The FTC said that any person or entity with this data could use it to target certain groups of individuals, such as abortion-seekers, religious groups, or sexual minorities. The Commission said that the company’s data security practices violate Section 5(a) of the FTC Act, which prohibits American entities from engaging in unfair or deceptive practices. “The FTC alleges that by selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence,” the FTC’s press release reads. The lawsuit seeks not only to stop Kochava’s sale of geolocation and other sensitive data, but also require that the company delete what it has already collected.
What is Kochava?
Kochava is a data solutions company based in Idaho. It provides clients with a variety of services, including real-time data analytics, and the ability to map advertisement performance. According to the FTC, the company also collects vast troves of geolocation data to create data feeds. Kochava sells these feeds to its customers who use them to analyze foot traffic at their stores, and for information on advertising. The FTC alleges that Kochava buys this information from other sources, and its network spans hundreds of millions of devices. Furthermore, customers are often not aware that their data is being shared and collected by the company. Earlier this month, the FTC announced its intention to clamp down on commercial surveillance, a closely-related practice. In this case, the FTC says that any party which purchases Kochava’s data feeds can use it to identify and track specific mobile device users. “For example, the location of a mobile device at night is likely the user’s home address and could be combined with property records to uncover their identity. In fact, the data broker has touted identifying households as one of the possible uses of its data in some marketing materials,” the FTC stated.
FTC Says Kochava Put Abortion-Seekers at Risk
The Commission flagged that the company also made a huge data set available to the public, with very few restrictions to access it. Until June 2022, the company offered the Kochava Data Sample on AWS Marketplace — a sample of the paid data feed. The FTC examined the sample and found that it contained information from over 61 million unique mobile devices. Anyone could access the sample with a free AWS account, and search the Marketplace for “Kochava.” The FTC said Kochava did not anonymize its information. Therefore, a third party could potentially combine it with other sources and identify the people to whom it belongs. The FTC observed that anyone could use the dataset to target and track people at sensitive locations. The commission specifically mentioned reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery centers.
Kochava Says FTC on an Agenda
In response to the lawsuit, Kochava stated that it invested a lot of time in trying to explain its practices to the commission. The company said it was in the process of rolling out a new feature called Privacy Block, which removes sensitive location data from the marketplace, thereby addressing a key part of the FTC’s complaint. Brian Cox, Kochava’s general manager, said the company complies with all laws and privacy regulation and accused the commission of pursuing frivolous litigation. “Unfortunately the only outcome the FTC desired was a settlement that had no clear terms or resolutions and redefined the problem into a moving target,” Cox said. In the aftermath of the U.S. Supreme Court overturning Roe v Wade, many women have begun to question not only data collection practices in general, but specific apps as well — such as apps that track menstrual cycles. If you were wondering whether period tracking apps are safe to use, you can check our detailed guide on their privacy risks.
