September 6, 2023

The (ongoing) Kochava case and what it forecasts for 2024


In July 2022, the FTC released a statement indicating it would focus enforcement on sensitive data, specifically warning apps and platforms using location and health data. The announcement followed the Dobbs case, which overturned Roe v. Wade, as well as a call from President Joe Biden for the FTC to protect consumers in lieu of the law. Soon after, the FTC began a rulemaking process on commercial surveillance and data security. The Kochava case is the agency’s promise fulfilled. While there are many FTC cases we could consider in looking ahead to 2024, Kochava’s got everything in there: data brokers, location data, and health data, making it a great use-case for our purposes.

The FTC filed a complaint against Kochava in 2022 for selling precise location data, tied to mobile-ad IDs, in places like Amazon’s AWS data marketplace. The FTC alleged the data could be linked to individuals, and captured sensitive locations, such as abortion clinics, places of worship, drug treatment centers, and domestic violence shelters. The agency said Kochava’s selling of that data exposed individuals to “threats of stigma, stalking, discrimination, job loss, and even physical violence.” Alleging the data sales amounted to unfair conduct under Section 5 of the FTC Act, the FTC said its lawsuit “seeks to halt Kochava’s sale of sensitive geolocation data, and delete the sensitive geolocation data it has collected so far.”

The case hasn't yet been resolved.

The judge did find that selling sensitive location information to ill-intentioned parties could put people at risk of suffering secondary harms – but he said the FTC didn’t provide sufficient evidence that individuals were suffering, or likely to suffer, substantial harm. Now, the FTC has 30 days to refile its

Studying the Kochava case for takeaways, we see that the FTC is focused on enforcing new norms around sensitive data, especially location information and health information. And in cases where that information can be cobbled together to create a robust dossier on a person, the FTC is hyper-focused.

How to avoid repeating Kochava’s mistakes

In this post-Dobbs era, the FTC will continue to bring enforcement cases where sensitive data is used in ways the agency considers to be unfair.

As mentioned, in the Kochava case, the agency alleged the data broker was selling information that could disclose users’ locations, including at places of worship or doctor’s offices. But there are ways Kochava could have prevented some of this risk. Notably, the FTC alleged that Kochava acted unfairly because its users couldn’t reasonably avoid the harm inflicted by the company’s data practices. But there were ways to avoid that.

TerraTrue’s Head of Privacy, Anthony Prestia, said the Kochava case indicates the importance of having holistic visibility on what's happening with the data your organization is collecting and processing, as well as conversations with your teams about how you're presenting that information to users.

The FTC's gripe that users couldn't have reasonably avoided the harm done by Kochava's practices is “where you can work with product teams to make sure users are in control,” Prestia said, adding your users should understand “what data is being collected, how it’s being shared, and they should have meaningful choices about what’s happening there.” If the FTC comes after you for an enforcement action, having put those provisions in place may help you fight back a bit on the unfairness angle.

“Outside of saying, ‘Hey, we don't think this harm is substantial,’ you can also just say, ‘Hey, look, users could reasonably control the behavior here, and they understood what was going on.’”

Looking ahead, Prestia said Kochava, among other cases (GoodRx, Premom, BetterHelp), indicates the FTC’s plan to continue its enforcement work on health data entering the advertising ecosystem, as well as how commercial companies are using the information and sharing it with one another.

To avoid FTC scrutiny in 2024, TerraTrue's COO, Chris Handman, agreed it’s essential now more than ever to disclose the ways you’re collecting and using data. “There are real-world consequences when this type of data is being used in indiscriminate and promiscuous ways. As a practitioner, what you have to be aware of is the need to get your data right. There is this renewed sense of why privacy matters and the importance of really understanding your data taxonomies, your data flows, the APIs, and the SDKs that your data flows to.

“The headline for conversations with your C-suite should be: ‘This is the year where we need to make sure we're going to say what we do, and we're going to do what we say,’” he said.

That requires a comprehensive understanding of the data types you’re using, all the ways you’re using data, and the places your data is flowing, so you can create a taxonomy and identify where your risks are.

For example, if you say in your privacy policy, “We never share your sensitive information,” then it’s essential that you have a grip on those data flows and can back that statement up. What about any SDKs or APIs? When are you sharing information there?
