The Federal Trade Commission's newly unsealed privacy complaint against mobile data broker Kochava alleges that location data sold by the company is “not anonymized” and is “linked or easily linkable” to individual consumers.
“Kochava collects consumers’ precise geolocation information that is obtained from their mobile devices and that is associated with a persistent and individual identifier,” the FTC alleges in its amended complaint, which was filed in June but kept under seal until Friday.
“Kochava itself concedes that this data is not anonymous, but rather can be, and is, used to track and identify individual consumers,” the FTC continues. “In many cases, Kochava provides data that directly links this precise geolocation data to identifying information about individual consumers, such as names, addresses, email addresses, and phone numbers.”
The agency cited Kochava's marketing materials in the amended complaint, writing that Kochava “emphasizes its ability to connect each individual consumer to multiple 'data points' in order to ensure that its customers are able to continuously track consumers and connect consumers’ activities with historic and new data.”
The agency added that Kochava “advertises being able to connect precise geolocation data with email, demographics, devices, households, and channels.”
The FTC also alleged that Kochava “directly links” mobile ad identifiers with other identifying information, such as names, email addresses, home addresses, and phone numbers.
The company's marketing materials elaborate that it determines people's home locations by looking at “the resting lat/lon of a given device between the hours of 10 p.m. and 6 a.m. and omit known business locations,” the FTC alleged.
The amended complaint comes in a lawsuit brought by the FTC last year, when it claimed Kochava engages in an unfair business practice by selling the kind of precise geolocation data that could expose sensitive information, such as whether people visited doctors' offices or religious institutions.
Among other allegations, the FTC said Kochava sells precise geolocation data as well as mobile advertising IDs -- unique, 32-character identifiers that persist, unless consumers proactively reset them.
Kochava countered last year that the data it sells isn't “personally identifiable,” and that the agency's allegations -- even if proven true -- wouldn't amount to “unfair” conduct. Kochava specifically argued that practices are only unfair if they violate an established legal policy, or are harmful or oppressive. The company added that no current law or regulation prohibits the sale of location data, and such sales don't in themselves harm consumers.
In May, U.S. District Court Judge B. Lynn Winmill in Idaho threw out the complaint, ruling that the FTC's allegations, even if proven true, wouldn't show that Kochava created a “significant risk” of harm to consumers.
His ruling allowed the FTC to beef up its allegations and bring the claims again.
The FTC did so earlier in June, but filed the revised complaint under seal.
Kochava argued the amended complaint should remain sealed, and also sought sanctions against the FTC. Federal procedural rules allow judges to sanction attorneys who file papers that are “frivolous, legally unreasonable, or without factual foundation,” or “brought for an improper purpose.”
On Friday, Winmill ordered the amended complaint publicly released, and also rejected Kochava's request for sanctions.
“Kochava argues that ten paragraphs in the FTC’s amended complaint contain allegations that are 'knowingly false,'” Winmill wrote. “However, after reviewing each of those allegations, the court cannot identify a single one that appears false or misleading.”
While Kochava's motion for sanctions is itself sealed -- for now -- Winmill describes the company's criticism of the complaint in his new decision.
For instance, Kochava took issue with allegations that its sale of geolocation data and mobile ad identifiers (shorthanded as MAIDs in the court papers) enabled third parties to track consumers to sensitive locaitons.
The company argued that those allegations were false because it implented a feature that prevents the spread of location data associated with sensitive locations, and because its location data is “anonymized.”
But Winmill said that Kochava's new feature does not "automatically moot the FTC’s suit for injunctive relief.”
He also said he wasn't “persuaded by Kochava’s characterization of its location data as 'anonymized.'”
“The FTC plausibly asserts that, although anonymous on its face, Kochava’s location data is linked to MAIDs in a way that enables third parties to identify specific individuals by plotting the coordinates on a map,” he wrote.