Data & Tech

Lawsuit against Kochava raises serious questions about location data

‘It can be read as an indictment of location-based marketing and even an indictment, more broadly, of the entire data-broker business model,’ a lawyer told us.
article cover

Grant Thomas

· 6 min read

Those who collect and sell location data might have raised an eyebrow last week when the Federal Trade Commission sued Kochava, a data broker, for, well, collecting and selling location data.

The FTC alleged that Kochava was selling data that could be used to “trace the movements of individuals to and from sensitive locations.” Though Kochava argued in its own lawsuit—that was filed in anticipation of the FTC’s suit—that the FTC’s case is baseless, privacy experts told Marketing Brew that the commission’s argument is so broad that it could, theoretically, put the collection and sale of location data under the thumb of regulators.

There are currently no federal laws that regulate the data-broker industry—and Kochava has gone as far as to argue that consumers who agree to share their data should actually expect their data to be bought and sold to third parties. The FTC is trying to make the case that collecting and selling this sensitive data is “opaque to consumers, who typically do not know who has collected their location data and how it is being used.”

The argument that this is unfair and could cause harm to consumers is “untested in court,” Allison Lefrak, SVP of public policy, ads privacy and COPPA compliance at Pixalate, told Marketing Brew.

“It can be read as an indictment of location-based marketing and even an indictment, more broadly, of the entire data-broker business model,” she said. The FTC has an “uphill battle here in proving substantial injury to consumers,” Lefrak said, but if it prevails, the ruling could create a precedent that other data brokers would need to follow.

Industry response

Specifically, the FTC alleged that Kochava shared this data with anyone who applied for a free data sample, with minimum vetting and “no restrictions on usage,” and that Kochava didn’t have any “technical controls to prohibit its customers from identifying consumers or tracking them to sensitive locations,” like a blocklist that could remove or obfuscate “location signals around sensitive locations.”

Those sensitive locations included ones “associated with medical care, reproductive health, religious worship, mental health, temporary shelters, such as shelters for the homeless, domestic-violence survivors, or other at-risk populations, and addiction recovery.”

Since the Supreme Court overturned Roe in June, location data, often collected by mobile apps, has been at the forefront of discussions as some people fear that it could be used to prosecute those seeking abortions or related health services.

In June, President Biden called on the FTC to protect consumers’ data privacy in light of the Roe decision.

So far, some in the industry have responded by saying it’ll aim to avoid this kind of collection. In June, PlaceIQ, Foursquare, and Cuebiq, which all sell location data, agreed to standards proposed by the industry trade group the Network Advertising Initiative to implement “restrictions on the use, sale, or transfer” of location data tied to “religious worship, sensitive healthcare services, military bases, LGBTQ+ identity, and other places.”

Get marketing news you'll actually want to read

Marketing Brew informs marketing pros of the latest on brand strategy, social media, and ad tech via our weekday newsletter, virtual events, marketing conferences, and digital guides.

These standards also require companies to maintain a directory of sensitive locations, which would be subject to annual reviews by the NAI, said David LeDuc, VP of public policy at the NAI, who told Marketing Brew these standards had been in the works since early 2022 and weren’t created as a response to the Roe decision.

“There is a large amount of data downstream, and there are brokers out there that are sharing this data indiscriminately,” he said.

In July, Google said it would automatically delete location data associated with facilities including “domestic-violence shelters, abortion clinics, fertility centers, addiction treatment facilities, weight-loss clinics.”

“Make a good-faith effort”

In August, Kochava said that it created a tool called “Privacy Block” that “removes health services location” data from Kochava’s third-party marketplace, though it’s not clear if this is done automatically or at a client’s request. And though this argument doesn’t appear in its own lawsuit, Kochava CEO Charles Manning wrote in an open letter that there is no “specificity on what is defined as ‘sensitive’ and what locations meet that criteria,” a point echoed by the NIA’s LeDuc to Marketing Brew.

“It came in an action. Companies didn’t know, beyond the warning they put out,” he said.

Lefrak said “one of the clear takeaways…is that the FTC thinks it would be a reasonable data practice” for companies that collect sensitive location data to create blocklists.

Companies collecting this data might want to figure out what data not to collect, said Megan Gray, founder and CEO of GrayMatters Law & Policy and a former FTC attorney.

“Make a good-faith effort—it doesn’t have to be perfect—to filter out sensitive locations. And require people buying access to your database to certify that they are using it for legitimate commercial purposes,” she said, like banking or ad tech. “Definitely not harassing people seeking abortions.”

Easier said than done. Besides the three companies included in the initial announcement, none of the NAI’s other members, including Google, Microsoft, Criteo, and Neustar, have signed on. LeDuc said this was due to complaints that they were too onerous or could welcome unwanted attention. Creating a list of sensitive locations is “ not easy at all. There are millions of these locations as we’ve defined them. There are many, many more if the FTC wants to say any medical facility is included,” he said.

Both Lefrak and Gray said they believed the FTC’s argument would be difficult to prove, but it might not matter, as legislative efforts in Washington are underway to pass federal privacy laws that would strengthen the agency.

Even without help from Congress, the agency has issued a notice of proposed rulemaking centered around commercial surveillance and data security, asking for public comment on whether “new rules are needed to protect people’s privacy and information in the commercial surveillance economy.”

Get marketing news you'll actually want to read

Marketing Brew informs marketing pros of the latest on brand strategy, social media, and ad tech via our weekday newsletter, virtual events, marketing conferences, and digital guides.