Sep 2, 2022 9 min read

FTC sues Sandpoint data broker, alleging sale of location data puts people at risk

A gray modern-looking building with a red pillar and a sign that says "KOCHAVA" with a red star next to it.
The Kochava headquarters in Sandpoint. Photo by Ben Olson.

The company, Kochava, calls the suit ‘frivolous litigation’ but the FTC alleges the information could be used to disclose and trace people who use abortion clinics. Advertising industry observers call it “a warning over data practices for the entire ad industry,” that “puts the rest of the ad world on notice.”

EDITORS NOTE: We’re in the very early days of understanding the true impact of the end of Roe v. Wade, and on Monday, the Federal Trade Commission opened up an entirely new front in the conflict: the role of corporate surveillance and data gathering in potentially identifying and prosecuting people who have abortions — and they did it right in our backyard, by suing the Sandpoint-based data broker Kochava.

The lawsuit made international news, but the deepest piece we’ve seen yet is from our friends at the Sandpoint Reader. What follows is long and has a lot of legal language, but I highly encourage you to dig in. The implications are vast and potentially affect all of us.

The Reader is going to be following this story closely and we’ll keep you posted as we all learn more. Have a great weekend. — Luke

By Zach Hagadone, The Sandpoint Reader

Kochava Inc. drew international headlines Aug. 29 when the Federal Trade Commission announced a lawsuit aimed at the Sandpoint-based data broker and analytics company, alleging geolocation data sold by Kochava to its clients can be used to track people’s visits to sensitive locations, including reproductive health clinics.

“The FTC alleges that by selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss and even physical violence,” the agency stated in its announcement. “The FTC’s lawsuit seeks to halt Kochava’s sale of sensitive geolocation data and require the company to delete the sensitive geolocation information it has collected.”

While the complaint was officially filed at the end of August, the FTC had approached Kochava about these potential problems with its data a month earlier, “in or about July and August 2022,” according to a pre-emptive lawsuit Kochava filed against the FTC.

The company, through its Kochava Collective marketplace, purchases mobile device location data from third-party suppliers, then aggregates it and sells it in customized feeds to clients so they can track the success of targeted marketing campaigns, monitor how effective advertising is in generating foot traffic to specific physical stores or other locations, and assess how well billboard advertising works.

According to Kochava, data suppliers collect that geolocation information from users who have consented to making it available via mobile operating systems such as Apple iOS and Google Android, as well as apps and websites.

Some of those consent prompts are more obvious than others, but, “Mobile devices cannot track location without first gaining consent from the consumer,” Kochava Collective General Manager Brian Cox stated in a news release Aug. 10, announcing the company’s new “Privacy Block” capability, which is intended to remove location data related to health care services from the marketplace.

“Today, there are millions of locations that could be categorized as health care services locations in the U.S. and mobile devices pass in and out of the boundaries of these locations,” Cox stated. “There is no federal regulation or federal database which catalogs these locations to protect consumer privacy.”

That’s why Kochava stated it is putting Privacy Block in place, inviting its data suppliers to register to participate and provide their definitions of what constitutes a “health services location” so those locations can be blocked from further acquisition. Health services providers themselves are also able to register with the Kochava Collective marketplace to have their locations removed and blocked.

“We believe it’s important for the industry to be proactive and to collaborate on a unified health services location block list,” Cox stated.

Privacy Block was announced before the lawsuit, but after the FTC initially contacted the company with its concerns. As of publication, the service is not yet active.

In its complaint, filed in U.S. District Court in Idaho, the FTC stated that the availability of exactly that kind of geolocation data poses a risk to individuals. In certain hands, the agency alleged, that information could be used to disclose and trace people at abortion clinics, as well as places of worship, homeless and domestic violence shelters, and addiction recovery facilities. Such data can also be used to infer LGBTQ+ identification, the agency stated.

Additionally, the FTC alleged that geolocation information — including latitude and longitude coordinates, as well as timestamps — can be combined with a device’s “mobile advertising identifier” (MAID) to reveal the identity of its owner, making it possible in turn to associate that user with a physical home address.

The agency contended that it was able to track individuals using a sample data set made available by Kochava through the Amazon Web Services Marketplace until this past June. The FTC complaint alleged that one day’s worth of data in the sample corresponded to nearly 62 million unique mobile devices.

“[I]n just the data Kochava made available in the Kochava Data Sample, it is possible to identify a mobile device that visited a women’s reproductive health clinic and trace that mobile device to a single-family residence,” the FTC stated in the complaint.

“The data set also reveals that the same mobile device was at a particular location at least three evenings in the same week, suggesting the mobile device user’s routine. The data may also be used to identify medical professionals who perform, or assist in the performance, of abortion services.”

According to a statement from Samuel Levine, director of the FTC’s Bureau of Consumer Protection, “Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder.”

The agency has alleged that by selling such data, Kochava is in violation of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce,” defining “unfair acts” as causing or “likely to cause substantial injury to consumers that [they] cannot reasonably avoid themselves and this is not outweighed by countervailing benefits to consumers or competition.”

In a statement Kochava provided to the Reader, Cox characterized the FTC’s complaint as “a fundamental misunderstanding” of the functioning of data brokers. He stated that the company had spent the weeks prior to the complaint working to illustrate to the agency how data is collected and used in digital advertising.

“We hoped to have productive conversations that led to effective solutions with the FTC about these complicated and important issues and are open to them in the future,” Cox stated. “Unfortunately the only outcome the FTC desired was a settlement that had no clear terms or resolutions and redefined the problem into a moving target.

