The case against Kochava: A look at the FTC's amended complaint

Last week, an Idaho District Court unsealed the Federal Trade Commission (FTC)’s amended complaint against Kochava, a company that the FTC describes as a “location data broker” that sells “massive amounts of precise geolocation data collected from consumers’ mobile devices.”

The court dismissed the FTC’s original complaint in April – but gave the agency a month to strengthen its allegations about the intrusive nature of Kochava’s data and try again. Here’s the backstory, and a look at how the FTC’s arguments have evolved since the spring.

What is Kochava?

Kochava, according to Kochava, is “the industry leader for mobile app attribution and mobile app analytics”.

According to the FTC, “Kochava is a data broker, and its business is to sell information about consumers.”

What types of data does Kochava sell?

The FTC summarizes the type of data sold by Kochava as follows:

• Precise geolocation data
• “Comprehensive profiles of individual consumers” (known as the “Database Graph”)
• Information about how individual consumers use mobile apps (known as the “App Graph”)
• Audience segments: Groups of consumers categorized by their inferred characteristics.

For the most part, Kochava buys this data third parties and sells it to other third parties.

Having purchased data from Kochava, the FTC claims it would be possible to identify the following information about, for example, a specific woman:

• Her name
• Her email address
• Her home address
• The location of a building she regularly visits
• The fact that she is African-American
• How many children she has
• The fact that she has an app installed on her phone that is used to identify cancer symptoms

The complaint pays particular attention to the nature of the geolocation data that Kochava sells.

What’s special about Kochava’s geolocation data?

According to the FTC, Kochava’s commercially available geolocation data:

• Can track people’s movements throughout a “day, week, month, year, or even more”
• Is accurate to within 10 meters
• Is regularly updated by Kochava
• Can reveal people’s visits to locations associated with:
  • Medical care
  • Reproductive health
  • Religious worship
  • Mental health
  • Temporary shelters for homeless people, domestic violence survivors, people recovering from addiction, other vulnerable populations

Why was this complaint sealed?

The FTC’s amended complaint was sealed back in June at the request of Kochava. Five months later, having reviewed the complaint, the court found that not “a single one” of the FTC’s claims appeared “false or misleading”. The court unsealed the complaint on 3 November.

Kochava also asked the court to sanction the FTC for making false claims in a frivolous lawsuit, but the court refused to do so.

Last summer, the FTC accused Kochava of violating the FTC Act by putting consumers at risk of “substantial injury”.

In response, Kochava promised to implement new controls over health-related data, but also preemptively filed a lawsuit arguing that the FTC lacked jurisdiction to regulate its activities.

The court disagreed with Kochava and allowed the FTC to bring a complaint against the company last August. In May, the judge dismissed the complaint but gave the FTC 30 days to amend and resubmit it.

What was wrong with the FTC’s original complaint?

The judge agreed with some of the FTC’s original arguments but found that the agency had not demonstrated a direct link between Kochava’s activities and consumer harm.

The court was persuaded that Kochava’s data could be used to infer sensitive information about individuals. However, the FTC did not make the case that Kochava’s activities, in themselves, created this risk.

“The FTC’s complaint does no more than claim that such secondary harms are theoretically possible,” the court said. “The FTC must go one step further and allege that Kochava’s practices create a ‘significant risk’ that third parties will identify and harm consumers.”

What’s changed in the FTC’s new complaint?

In its recently unsealed amended complaint, the FTC seeks to persuade the court that a person could identify an individual via Kochava’s commercially available data alone.

The complaint describes how Kochava sells mobile advertising IDs (MAIDs) together with the GPS coordinates and timestamps that can reveal an individual’s location over time.

“It is possible to use the geolocation data, combined with the mobile device’s MAID, to identify the mobile device’s user or owner,” the FTC argues.

“For example, some data brokers advertise services to match MAIDs with ‘offline’ information, such as consumers’ names and physical addresses.”

“Even without such services, however, location data can be used to identify people,” the FTC claims, in an attempt to strengthen the link between Kochava’s activities and risks to individuals.

“The location data sold by Kochava typically includes multiple timestamped signals for each MAID. By plotting each of these signals on a map, much can be inferred about the mobile device owners,” the FTC alleges.

Will the FTC win?

The court may or may not be persuaded by the FTC’s amended analysis of Kochava’s location data. Either way, data brokers across the US will be watching the case against Kochava very closely.

The data brokerage industry took a hit in September with the passage of California’s Delete Act. The law will establish a fast-track, centralized process enabling California residents to request the deletion of their personal information by every data broker operating in the state at once.

The US Supreme Court’s repeal of the abortion case Roe v Wade last June appeared to spur the country’s legislators and regulators into action. Twelve US states have now enacted comprehensive privacy laws, all of which have major implications for data brokers.

Even the threat of enforcement led Kochava to make significant changes to its operations. A victory for the FTC would be another blow to the entire business of buying and selling personal data.