the complaint focuses on the sheer breadth of the personal information collected by Kochava. The complaint describes, for example, Kochava’s use of precise geolocation data, which it collects from other data brokers. Here, the complaint notes that the location data collected by Kochava “includes timestamped latitude and longitude coordinates showing the location of [consumers’] mobile devices over time.” These location histories can stretch back more than a year and reveal consumers’ travels to various sensitive locations (e.g., locations associated with reproductive health or religious worship). The personal information collected by Kochava, however, is not limited to location data. Indeed, the complaint highlights the range of other sensitive and identifying information that the company collects about consumers, including “names, MAIDs [Mobile Advertising IDs], addresses, phone numbers, email addresses, gender, age, ethnicity, yearly income, ‘economic stability,’ marital status, education level, political affiliation, ‘app affinity’ …, app usage, and ‘interests and behaviors.’” Kochava, moreover, both amasses raw data points about consumers and uses those data points to generate analytical products, such as “audience segments” that Kochava customers can use to “identify and target consumers based on identified sensitive and personal interests or characteristics” (such as “Expecting Parents”).
- Lack of Data Anonymization. The complaint goes on to assert that the consumer data collected by Kochava is not anonymized. In many cases, Kochava’s data is tied to a consumer’s Mobile Advertising ID (MAID), an identifier “assigned by a mobile device’s operating system to allow companies to track a consumer’s mobile activity and … send targeted advertisements.” MAIDs, the complaint observes, are “regularly link[ed]” by many businesses to other identifying information about a given consumer, such as their name or address. Moreover, the complaint argues that, even if MAIDs were not directly linked to a consumer’s identifying information, consumer identities could still be revealed through the linkage of MAIDs to other, seemingly “anonymized” data. For example, MAIDs linked with a collection of precise geolocation data could reveal a consumer’s identity by indicating the consumer’s likely home address (based on the location where an individual associated with a particular MAID typically spends their evening hours).
- Lack of Consumer Consent. The complaint also highlights the lack of meaningful consumer consent for Kochava’s collection and use of consumer data, arguing that “consumers do not know that Kochava has collected their information or is disclosing it to third parties.” This reflects a broader problem with the modern data collection ecosystem, the FTC argues, asserting that “once information is collected about consumers from their mobile devices or other sources, the information can be … provided multiple times to companies that consumers have never heard of and never interacted with.”
- Insufficient Data Safeguards. The complaint criticizes Kochava for allegedly failing to adequately control access to the consumer data that it collected. In making this argument, the complaint takes particular aim at the “Kochava Data Sample,” a dataset that the company made available for free via an online marketplace until around June 2022. In particular, the complaint notes that essentially anyone could gain access to this data — an individual only needed to sign up for a free account with the online marketplace, then could obtain the Data Sample by filling out a short form that asked for the purchaser’s name, company, email address, and intended use of the data. And Kochava, the FTC alleges, did minimal vetting of these form responses, sometimes approving requests “in as little as 24 hours without any additional inquiries or requesting additional information.” After clearing those minimal bars, the complaint explains, an individual could gain access to a dataset containing precise location data associated with tens of millions of mobile devices.
- Injury and Harm to Consumers. The complaint details the injuries and potential harms that Kochava’s data practices can cause to consumers. Most prominently, the FTC argues that the amount of data that Kochava holds about consumers — most of it linkable to individuals, as detailed above — amounts to an invasion of consumer privacy, offering an “unprecedented view into a consumer’s personal actions, decisions, and behaviors.” Moreover, the complaint argues, this data can be used to inflict real-world harms on consumers, including stigma, discrimination, physical violence, and emotional distress.
- Violation of FTC Act. The FTC argues that, taken together, Kochava’s collection and use of sensitive personal information amount to an “[u]nfair use and sale of sensitive data” that, in turn, “constitute[s] unfair acts or practices in violation of Section 5 of the FTC Act.”
Notable takeaways for companies include the following:
- Data Brokers Under Scrutiny. Though this particular complaint is focused specifically on the data practices of Kochava, many of its arguments — such as those related to the risks of collecting large amounts of sensitive personal information and the lack of data anonymization and consumer consent in Kochava’s data use model — are likely applicable to data brokers more generally. Data brokers should thus expect heightened scrutiny of their data practices by the FTC in the near term. And as discussed above, the FTC is not the only body evincing a growing interest in regulating data brokers. The California legislature and the Consumer Financial Protection Bureau, to name two examples, have in recent months taken steps towards increased regulation of data broker practices.
- “Anonymity” of Personal Information. This complaint represents a firm rejection of the notion that personal information can be considered “anonymized” so long as it is not directly linked to identifying information (such as a name or email address). Rather, as discussed above, the FTC’s point of view is that aggregated data, such as a set of precise location data tracked over time, can itself constitute identifying information. Thus, in making claims that personal information is anonymized, companies should carefully consider whether they collect enough data such that seemingly “anonymized” data might, when combined or aggregated, nonetheless reveal a consumer’s personal identity.
- Protecting Personal Information. The complaint’s critique of Kochava’s practice of distributing free samples of its consumer datasets suggests that companies should pay close attention to who has access to the personal information that they collect. Importantly, this complaint indicates that the protection of consumer personal information should account not just for protection against malicious intruders (e.g., through cybersecurity controls), but also for controlling which entities that personal information is distributed to (e.g., by carefully vetting companies to which personal information is transferred).