The Federal Trade Commission sued Kochava on Monday for allegedly selling visitation data tied to abortion clinics, mental health facilities, places of worship, domestic abuse shelters and other sensitive locations.
The FTC’s complaint (click here to read it in full) claims that Kochava acquires and sells precise geolocation data associated with mobile ad IDs “in a format” that allows entities to track a person’s movements to and from these locations.
According to the FTC, the geolocation data provided by Kochava is not anonymized, which means that combining it with a mobile ad ID and offline information could serve to identify a specific device owner.
But even if that doesn’t happen, the FTC claims that the location data in Kochava’s marketplace typically includes multiple time-stamped signals for each mobile ad ID, and that by plotting these signals on a map it would be possible to make inferences about a device owner.
If a phone spends eight hours each night in a certain location, for example, it’s likely the person lives there.
By the same token, the complaint says that by using a publicly available map program to plot the latitude and longitude coordinates included in Kochava’s marketplace, it would be possible to know whether and at what times a mobile device visited, say, a reproductive health clinic.
Although the FTC’s complaint talks about tracking visits to “sensitive locations” in general and there’s no specific mention of the recent overturn of Roe v. Wade in the suit, it’s hard to imagine that the Dobbs decision isn’t one of the main motivators here.
Although Kochava charges a monthly subscription fee for access to its data, the FTC suit points out that it has also offered a free “data sample” that was relatively easy to access in just a few steps.
Until June 2022, for instance, anyone with a free AWS account could get a subset of licensed data covering a rolling seven-day period formatted as a text file that included information corresponding to more than 61,803,400 unique mobile devices.
Suit yourself
Kochava was aware that this suit was coming.
Two weeks ago, Kochava preemptively sued the FTC claiming that the agency was wrongfully threatening to sue the company for selling sensitive geolocation data.
The FTC sent a copy of its proposed complaint to Kochava in advance, according to The Wall Street Journal.
In a statement on Aug. 15, Kochava called the commission’s then-as-yet unfiled suit a “manipulative attempt by the FTC to give the appearance that it is protecting consumer privacy despite being based on completely false pretenses.” Kochava also told the Journal that the FTC doesn’t seem to understand how Kochava’s business works.
Just a few days before that, in early August, Kochava released a new feature it calls “Privacy Block” that excludes any health services-related location data from its data marketplace.
Kochava is not the only company to come under fire recently for privacy concerns related to sensitive location data.
Vice’s Motherboard found that it was able to buy location data from SafeGraph showing who visited Planned Parenthood facilities, including how long they stayed and where they went before and after. MobileWalla was called out in 2020 for tracking mobile devices to collect data on Black Lives Matter protesters. And Gravy Analytics allegedly contracted with Homeland Security during the Trump administration to track the location of people crossing the US-Mexico border.
Kochava did not respond in time for publication to a request from AdExchanger for comment on the FTC’s lawsuit.
