• by Wendy Davis  @wendyndavis, August 29, 2022

The Federal Trade Commission on Monday sued mobile analytics company Kochava for allegedly selling information about people's locations, including information that could reveal visits to abortion clinics.

“In numerous instances, defendant has sold, licensed, or otherwise transferred precise geolocation data associated with unique persistent identifiers that reveal consumers’ visits to sensitive locations, including, among others, locations associated with medical care, reproductive health, religious worship, mental health, temporary shelters, such as shelters for the homeless, domestic violence survivors, or other at-risk populations, and addiction recovery,” the FTC alleges in a complaint filed in U.S. District Court in Idaho.

The agency claims that the company violated Section 5 of the FTC Act by engaging in an unfair business practice. The FTC voted 4-1 in favor of filing the complaint, with Republican Commissioner Noah Joshua Phillips dissenting.

The complaint specifically includes allegations that Kochava's data can be used to identify not only "consumers who have visited an abortion clinic and, as a result, may have had or contemplated having an abortion," but also "medical professionals who perform, or assist in the performance, of abortion services.”

The complaint comes as advocates, Democratic lawmakers and others are increasingly concerned that law enforcement authorities in states with anti-abortion laws will attempt to harvest commercially available location data to bring prosecutions relating to abortion.

Among other allegations, the FTC says Kochava sells “timestamped latitude and longitude coordinates showing the location of mobile devices,” as well as mobile advertising IDs -- unique identifiers that persist, unless consumers proactively reset them.

Those identifiers, combined with geolocation coordinates "may be used to track consumers to sensitive locations, including places of religious worship, places that may be used to infer an LGBTQ+ identification, domestic abuse shelters, medical facilities, and welfare and homeless shelters," the complaint alleges.

While the mobile advertising identifiers are pseudonymous in themselves, the FTC says they can reveal people's actual identities in at least two ways.

For one, the agency says some data brokers advertise the ability to match mobile identifiers with names and physical addresses.

Also, even without that type of matching service, location data in itself can lead to inferences that would identify people, the FTC writes.

“For example,” the complaint says, “the location of a mobile device at night likely corresponds to the consumer’s home address.”

The FTC's lawsuit comes two weeks after Kochava went to court in an apparent attempt to preempt the agency's lawsuit.

In papers filed in U.S. District Court in Idaho on August 12, Kochava claimed that the FTC had no legal grounds to pursue an enforcement action against the company, essentially arguing that the agency had never issued regulations prohibiting the transfer of geolocation data.

The company wrote in its complaint against the FTC that the agency “has yet to issue any rule or statement with legal force and effect describing the specific geolocation data practices it believes Section 5 prohibits or permits."

Kochava also said in its filing that it doesn't “uniquely identify users,” but merely links the mobile advertiser identification to “hashed emails and primary IP addresses.”

“Kochava does not collect, then subsequently sell data compilation that allows one to track a specific individual to a specific location,” the company claims.

Kochava added that consumers don't have to agree to data collection.

“Even if an injury to the consumer did indeed occur, it is reasonably avoidable by the consumer themselves by way the opt-out provision to allow the data collection,” Kochava wrote. “In other words, the consumer agreed to share its location data with an app developer. As such, the consumer should reasonably expect that this data will contain the consumer’s locations, even locations which the consumer deems is sensitive.”

The company added that on August 10, it announced a “privacy block” feature that removes known health services location from its marketplace.

The FTC is seeking a permanent injunction that would prohibit Kochava from engaging in allegedly unfair practices.

Kochava Collective general manager Brian Cox said through a spokesperson that the lawsuit “shows the unfortunate reality that the FTC has a fundamental misunderstanding of Kochava’s data marketplace business and other data businesses.”

He added that the company “operates consistently and proactively in compliance with all rules and laws, including those specific to privacy.”

“Real progress to improve data privacy for consumers will not be reached through flamboyant press releases and frivolous litigation,” Cox stated. “It’s disappointing that the agency continues to circumvent the lawmaking process and perpetuate misinformation surrounding data privacy.”

The agency has brought numerous privacy cases in the past, but most appear to have included allegations that a company deceived consumers by violating promises in its privacy policy. The complaint against Kochava alleges only that the company engaged in an unfair practice.

It's not clear how courts will respond to that claim. Many prior privacy cases brought by the FTC resulted in settlements -- which means there aren't a huge number of court opinions interpreting the limits of the FTC's authority over data practices.

Santa Clara University law professor Eric Goldman says the FTC “seems to have made a number of aggressive moves” in its complaint against Kochava.

“They don't actually allege that anyone has actually been harmed by this data,” Goldman says, adding that the complaint “reflects that the FTC is moving into uncharted territory.”