• by Wendy Davis , 5 hours ago

The data broker Kochava has agreed to refrain from selling or disclosing certain sensitive location data without consumers' affirmative consent, in order to settle privacy charges brought by the Federal Trade Commission.

If approved, the settlement will resolve claims by the FTC that Kochava sold the type of geolocation data that could expose information such as visits to doctors' offices or religious institutions.

The agreement, filed Monday with U.S. District Court Judge Lynn Winmill in Idaho, defines "sensitive" location data as "precise location data" associated with medical facilities, religious organizations, sites that predominantly provide education or childcare to minors, homeless shelters, domestic violence shelters, and military or federal law enforcement sites.

The settlement also defines "precise" location data as highly specific information such as Global Positioning System coordinates, combined with unique identifiers -- like a mobile advertising identifier, or Apple's "identifier for advertisers."

The agreement states that Kochava does not admit or deny the FTC's allegations.

A Kochava spokesperson said the company “is pleased to have reached this proposed settlement and to take this next step toward resolving the FTC matter."

"While the settlement remains subject to the Court’s review and approval, it reflects Kochava’s ongoing commitment to privacy and responsible data practices, and formalizes the practical safeguards around privacy and compliance," the spokesperson added.

If accepted, the deal will bring an end to a lawsuit dating to August 2022, when the FTC alleged that Kochava sells precise geolocation data as well as mobile advertising IDs -- unique identifiers that persist, unless consumers proactively reset them.

The suit came several months after the Supreme Court issued Dobbs v. Jackson Women's Health Organization, which overturned Roe v. Wade and cleared the way for states to ban abortion. As a result of that ruling, Democratic lawmakers and others expressed concerns that law enforcement authorities in states with anti-abortion laws will attempt to harvest commercially available location data to bring prosecutions relating to abortion.

The agency's initial complaint included allegations that Kochava's data can be used to identify not only "consumers who have visited an abortion clinic and, as a result, may have had or contemplated having an abortion," but also "medical professionals who perform, or assist in the performance, of abortion services.”

Earlier in the proceedings, Kochava sought to have the charges dismissed, arguing that location data tied to mobile ad identifiers wasn't "personally identifiable," and that the allegations against it -- even if proven true -- wouldn't violate the FTC Act's prohibition on "unfair" business practices. 

Winmill dismissed the FTC's first complaint, but allowed the FTC to beef up its allegations and bring an amended complaint.

The FTC did so and Winmill ruled in February 2024 that the agency could proceed. He essentially said at the time that the allegations, if proven true, could support the claim that Kochava engaged in unfair conduct -- meaning activity that could cause “substantial injury” to consumers, and wasn't reasonably avoidable or outweighed by benefits.

“Kochava allegedly provides its customers with vast amounts of essentially non-anonymized information about millions of mobile device users’ past physical locations, personal characteristics (including age, ethnicity, and gender), religious and political affiliations, marital and parental statuses, economic statuses, and more,” he wrote.

“This alleged invasion of privacy -- which is substantial both in quantity and quality -- plausibly constitutes a 'substantial injury' to consumers,” he added.

The proposed deal also requires Kochava to establish and maintain a privacy program, among other terms.