Siding against data broker Kochava, a federal judge has again rejected the company's request to throw out privacy charges brought by the Federal Trade Commission.
“The FTC has plausibly pled that Kochava’s practices are unfair within the meaning of the FTC Act,” U.S. District Court Judge B. Lynn Winmill in Idaho said in a ruling issued Monday.
The ruling comes in a battle dating to August 2022, when the FTC alleged that Kochava wrongly sells the type of geolocation data that could expose sensitive information -- such as whether people visited doctors' offices or religious institutions.
The agency specifically alleged that Kochava sells precise geolocation data as well as mobile advertising IDs -- unique, 32-character identifiers that persist, unless consumers proactively reset them.
Kochava countered that this data isn't “personally identifiable,” and that the agency's allegations -- even if proven true -- wouldn't amount to “unfair” conduct.
advertisement
advertisement
Winmill dismissed the FTC's first complaint, but allowed the FTC to beef up its allegations and bring an amended complaint.
The FTC did so and Winmill ruled in February 2024 that the agency could proceed. He essentially said at the time that the allegations, if proven true, could support the claim that Kochava engaged in unfair conduct -- meaning activity that could cause “substantial injury” to consumers, and wasn't reasonably avoidable or outweighed by benefits.
“Kochava allegedly provides its customers with vast amounts of essentially non-anonymized information about millions of mobile device users’ past physical locations, personal characteristics (including age, ethnicity, and gender), religious and political affiliations, marital and parental statuses, economic statuses, and more,” he wrote.
“This alleged invasion of privacy -- which is substantial both in quantity and quality -- plausibly constitutes a 'substantial injury' to consumers,” he added.
The FTC in July amended its complaint by adding the subsidiary Collective Data Solutions as a defendant.
Kochava (and its subsidiary) then urged Winmill to throw out that amended complaint, renewing the contention that the allegations, even if proven true, wouldn't support the conclusion that the company engaged in “unfair” conduct.
Among other arguments, Kochava said an “intangible harm such as an invasion of privacy,” isn't the type of “substantial injury” that can support a charge of unfair conduct.
Kochava also submitted called attention to a then-unpublished law review article by Douglas Meal, a cybersecurity litigation professor who teaches at Cleveland State University College of Law and Boston College Law School. Meal -- who previously represented LabMD in its successful battle with the FTC over cybersecurity -- argues in that article that an “intangible” privacy harm can't in itself be a “substantial injury.”
Winmill disagreed with Kochava's argument.
“If Congress intended to limit the FTC’s authority to tangible consumer injuries, it could have said so,” he wrote.
A Kochava spokesperson says the company "has always operated consistently and proactively in compliance with all rules and laws, including those specific to privacy and consent."
"While we are discouraged by this recent ruling, we will continue to vigorously defend ourselves against the FTC’s unmoored attempts to expand its authority as a policy setter and circumvent Congress," the spokesperson stated.
The ruling comes several days after Kochava, which obtains location data from smartphone users' apps, said it would revise some privacy practices to settle a class-action lawsuit by consumers. Among other revisions, Kochava promised to implement a feature aimed at blocking the sharing or use of raw location data associated with health care facilities, schools, jails and other sensitive venues.