
The US Federal Trade Commission (FTC) has moved to permanently restrict data broker Kochava and its subsidiary from selling precise location data.
This resolves allegations that the companies exposed the movements of millions of mobile users without their knowledge or consent.
The announcement follows a lawsuit the FTC initially filed in August 2022 against Idaho-based Kochava. The complaint accused the company of collecting and monetizing precise geolocation data tied to hundreds of millions of mobile devices, allowing third parties to infer users’ movements and routines. According to the FTC, this data included signals that could reveal visits to healthcare facilities, places of worship, and other sensitive venues. The agency argued that consumers were neither aware of nor able to meaningfully consent to this data collection and sharing, leaving them exposed to potential misuse.
Under the terms of the proposed settlement, Kochava and its subsidiary, Collective Data Solutions (CDS), will be barred from selling, licensing, or otherwise distributing sensitive location data unless they obtain explicit, affirmative consent from users. Even when consent is granted, the data may be used only to provide a service directly requested by the consumer, sharply limiting its commercial exploitation.
Kochava is a US-based data analytics and attribution company that has historically provided mobile app analytics, advertising measurement, and data brokerage services. Its subsidiary, CDS, now handles much of its data brokerage operations.
The FTC’s order introduces a series of compliance requirements to tighten controls over location data handling. Kochava and CDS must implement a program to identify and block the transfer of data associated with sensitive locations, as well as establish a supplier verification system to ensure that any collected data is backed by valid user consent. The companies are also required to report incidents of third-party misuse of location data in violation of contractual terms.
Additionally, the order mandates greater transparency and user control. Consumers will be able to request a list of entities that have received their location data and must be provided with a straightforward mechanism to revoke consent for future data sharing. The companies are also obligated to implement a data retention policy that enforces the timely deletion of collected information.
For users concerned about location privacy, limiting app permissions, disabling unnecessary location services, and reviewing app data-sharing practices are effective measures.





