US regulator sues data broker over sale of location information
The US Federal Trade Commission has sued adtech group Kochava for allegedly selling location data from “hundreds of millions of mobile devices” that could be used to trace individuals’ movements, sending a warning shot to other data brokers and the broader digital ads industry.
The FTC said Idaho-based Kochava, a data broker that measures the effectiveness of mobile marketing, had violated its policies by acquiring, and then selling, precise geolocation data of smartphone users which could be used to track users to and from sensitive locations — including abortion clinics, other medical locations and religious institutions.
“Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence,” the agency said in a press release.
It is seeking to stop Kochava from selling sensitive data and compel it to delete any such information already located.
The lawsuit from the US agency, which is led by prominent Big Tech critic Lina Khan, is part of “a watershed change in how policymakers, law enforcement, and the tech industry approach consumer data and privacy”, said Cory Munchbach, president at customer data platform BlueConic.
She pointed out that in the past two weeks the FTC had announced it was exploring a rulemaking process to “crack down on harmful commercial surveillance” relating to lax data security. Separately, California’s attorney-general last week announced a $1.2mn settlement with Sephora, the beauty store chain, for allegedly failing to tell consumers it was selling their personal information.
“I expect we’re going to see a lot of pearl-clutching from the data broker and ad industries, where the majority of the scrutiny and impact will happen, and a lot of contrite non-apologies from violators on the publisher and marketer side,” Munchbach said.
Kochava, which purchases location data from third-party companies and then makes it available to advertisers to help measure the effect of ads, said in a statement the FTC “has a fundamental misunderstanding” of how its data marketplace operates.
“Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy,” said Brian Cox, general manager at Kochava. He said that “100 per cent” of the geolocation data in the Kochava Collective marketplace comes from third-party data brokers via “consenting consumers”.
Mike Audi, founder of Tiki, which helps users take control of their data, said that in going after a relatively small company where it has a good chance of winning, the FTC is establishing a precedent likely to have wide ramifications across the sector.
“The disheartening reality is just how widespread these pseudonymous data practices are,” he said.
Zach Edwards, an independent cyber tech researcher, said the FTC’s action is likely just “the tip of the iceberg” and he applauded the agency for taking this big step.
“It’s crucial for the FTC to start to approach their advertising investigations from a data supply chain perspective — where data about people oftentimes flows from one company, to numerous data broker vendors, and then any additional sharing by those vendors creates a near unlimited sprawl of non-compliant user data sharing,” he said.
Earlier this month Kochava took some pre-emptive steps as the FTC readied its case, announcing on August 10 a “new privacy-first approach” that it said would block health services location data from being shared on its data marketplace, unless consumers explicitly consented first. On August 18 it sued the FTC in an effort to block the case, accusing the agency of over-reach.