“Real progress to improve data privacy for consumers will not be reached through flamboyant press releases and frivolous litigation,” he added. “It’s disappointing that the agency continues to circumvent the lawmaking process and perpetuate misinformation surrounding data privacy.”

The FTC voted 4-1 to move the lawsuit against Kochava forward. Commissioner Noah Phillips, a Trump appointee, was the sole dissenting voice during proposed rulemaking surrounding commercial surveillance and data security, writing on Aug. 11 that, “Reducing the ability of companies to use data about consumers, which today facilitates the provision of free services, may result in higher prices — an effect that policymakers would be remiss not to consider in our current inflationary environment.” Two other Trump appointees, Commissioner Christine S. Wilson and Rebecca Slaughter, voted with two Biden appointees in favor of the suit.

Phillips added that Congress, rather than the agency, should formulate national data privacy policy, and the proposed rulemaking would put the FTC in a position of “banning or regulating conduct the Commission has never once identified as unfair or deceptive.”

Phillips, who announced he will step down from his position this fall, also criticized the FTC’s proposed rules as vague when they came to actually defining “sensitive data,” writing, “Almost as an afterthought, the [rulemaking proposal] asks ‘which kinds of data’ might be subject to any potential rules, but there is no attempt at real engagement on the topic. There is no question asking how ‘sensitive data’ should be defined.”

Finally, in another section of his 11-page dissent, Phillips took the FTC to task for seeming “skeptical that consumers can be trusted to make their own choices” when it comes to providing consent to have their data collected, and called it “paternalistic” to contemplate different standards of consent for individuals who are “‘in crisis’ or ‘especially vulnerable to deception.’”

“Heaven forbid adults make decisions and permit companies to use their data to serve them targeted ads,” he wrote.

Lost among the high-profile coverage of the FTC’s complaint against Kochava is the fact that amid the agency’s rulemaking process, Kochava preemptively sued the FTC in mid-August, filing its own suit in U.S. District Court in Idaho based on the then-proposed complaint.

According to an Aug. 18 report from the Idaho Statesman, Kochava in its lawsuit denied that the information it makes available on the marketplace is identified with specific users. Rather, it pairs encrypted email addresses and IP addresses with Mobile Advertising ID (MAID) information, keeping the data anonymous.

“Kochava does not collect, then subsequently sell data compilation that allows one to track a specific individual to a specific location,” Kochava stated in its filing, according to the Statesman. “Even if an injury to the consumer did indeed occur, it is reasonably avoidable by the consumer themselves by way of the opt-out provision to allow the data collection.”

Several sources familiar with Kochava’s operations, speaking on background in separate conversations with the Reader, alleged that the FTC’s complaint appears to be intended to make an example of the company, noting that there are many other — much larger — firms offering similar data services to advertising clients. Ad Age, a trade magazine, described the complaint as “a warning over data practices for the entire ad industry,” and “puts the rest of the ad world on notice.”

Meanwhile, in July, President Joe Biden signed an executive order intended to protect access to reproductive health services following the U.S. Supreme Court’s overturning of Roe v. Wade. The overturning of Roe had triggered state-level restrictions and outright bans on abortion in a variety of circumstances — including in Idaho — that in many cases place both people who undergo an abortion and health care providers who perform or even assist in obtaining an abortion in dire legal jeopardy.

Among other directives, the order addressed “the transfer and sales of sensitive health-related data,” as well as “combatting digital surveillance related to reproductive health care services.”

While the FTC in its complaint pointed directly to reproductive health service locations as emblematic of the type of sensitive data that shouldn’t be available for purchase or sale, a spokesperson told the Reader in an email Aug. 30 that “since at least 2012,” the agency “has publicly stated that precise location data, of the type sold by Kochava, is sensitive information. The FTC has also long warned about the potential invasion of consumer privacy that such data poses.”

In 2014, then-director of the FTC’s Bureau of Consumer Protection, Jessica Rich, testified before a U.S. Senate panel on privacy, technology and law that precise geolocation data could be used to reveal the answers to such questions as, “Did you visit an AIDS clinic last Tuesday? What place of worship do you attend? Were you at a psychiatrist’s office last week? Did you meet with a prospective business customer?”

The FTC has also brought actions in the past related to improper use of geolocation data, including “stalkerware” cases in 2019 and 2021 that alleged some app developers were deceptively collecting and using consumers’ data or otherwise failing to make that information secure.

“These and other statements and actions by the Commission have made clear to the public the sensitivity of this data,” the agency told the Reader.

U.S. Sen. Mike Crapo, R-Idaho, has been among the members of Congress to address data privacy from a policy level, writing in a 2019 “weekly column” on that while mobile devices, social media and search engines “have become everyday tools … their usage is accompanied by a shocking amount of hidden data collection without individuals’ knowledge or consent.”

On data brokers, in particular, Crapo wrote, “Companies will argue that this data is needed in order to provide customized, free services, but consumers will just as rightly argue that they were never fully informed of such data collection, nor consented to it.”

He called for establishing a clear regulatory framework to protect consumer privacy while providing data collectors, brokers and users with concrete “obligations” and an enforcement structure to make sure consumers’ data is appropriately collected and secured.

Crapo’s office declined to comment on the FTC complaint against Kochava, as it is an ongoing legal matter, but a spokesperson told the Reader that “the column still reflects his overall views.”

For its part, Kochava stressed that the company “sources 100% of the geo data in our data marketplace from third-party data brokers, all of whom represent that the data comes from consenting consumers.”

Edited by Luke Baumgarten. A version of this story originally appeared in the Sandpoint Reader and has been updated to reflect new information that came to light after its original publishing.

RANGE is a reader-supported publication. Help us grow by becoming a paid subscriber.

Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to RANGE Media.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.