FTC sued by firm allegedly selling sensitive data on abortion clinic visits

Among the first location data brokers to publicly come under fire by the Federal Trade Commission for allegedly selling sensitive reproductive health data is Kochava, Inc. In a lawsuit filed by the adtech company this week, Kochava asked a federal court to intervene and stop the FTC from an alleged overreach.

Kochava’s complaint revealed for the first time how the FTC might act to protect consumer data from being used to support abortion prosecutions in post-Roe America. In it, Kochava described a proposed FTC complaint against Kochava that alleges that the company’s data collection practices make it possible for third parties and bad actors to track users’ sensitive location data. The FTC suggests that mobile phone users weren’t reasonably informed that they were sharing this data with Kochava, making the practice unfair or deceptive and allegedly in violation of the Federal Trade Commission Act.

In a statement to Ars, Kochava defended its data collection practices: “Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy. Nevertheless, Kochava has been threatened by the FTC with a lawsuit and a proposed settlement, the merits of which are not accurate. This is a manipulative attempt by the FTC to give the appearance that it is protecting consumer privacy despite being based on completely false pretenses.” Suing the FTC to block its lawsuit, Kochava in its complaint noted that the FTC has up to 60 days—by mid-October—to answer a court summons.

What did Kochava allegedly do?

According to its company website, Kochava is the “largest independent data marketplace for connected devices.” Based in Idaho, Kochava’s primary business is designing app-developer tools to track, organize, and visualize marketing data, often purchasing and selling third-party mobile device data to its customers under a secondary business called Kochava Collective.

The FTC alleges that Kochava customers can “license premium data,” which it says dangerously includes the “precision location of a consumer’s mobile device,” sharing “timestamped latitude and longitude coordinates showing the location of mobile devices.” This, the FTC says, could allow bad actors, law enforcement, or anyone with access to track consumers visiting sensitive locations such as “therapists’ offices, addiction recovery centers, medical facilities, and women’s reproductive health clinics.”

The FTC has alleged that Kochava’s data collection methods are “unfair or deceptive acts or practices in or affecting commerce,” because “they cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves.” The FTC also says that the FTC Act applies because there is no critical or universal benefit to consumers or the competitive market from collecting sensitive data.

Kochava says in his complaint that the FTC is wrong and does not understand their technology, claiming that it already employs “technical controls to prohibit its customers from identifying consumers or tracking” third-party users at sensitive locations. The company says the lawsuit is a waste of time, primarily because the “FTC still has yet to issue any rule or statement with legal force and effect describing the specific geolocation data practices it believes” it has the authority to prohibit or permit. Absent that specific rulemaking, the FTC makes it hard for firms to comply with the law, Kochava suggests.

Kochava also says that allowing the FTC to tie up the adtech company in a lengthy legal proceeding would inflict “irreparable and significant harm upon Kochava.”

The FTC declined Ars’ request to comment.

Is the FTC overreaching?

Kochava says in his complaint that the FTC sent its proposed complaint around July or August. Shortly after, the company announced a new policy that would seemingly address the FTC’s complaint by installing what it calls a “Privacy Block” that “removes health services location data from the Kochava Collective marketplace.” The feature is employed regardless of whether users consent to data sharing, and it also allows anyone in the health sector to register to block their location.

In a press release, Kochava Collective’s general manager, Brian Cox, suggested that Kochava was now ahead of US regulators in building a very necessary “health services location block list” that puts user privacy first by putting the power to protect all staff and patients back in the health services industry’s hands.

“We believe it’s important for the industry to be proactive and to collaborate on a unified health services location block list,” Cox wrote, noting that “there is no federal regulation or federal database which catalogs these locations to protect consumer privacy.”

A Kochava spokesperson declined to tell Ars if the “Privacy Block” feature was prompted by the FTC’s proposed lawsuit or already in the works.

However, because Kochava has changed his ways, the complaint urges the federal court to agree that the FTC has no authority to “seek injunctive relief for past conduct that has ceased, absent evidence that it is likely to recur.” Kochava also asked the court to consider “fundamental disagreements” on the interpretation of the FTC Act that largely forms the basis of the FTC’s proposed complaint. Kochava alleges that the FTC’s proposed lawsuit would be an improper application of the FTC Act, which it says doesn’t specify how its data collection practices are “unfair” or “deceptive.” Kochava also suggests that his due process rights have been violated by a presidential overreach urging the FTC to pursue such lawsuits in the absence of explicit legislation regulating health data collection.

Leave a Comment

Your email address will not be published.