Data broker allegedly selling de-anonymized info to face FTC lawsuit after all

The Federal Trade Commission has succeeded in keeping alive its first federal court case against a geolocation data broker that's allegedly unfairly selling large quantities of data in violation of the FTC Act. On Saturday, US District Judge Lynn Winmill denied Kochava's motion to dismiss an amended FTC complaint, which he said plausibly argued that "Kochava’s data sales invade consumers’ privacy and expose them to risks of secondary harms by third parties." Winmill's ruling reversed a dismissal of the FTC's initial complaint, which the court previously said failed to adequately allege that Kochava's data sales cause or are likely to cause a "substantial" injury to consumers. The FTC has accused Kochava of selling "a substantial amount of data obtained from millions of mobile devices across the world"—allegedly combining precise geolocation data with a "staggering amount of sensitive and identifying information" without users' knowledge or informed consent. This data, the FTC alleged, "is not anonymized and is linked or easily linkable to individual consumers" without mining "other sources of data." Kochava's data sales allegedly allow its customers—whom the FTC noted often pay tens of thousands of dollars monthly—to target specific individuals by combining Kochava data sets. Using just Kochava data, marketers can create "highly granular" portraits of ad targets such as "a woman who visits a particular building, the woman’s name, email address, and home address, and whether the woman is African-American, a parent (and if so, how many children), or has an app identifying symptoms of cancer on her phone." Just one of Kochava's databases "contains 'comprehensive profiles of individual consumers,' with up to '300 data points' for 'over 300 million unique individuals,'" the FTC reported. This harms consumers, the FTC alleged, in "two distinct ways"—by invading their privacy and by causing "an increased risk of suffering secondary harms, such as stigma, discrimination, physical violence, and emotional distress." In its amended complaint, the FTC overcame deficiencies in its initial complaint by citing specific examples of consumers already known to have been harmed by brokers sharing sensitive data without their consent. That included a Catholic priest who resigned after he was outed by a group using precise mobile geolocation data to track his personal use of Grindr and his movements to "LGBTQ+-associated locations." The FTC also pointed to invasive practices by journalists using precise mobile geolocation data to identify and track military and law enforcement officers over time, as well as data brokers tracking "abortion-minded women" who visited reproductive health clinics to target them with ads about abortion and alternatives to abortion. "Kochava’s practices intrude into the most private areas of consumers’ lives and cause or are likely to cause substantial injury to consumers," the FTC's amended complaint said. The FTC is seeking a permanent injunction to stop Kochava from allegedly selling sensitive data without user consent. Kochava considers the examples of consumer harms in the FTC's amended complaint as "anecdotes" disconnected from its own activities. The data broker was seemingly so confident that Winmill would agree to dismiss the FTC's amended complaint that the company sought sanctions against the FTC for what it construed as a "baseless" filing. According to Kochava, many of the FTC's allegations were "knowingly false." Ultimately, the court found no evidence that the FTC's complaints were baseless. Instead of dismissing the case and ordering the FTC to pay sanctions, Winmill wrote in his order that Kochava's motion to dismiss "misses the point" of the FTC's filing, which was to allege that Kochava's data sales are "likely" to cause alleged harms. Because the FTC had "significantly" expanded factual allegations, the agency "easily" satisfied the plausibility standard to allege substantial harms were likely, Winmill said. Kochava CEO and founder Charles Manning said in a statement provided to Ars that Kochava “expected" Winmill's ruling and is "confident" that Kochava "will prevail on the merits." "This case is really about the FTC attempting to make an end-run around Congress to create data privacy law," Manning said. "The FTC’s salacious hypotheticals in its amended complaint are mere scare tactics. Kochava has always operated consistently and proactively in compliance with all rules and laws, including those specific to privacy." In a press release announcing the FTC lawsuit in 2022, the director of the FTC’s Bureau of Consumer Protection, Samuel Levine, said that the FTC was determined to halt Kochava's allegedly harmful data sales. “Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” Levine said. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”

Kochava’s privacy solutions

According to the FTC, there are steps that Kochava could be taking "at a reasonable cost and expenditure of resources" to protect consumers' privacy better, but the data broker has been financially motivated to overlook those steps. "Kochava could implement safeguards to protect consumer privacy, such as blacklisting sensitive locations from its data feeds or removing sensitive characteristics from its data," the FTC's amended complaint said. "However, far from protecting consumers’ privacy, Kochava actively promotes its data as a means to evade consumers’ privacy choices." In his statement, Manning said that "prior" to the FTC's litigation, "Kochava announced Privacy Block—a sensitive location blocking solution." "Through Privacy Block, Kochava has been blocking over 2.1 million locations from its data products on an ongoing basis," Manning said. However, Winmill said that Kochava could not defeat the FTC complaint based solely on the timing of introducing this new feature. He wrote in his order that "Kochava’s implementation of a new Privacy Block feature"—which blocks "geolocation data near healthcare facilities, places of worship, shelters for the unhoused, and recovery centers"—occurred "after the FTC initiated its investigation" and "does not summarily foreclose the FTC’s request for injunctive relief." It's possible, though, that Kochava's introduction of this tool will help lighten any potential penalties the company may face should the FTC win. In an order denying Kochava's motion to sanction the FTC, the court indicated that “more factual development is necessary to determine the impact the Privacy Block feature may have on the FTC’s request for an injunction.” So far in 2024, the FTC has won two settlements with data brokers, including what FTC Chair Lina Khan confirmed was the agency's "first-ever ban on the use and sale of sensitive location data." In both settlements—won through the FTC's administrative complaint process rather than in federal court—the FTC required data brokers to delete previously collected data. Moving forward, data brokers who settled must also ensure that all users give informed consent for data collection, can easily trace where their data has been sold, and have easy paths to withdraw consent. These appear to be solutions that the FTC agrees protect consumers from allegedly harmful data sales by companies like Kochava. Kochava was founded in 2011 and boasts on its website that it sells data in major markets worldwide, providing marketers with "visibility into and management of billions of data points, millions of users, and hundreds of millions of dollars in lifetime value." The FTC said it filed its lawsuit in federal court to stop Kochava from "enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence." So far, Kochava has denied causing any harms to consumers, arguing that the alleged consumer injury triggering the FTC's complaint “is not caused by Kochava but instead by some unknown third parties.” "Never in a million years did we imagine that as a small, law-abiding company we’d find ourselves in the ring on behalf of an entire industry," Manning said. "We’re here, we have the truth in our corner, and we’re in it to win it. We look forward to proving our case.” But the FTC will not have to prove that Kochava directly causes harms, the court cautioned Kochava as it builds its defense. Under the FTC Act, Kochava could be found to be causing substantial injury merely by creating "a significant risk of concrete harm." As the FTC continues cracking down on data brokers, a win against Kochava could ultimately trigger a wave of class-action complaints from consumers who have reached their limit when it comes to tolerating unending invasive data collection. "Consumers have expressed concern about the amount of personal information various entities—like advertisers, employers, or law enforcement—know about them and about how such entities use their personal data," the FTC's amended complaint said. "Consumers are increasingly reluctant to share their personal information, such as digital activity, emails, text messages, and phone calls, especially without knowing which entities will receive it. This is precisely what Kochava does, and its collection, use, and disclosure of consumers’ personal information under such circumstances imposes an unwarranted invasion into consumers’ privacy."