FTC’s case against Kochava puts ‘fairness’ of data broker industry to the test

The collecting and selling of health services location data by ad-tech firms — and its impact on consumers — lies at the crux of the unusual suit.

Justice System stock art imafge

The data broker industry has yet to see legislation curbing the sale of consumer healthcare data. But a lawsuit by the Federal Trade Commission may be an early test of the agency's ability to enforce rules around one of the ad-tech sector's most common practices. 

At issue in the case against data broker Kochava is whether the firm, which acquires geolocation data and sells it in formats that allow others to track consumers' movements to and from locations associated with medical care, violates FTC regulations. 

The complaint states that "Kochava's data can reveal people's visits to reproductive health clinics, places of worship, homeless and domestic violence shelters and addiction recovery facilities."

The case comes on the heels of the Supreme Court's June decision in Dobbs v. Jackson Women's Health Organization, which overturned Roe v. Wade and the Constitutional right to an abortion. All data brokers have come under fresh scrutiny, with the worry being that their product offerings may not just be leveraged by advertisers. Such data, in a post-Roe world, may also be weaponized by states with abortion bans

In fact, the Kochava suit may have been a vehicle for the FTC to respond to Dobbs in a way that "protects consumers from the misuse of data in ways that could impact their reproductive freedoms," said Cobun Zweifel-Keegan, managing director of the Washington, D.C. chapter of the International Association of Privacy Professionals (IAPP).

But the case is also "representative of the FTC's overall concern with data brokers," he added, and could help establish some "bright line restrictions" around the way they collect and sell information. 

The suit, filed August 29, charges Kochava with the "unfair sale" of sensitive data in violation of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce." 

Kochava's precise geolocation data is collected from consumers' mobile devices at exact times, right down to latitude and longitude coordinates, per the lawsuit. Those data are paired with the unique identifiers assigned to a consumer's mobile device. Kochava then sells the data to clients, who use it to assist in advertising and in analyzing foot traffic at stores or other locations, among other purposes. 

In an open letter posted to Kochava's website, CEO Charles Manning countered that his firm "operates consistently and proactively in compliance with all rules and laws, including those specific to privacy."

Kochava, he acknowledged, sources 100% of its precision geo data in its marketplace from third parties but said the company doesn't sell this data to entities or individuals that use it for the "nefarious reasons" theorized in the FTC's lawsuit, which Manning said is based on "hypothetical scenarios."

But the FTC argues that, because the location data provided by Kochava is not anonymized, it's possible to combine it with a mobile device's unique identifier (known as a MAID) to identify the mobile device's user or owner. Some data brokers advertise services to match MAIDs with "offline" information, such as consumers' names and physical addresses.

Kochava's marriage of geo data and MAIDs isn't the norm. Other data brokers create their own proprietary, unique I.D. so that it can't be combined with other data sets, Zweifel-Keegan noted. 

To the extent that companies are taking different approaches, this case may result in a new set of standards. Organizations are already starting to be mindful of the different sensitivities of locations people visit.

Google, for instance, recently changed its timeline and map functions to automatically delete locations that phones mark as having been visited. Period-tracker app Flo, which settled with the FTC in 2021 over concerns its privacy policy misled consumers, is developing an "anonymous" mode that strips out personal identifiers. Others in the data broker business have begun creating blacklists that remove or obfuscate location signals around sensitive locales from their data sets.

Kochava employs no such blacklist, the FTC argues. The company said, however, that a feature designed to remove health services location data from its marketplace is set to go into effect by later this year.

As far as the legal bar the FTC must clear, "unfairness" is a little tricky due to the challenges that come with proving it, Zweifel-Keegan said. He added that this is the first time an unfairness claim has appeared by itself in an FTC complaint in the context of privacy.

"Basically, what you're looking for in unfairness, on a high level, is that a company is acting outside the realm of practices that consumers are expecting when it comes to their privacy," he explained. "That means violating people's trust by doing things that they wouldn't otherwise expect you to be doing with their data."

FTC argues that, in just the free sample of Kochava's location data feed – made publicly available with only minimal steps and no restrictions on usage from its website until June 22 – it's possible to identify a mobile device that visited a women's reproductive health clinic and trace that mobile device to a single-family residence. 

"The data set also reveals that the same mobile device was at a particular location at least three evenings in the same week, suggesting the mobile device user's routine," notes the complaint. "The data may also be used to identify medical professionals who perform, or assist in the performance, of abortion services."

Ditto for visits to places of worship, domestic violence or homeless shelters, addiction recovery centers or locations that may be used to infer an LGBTQ+ identification, the agency contends.

The FTC must prove that the practices in question can potentially harm consumers and that such harm is not outweighed by other benefits to consumers or competition, said Zweifel-Keegan.

"In principle we agree with the FTC that blocking sensitive locations is a good idea, but there is no specificity on what is defined as 'sensitive' and what locations meet that criteria," Manning wrote.

But the FTC has yet to provide the industry with clear guidance on the specifics, he said. The agency is just now starting a privacy working group designed to answer such questions. 

"Given this, it seems premature for the FTC to litigate for potential violations for rules that are not even established," noted Manning, who characterized the suit as "a political fight." 

The FTC will need to think through these types of sensitive locations and the issues of potential identification versus the benefits.

"It's unusual for a case to end up in this posture from the FTC where now it's going to be very publicly fought," Zweifel-Keegan continued. If the two sides fail to settle out of court, we’re likely to see “a court wrestling with these questions of what unfairness, and the test of unfairness, looks like in the privacy context."

That's never really happened before, he said. Obviously the agency has internally applied that test, “But now we might get to see it in practice."


This article originally appeared on MM+M.


Have you registered with us yet?

Register now to enjoy more articles and free email bulletins

Register
Already registered?
Sign in