Governance and risk management , Legislation and litigation , Confidentiality
Agency’s lawsuit against Kochava follows firm’s preemptive lawsuit against FTC
Marianne Kolbasuk McGee (HealthInfoSec) •
August 29, 2022
The U.S. Federal Trade Commission has sued a data broker, alleging the company sells sensitive location data collected from hundreds of millions of mobile devices, including data that could be used to identify people who visited abortion clinics, mental health providers and other sensitive locations.
Idaho-based Kochava Inc. sells location data associated with a timestamp and a unique identifier known as a mobile advertising ID that allows buyers to detect the true identity of the device owner. , says the agency in its complaint. This amounts to an unfair market practice, according to the FTC.
Kochava earlier this month filed its own lawsuit in the same federal court in Idaho as the FTC in an effort to preemptively counter the federal agency (see: FTC Lawsuit Intensifies Location Privacy Battle).
Kochava in court documents admitted to collecting mobile advertising identifiers and latitude and longitude information generated by smartphones, but said it did not connect that data to consumers or locations. The data comes from apps for which consumers have agreed to share location data, the company also said. “In other words, the consumer has agreed to share their location data with an app developer. As such, the consumer should reasonably expect that data to contain the consumer’s locations, even the locations which it deems sensitive,” the company wrote.
The FTC lawsuit follows a July executive order from President Joe Biden encouraging the agency to take steps to protect privacy around reproductive health services.
In June, the Supreme Court struck down a constitutional abortion guarantee embodied in the five-decade-old precedent of Roe v. Wade. Since then, a dozen states have implemented complete abortion bans, and other states have imposed partial bans or are seeking to implement new restrictions on reproductive health. The bans, especially when coupled with state legislative attempts to impose restrictions on abortion for women traveling to a state where it is still legal, have raised concerns that mobile devices could be used for monitoring purposes.
There is precedent to suggest that the concerns are not unwarranted. In 2017, the Massachusetts Attorney General reached a settlement with an advertising company that was using smartphone tracking to target women near reproductive health centers and methadone clinics with anti-abortion ads with headlines like as “Pregnancy Help”, “You Have Choices” and “You’ I’m Not Alone.”
The FTC alleges that in addition to visits to healthcare facilities, Kochava’s data can reveal individuals’ visits to a host of sensitive places, such as places of worship and homelessness and domestic violence shelters.
“By selling people-tracking data, Kochava enables others to identify individuals and expose them to threats of stigma, harassment, discrimination, job loss, and even physical violence,” says the FTC in a statement.
Among other claims, the FTC alleges that Kochava’s personalized data feeds allow buyers to identify and track specific mobile device users. “For example, the location of a mobile device at night is likely the user’s home address and could be combined with ownership records to discover their identity. In fact, the data broker presented the identification of households as one of the possible uses of its data in certain marketing materials,” the FTC alleges.
The agency’s lawsuit seeks to stop Kochava’s sale of sensitive geolocation data and requires the company to delete location data it has collected.
The lawsuit does not address a putative defense that Kochava raised in his pretrial lawsuit — namely that the company earlier this month introduced a new feature called Privacy Block, which strips health service location data from its market. It’s probably too little, too late, says regulatory attorney Rachel Rose, who is not involved in the case.
“Kochava should have already put this in place,” Rose says. A judge could consider the measures as a subsequent remedy. The federal court rules do not allow litigants to use remedial measures put in place after the alleged injury as evidence of negligence or culpable conduct, but they do allow them as evidence for other purposes.
The FTC could argue “that the company failed to comply with a plethora of laws from the outset by obtaining evidence before the August 2022 enactment of the privacy block and using it without even referring to the privacy block” , she says.