On November 6, the U.S. District Court for the District of Idaho unsealed an amended complaint that the Federal Trade Commission (FTC) had filed in June against data analytics company Kochava Inc. The FTC initially sued Kochava in August 2022, claiming that Kochava collected and sold geolocation data from hundreds of millions of mobile devices in a format that allowed the purchasers of the data to track consumer movements. The complaint alleged that data purchasers could track customer movements to and from locations that raised sensitive privacy concerns, such as locations associated with individuals' medical care, reproductive and mental health, or religious worship, as well as travel to and from temporary shelters. We previously discussed the FTC's initial complaint in our September 27, 2022 Enforcement Edge post.
In May 2023, the District Court dismissed the FTC's initial complaint without prejudice, finding that the FTC had failed adequately to allege a likelihood of substantial consumer injury (a required element of the FTC's claims). In its order of dismissal, the Court opined that (1) although it was plausible that third parties could use Kochava's geolocation data to track consumers' past movements to sensitive locations and make inferences based on that information, the FTC had failed to allege that consumers are suffering, or are likely to suffer, any secondary harms such as "stigma, discrimination, physical violence [and] emotional distress" and (2) the adverse impact of the disclosure of consumers' sensitive location information was not sufficiently severe to constitute a substantial injury.
The Amended Complaint
The FTC's 35-page amended complaint paints a more detailed picture of Kochava's data collection and disclosure practices. According to the FTC, Kochava has amassed and disclosed "a staggering amount" of sensitive data, including consumers' names, genders, ages, ethnicities, incomes, economic stability, political affiliation, and "interests and behaviors." Allegedly, Kochava connects this information with an individual's precise geolocation data, including timestamped latitude and longitude coordinates.
The amended complaint asserts that these practices cause substantial injury because the information collected and sold not only includes sensitive characteristics such as gender identity, medical conditions, ethnicity, and religious activity, but also private information about a consumer's family, such as marital status, number of children, and whether those children may have special needs. Particularly offensive, the complaint alleges, is Kochava's tracking and sale of data related to women's uses of pregnancy, ovulation, and menstruation apps. The FTC describes this comprehensive look into consumers' private lives, which it claims cannot be obtained through observing individuals in public spaces, as "unprecedented."
Regarding secondary harms to consumers, which the district court found inadequately alleged in the FTC's initial complaint, the amended complaint describes in detail Kochava's collection of precise geolocation data as well as data associated with a persistent identifier known as a Mobile Advertising ID (MAID). According to the amended complaint, Kochava sells data in a way that can link a MAID directly to an individual, and the primary purpose of a MAID is to target individual consumers. To substantiate its claim that such targeting causes substantial harm, the FTC uses an example of a Catholic priest who was forced to resign from his position based on location data collected from his phone. The FTC further cites a 2018 enforcement action by the Massachusetts Attorney General against a data broker who sent targeted ads about abortion alternatives to a segment of individuals it classified as "abortion-minded women" based on their precise geolocation data.
The FTC's second attempt to bar Kochava's data collection and usage further underscores the agency's concerns about how companies may use, or misuse, precise geolocation data. Although the amended complaint provides additional detail and insight into Kochava's alleged data collection practices, the FTC still does not make any specific allegations of actual instances of harm resulting from Kochava's use, collection, and disclosure of consumer data.
It remains to be seen whether the FTC's revisions to its complaint will be sufficient to convince the district court that Kochava's disclosure of sensitive information constitutes unfair conduct under Section 5 of the FTC Act. We will continue to monitor the FTC's case against Kochava on Enforcement Edge, as well as the FTC's evolving approach to data privacy and security protections.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.