The Federal Trade Commission (FTC) will ban data broker Kochava and its subsidiary Collective Data Solutions (CDS) from selling location data without consumers’ explicit consent to settle charges brought nearly four years ago.
The FTC sued Idaho-based Kochava in August 2022, alleging it collected and sold precise geolocation data from hundreds of millions of mobile devices. This information allowed Kochava’s clients to track the mobile users’ movements to and from sensitive locations, including mental health and addiction recovery facilities, reproductive health clinics, places of worship, and shelters for the homeless and domestic violence survivors.
According to the complaint, the company provided clients who paid a $25,000 subscription fee with access to this data through a user-friendly data feed via the Amazon Web Services (AWS) Marketplace, claiming it delivered “rich geo data spanning billions of devices worldwide.”
Kochava also claimed that its location data feed “delivers raw latitude/longitude data with volumes around 94B+ geo transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device.”
The Commission said at the time that the affected consumers were unaware of and had not consented to the data sharing, leaving them with no means to avoid resulting harms, including stalking, discrimination, and physical violence.
Kochava also sued the FTC for overreaching and said (one day before filing the complaint against the U.S. consumer watchdog) that it would introduce “Privacy Block”, a “privacy-first approach to block health services locations from the Kochava Collective marketplace” to address the privacy issues pointed out by the FTC.
Under the proposed order filed in the U.S. District Court for the District of Idaho, Kochava and its subsidiary (which has since taken over Kochava’s data broker business) will be prohibited from selling, licensing, transferring, or disclosing precise location data unless they have affirmative express consent, and the data is used to provide a service that the consumers directly requested.
Beyond the sales prohibition, the companies must also establish a sensitive location data program, implement a supplier assessment program to verify consumer consent, allow consumers to request disclosure of who received their data and withdraw consent, submit incident reports to the FTC when third parties misuse location data, and create a data retention and deletion schedule.
This proposed order will carry the force of law upon approval by the District Court judge.
The FTC also announced in August 2022 that it was exploring new rules to crack down on businesses engaged in mass commercial surveillance, in which consumers’ information is collected, analyzed, and monetized. One month earlier, the Commission warned that it would enforce the law if companies illegally shared or used consumers’ sensitive information.
More recently, in 2024, the agency banned data brokers InMarket Media, Outlogic (formerly X-Mode Social), Gravy Analytics, and Mobilewalla from harvesting and selling Americans’ location tracking data.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
