Healthcare , HIPAA/HITECH , Industry Specific
FTC Alleges Data Broker Sells Vast Amounts of Sensitive Data
Agency Details Accusations Against Idaho Firm in Unsealed Amended ComplaintThe Federal Trade Commission in an amended lawsuit complaint unsealed Friday detailed how Idaho-based data broker Kochava allegedly violated federal law by collecting and disclosing to third parties "enormous" amounts of geolocation and other sensitive information about consumers.
See Also: Using the Netskope HIPAA Mapping Guide
The 33-page amended complaint unsealed by an Idaho federal court in the FTC's ongoing data privacy dispute with Kochava alleges the company "itself concedes" that the precise geolocation data it collects from individuals' mobile devices is not anonymous, "but rather can be, and is, used to track and identify individual consumers."
The FTC’s original lawsuit complaint, filed in August 2022, was only 11 pages long and did not include many of the details contained in the agency's amended complaint regarding the FTC's allegations against Kochava (see: FTC Sues Firm That Collects, Sells Sensitive Location Data).
The FTC filed its amended complaint after an Idaho federal judge on May 4 dismissed the agency's first complaint, writing that the FTC had relied too much on an inference that consumers are injured by the data broker's business model (see: FTC Files Amended Lawsuit Against Data Broker Kochava).
In his May ruling, District Judge B. Lynn Winmill of the US. District Court for the District of Idaho said the agency could try again with an amended complaint within 30 days, writing that "the privacy concerns raised by the FTC are certainly legitimate."
The FTC accepted the judge's offer and filed the amended complaint against Kochava on June 5 under seal, citing possible objections by Kochava to a public airing of material the company asserted is proprietary. The seal was lifted on Nov. 3.
The FTC is seeking a permanent injunctive order and other relief for Kochava's acts or practices in violation of section 5 the FTC Act.
Amended Complaints' Allegations
Kochava’s collection, use and disclosure of precise geolocation data invade consumers' privacy, the FTC alleges. The company's collection of mobile geolocation data reveals consumers' "movements throughout a day, week, month, year, or even more, including their visits to sensitive locations - for example, locations associated with medical care, reproductive health, religious worship, mental health, temporary shelters, such as shelters for the homeless, domestic violence survivors, or other at-risk populations, and addiction recovery," the FTC alleged.
In many cases, Kochava directly links this precise geolocation data to other sensitive identifying information about individual consumers, the FTC alleges.
"In addition to precise geolocation data, Kochava amasses and discloses a staggering amount of sensitive and identifying information about consumers," the FTC alleges.
That includes names, addresses, phone numbers, email addresses, gender, age, ethnicity, yearly income, "economic stability," marital status, education level, political affiliation, "app affinity" - or the apps consumers have installed on their phones, app usage, "interests and behaviors," plus, a Mobile Advertising ID, or MAID.
Kochava's MAIDs are assigned by a mobile device's operating system to allow companies to track a consumer's mobile activity and are used to send targeted advertisements, the FTC alleged.
Kochava collection, use and disclosures of geolocation and the other "enormous amounts" of additional private and sensitive information about consumers invade consumers' privacy and cause or are likely to cause consumers substantial injury, the FTC alleged.
The data broker collects and sells data in several different forms in their "Kochava Collective" product offering to customers. This include precise geolocation data, comprehensive profiles of individual consumers, tracking consumers' uses of mobile apps on their devices, and categorizing consumers based on identified sensitive and personal characteristics and attributes.
"This ability to target consumers on such granular facts about them is precisely the point of the Kochava Collective, as Kochava makes clear to potential customers," the FTC alleged.
In the amended complaint, the FTC offers various examples alleging how the company is collecting and selling these detailed collections of consumer data, including individuals' sensitive medical visits, such as reproductive healthcare.
"Kochava's precise geolocation data can be used to identify consumers who have visited an abortion clinic and, as a result, may have had or contemplated having an abortion," the FTC alleged.
"In fact, in just the data Kochava made available in the Kochava Data Sample, [the FTC] identified a mobile device that visited a women's reproductive health clinic and traced that mobile device to a single-family residence," the FTC alleged.
"The data set also reveals that the same mobile device was at a particular location at least three evenings in the same week, suggesting the mobile device user's routine. The data can also be used to identify medical professionals who perform, or assist in the performance, of abortion services."
The FTC declined Information Security Media Group's request for comment on the agency's amended complaint against Kochava.
Kochava did not immediately respond to ISMG's request for comment on the FTC's allegations.
'Compelling Narrative'
Regulatory attorney Daniel Kaufman of the law firm BakerHostetler said the FTC's amended complaint "tells a far more compelling narrative about the breadth of data that was allegedly being sold or shared with third parties."
That said, "the FTC is relying on its unfairness authority in this case, and it remains to be seen whether this more detailed narrative will be sufficient to demonstrate the likelihood of substantial injury to consumers," said Kaufman, who is the former acting director of the FTC's Consumer Protection Bureau and who is not involved in the Kochava case.
"The court's initial decision in this case was a very important decision for the agency and held that privacy harms can be an unfair practice but also made it clear that there is a high burden that the agency has to meet when alleging that practices are unfair," he said.
Given the absence of comprehensive federal privacy legislation, the FTC remains the primary federal law enforcer and clearly has great concerns about the broad collection and sharing of consumer location data and other sensitive data, Kaufman said.
But "the FTC's primary tool to address a lot of these issues is not ideally suited to the task and there remain real challenges as to whether the agency can realistically address all of the privacy challenges that it wants to address," he said.
"As someone who spent a long time at the agency, this amended complaint demonstrates that the FTC is fully invested in this case and is making a strong effort to get this case to proceed," Kaufman said.
"Unfairness is not an easy tool to use in law enforcement and, for better or worse, it is a primary tool that that the agency will be using to address current privacy concerns."