In the weeks since the Federal Trade Commission sued Kochava in late August for allegedly selling sensitive geolocation data, some have wondered: Why Kochava?
Kochava isn’t the only ad tech company with a location data business. And it arguably has (well, had) a lower profile than SafeGraph, for example, which has been excoriated in the press for selling information tied to abortion clinic visits.
After the FTC filed its suit, Jessica Lee, a partner at the law firm Loeb & Loeb and chair of its privacy, security and data innovations practice, made the point on Twitter that the FTC’s complaint against Kochava read like “an indictment of the business model more than an indictment about the specific practices of one business.”
As in, an indictment of ad tech.
Earlier this week, AdExchanger asked FTC Commissioner Alvaro Bedoya during his keynote at the NAD’s conference on advertising law in Washington, DC, why the commission decided to focus on Kochava rather than any other ad tech company with a location data business.
And, according to Bedoya, Kochava was singled out for a reason.
“I suspect you’re right, that other companies engage in the same practices, but not all of them engage in the practices described in that complaint,” Bedoya said. “That is one of the reasons … I was eager to support our action against that company.”
The FTC’s reasoning
One of the main assertions in the FTC’s complaint is that the data Kochava lists in its data marketplace, known as the Kochava Collective, isn’t anonymized – and raw data isn’t good for your health.
The FTC contends that Kochava failed to adequately protect its data from public exposure and that, until at least June 2022, the company allowed anyone with an AWS account to easily obtain a free data sample and access to more data containing information tied to tens of millions of mobile ad IDs.
This data could then be combined with other data (like someone’s home address from public records or an inference based on the fact that a specific mobile phone spends every night in the same physical place) to identify individuals and track their visits to sensitive locations, including addiction recovery facilities, reproductive health clinics and places of worship.
What the complaint doesn’t say is whether this was actually happening – but the potential for harm was enough for the FTC to take action.
And there is precedent for the FTC taking a stand against the use or potential use of sensitive data in a way that consumers wouldn’t reasonably expect.
This is consistent with other FTC cases like Sears and Vizio where the FTC has said that *sensitive* data carries heightened protections — secondary processing unrelated to the transaction and not at the direction of the consumer may be per se illegal. https://t.co/HfZMA4Dk9V pic.twitter.com/tf1z0W3qPL
— Justin Brookman (@JustinBrookman) August 29, 2022
Setting an example
And speaking of precedent, that’s another reason why Bedoya voted in favor of filing the complaint against Kochava. (The end vote was 4-1 in favor, with outgoing FTC Commissioner Noah Phillips as the only dissenting opinion.)
Although FTC Chair Lina Khan sets the commission’s overall strategy, Bedoya said that he’s “particularly interested in” cases like Kochava “where precedents could be established that could inform industry as a whole.”
Bedoya couldn’t say much more, because the Kochava case is actively in litigation, but he did say that when cases with the potential to create precedent land on his desk, “those are the ones I spend the most time on, the most time studying and the most time talking to [FTC] staff about.”
For more articles featuring Alvaro Bedoya, click here.
