FTC sues data broker for selling sensitive information, including abortion clinic visits
'Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder.'
The Federal Trade Commission announced yesterday that it is suing Kochava, an Idaho-based data marketing and analytics company, for selling millions of consumers’ private mobile device data. This data often contains sensitive geolocation information such as visits to reproductive health clinics, places of worship, as well as homeless and domestic abuse shelters. In the complaint, the FTC accuses Kochava of knowingly marketing and subsequently selling customized consumer data troves to third party businesses that include targeted information like timestamped longitude and latitude coordinates—details which could potentially be used to track, stalk, or even physical harm intended victims.
“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”
Kochava claims its data caches allow businesses to better advertise and analyze their consumer demographics based on info like foot traffic, but as the FTC notes, its selling points go far beyond potentially improving sales numbers. For instance, observing a mobile device’s location at night likely infers its owner’s home address—when paired with property records, one could easily determine exactly who lives at the residence. This information could identify a person’s medical visits, if they attend religious services, and various other personal details. “In fact, the data broker has touted identifying households as one of the possible uses of its data in some marketing materials,” the FTC adds.
The complaint notes that until at least June 2022, Kochava “allowed anyone with little effort to obtain a large sample of sensitive data and use it without restriction,” including timestamped location data of more than 61 million unique mobile devices in a single week. In a statement provided to NBC News, the general manager of Kochava’s online data marketplace countered that, “real progress to improve data privacy for consumers will not be reached through flamboyant press releases and frivolous litigation.”
[Related: How data brokers threaten your privacy.]
The lawsuit is a first for the FTC in the wake of the Supreme Court’s historic overruling of federal abortion access previously enshrined in Roe vs. Wade, and signals the agency’s desire to enshrine citizens’ data privacy rights. Earlier this summer, it was revealed that Facebook recently provided Nebraska law enforcement with a mother and daughter’s private direct message conversations pertaining to their planning and carrying out an abortion past the state’s legal time limit. Just two weeks ago, Kochava filed its own lawsuit against the FTC in advance of today’s announcement, claiming the agency was “wrongly threatening” the company with legal action.