It may not be over till it's over, but even Yogi Berra would have to agree it's not looking great for the U.S. Federal Trade Commission's case against Kochava. Yesterday, Idaho federal court Judge B. Lynn Winmill approved Kochava's motion to dismiss the FTC case against it, but granted the agency the opportunity to amend its complaint to convince the court to proceed. The case has important implications for best practices in the location data industry, while doubling down on the split in how federal courts analyze the elements necessary to establish an effective claim under the FTC's Section 5 authority.
Record scratch. Maybe we should go back to the beginning.
The saga began last year with Kochava's risky gambit to preemptively sue the FTC in U.S. federal court, rather than responding to the FTC complaint via the usual path of negotiating a settlement. In response, the FTC countersued, laying its case on the table with two claims that Kochava was engaging in unfair privacy practices.
According to the FTC, Kochava had been selling precise geolocation data, obtained from mobile apps, in a format that was tied to mobile ad IDs. The inclusion within this dataset of sensitive locations, such as places of worship and reproductive health clinics, allegedly constitutes an unfair practice for two reasons. First, it enables third parties to make sensitive inferences about individuals based on their patterns of behavior, which could potentially result in "stigma, discrimination, physical violence, and emotional distress." Second, the very act of disclosing the sensitive data constitutes an invasion of privacy, an alleged substantial injury in and of itself.
Kochava filed a motion to dismiss the FTC's claims, a common step in civil court proceedings, which requires the judge to consider whether the substantiated facts in the lawsuit articulate a plausible claim for legal relief. As my civil procedure professor described it, this is the "so what?" step of the case. Even if all this stuff you say is true, is it against the law?
Probably not, says the court. In short, the FTC's ability to move to the next step in the lawsuit hinges on moving the needle from "theoretically possible" secondary privacy harms to facts that show a "significant risk" of such harms. Since an unfairness claim requires the FTC to show that activity is causing or "likely to cause" substantial injury to consumers, it requires a higher bar than merely arguing future harm is possible. The judge is even more skeptical of the FTC's second unfairness claim, arguing the type of privacy disclosure alleged does not on its face meet the requirement for "substantial injury." The court does not disagree that merely disclosing sensitive personal information can sometimes cause substantial injury, but believes the severity of the injury on the Kochava facts is lessened because the data is not inherently personal — it requires additional inferences to be made before it is tied to individuals — and it is "generally accessible through other, lawful means."
It's not all bad news for the FTC. Judge Winmill leaves open the possibility for the agency to convince him to move forward with the case, based on an amended complaint alleging additional facts. The court also is careful to distinguish itself from the 11th Circuit LabMD case, which required the FTC to tie claims of unfairness to underlying violations of law or policy. Disparaging this test as an extra-statutory "predicate-violation requirement," Judge Winmill quotes a prior 9th Circuit FTC case: "The three-part test for whether a practice is 'unfair' under the FTC Act, found in the statute itself, is followed without embellishment by courts in this Circuit."
The no-nonsense court order was also quick to dismiss the most farfetched of Kochava's arguments against the FTC. Last month's U.S. Supreme Court decision, Axon Enterprises v. FTC, made it clear parties are allowed to raise constitutional claims directly to a federal court, before being forced to go through any lengthy administrative proceedings.
Even so, no, says the court. The 108-year-old agency's enforcement authority does not violate the constitutional mandate that law enforcement powers must be separate from legislative powers, not even considering the more executive-like powers the agency gained in 1973 under its section 13(b) authority. Plus, even if there were a constitutional issue, fixing it would change the structure of the commission — specifically, the way in which commissioners can be removed — rather than change its ability to enforce violations of law.
But what about recent Supreme Court rulings about the limits of agency rulemaking powers? Shouldn't the nondelegation doctrine or the major questions doctrine limit the FTC's powers here? Also no. Limits on the powers of administrative agencies to make new rules don't apply when the agency is simply enforcing a law, even if it's an adaptable law like Section 5 of the FTC Act.
And finally, on the limits of the FTC's injunctive powers, no, just because a company stops a practice willingly does not mean the government can't step in to prohibit the behavior in the future. The FTC is allowed to seek an injunction for a commercial practice, such as selling geolocation data about sensitive locations tied to device IDs, even if Kochava claims it no longer engages in the practice. The court declines to limit the FTC's authority to engage in consumer protection work via threats of injunctions, a core component of its procedural posture in privacy cases.
Regardless of the final outcome here, just across the border from Idaho, Washington state's My Health My Data Act will ban geofencing for the purpose of identifying visits to health-related locations. With an effective date for this provision of 22 July, it may go into effect before the Kochava case is over. To embellish another Yogi-ism, it's true the future ain't what it used to be. But privacy professionals don't have to wait to find out what to do next.
Here's what else I'm thinking about:
- In other court drama, NetChoice's challenge to the California Age-Appropriate Design Code is heating up. The California attorney general filed its response to the NetChoice lawsuit. The Electronic Privacy Information Center filed its own amicus brief in support of the AADC, as part of a coalition of civil society groups. The coalition says that NetChoice's arguments about the law's encroachment on the First Amendment and Section 230 "would undermine numerous federal and state laws and undermine the state's compelling interest in protecting the privacy of children."
- Meanwhile, federal kids' privacy and safety bills returned to the public eye. This week saw the reintroduction of the Kids Online Safety Act, the Children and Teens' Online Privacy Protection Act or COPPA 2.0, as well as lesser known initiatives like the Kids Privacy Act. The IAPP's D.C. office collaborated with the Future of Privacy Forum to track the changes to the Kids Online Safety Act, which is supported by more than 30 senators.
- Everyone wants a piece of AI policymaking. Politico reported on the diffuse and varied plans — or, at least, intentions — across Congress to do something to limit the potential harms of advanced algorithmic systems. The White House gathered a cohort of AI CEOs to remind them of their moral obligation to keep their products safe. Side note: do we call it an "emergence" of AI CEOs? And in an op-ed, the chair of the FTC warned about the potential for AI development to further entrench dominant economic actors.
- The FTC asserted its authority to modify Meta's 2020 consent order based on changes in the underlying facts. Meta has 30 days to respond to the "order to show cause why the Commission should not modify the order and enter the proposed new order," at which point the FTC may schedule a hearing. The changed facts relate to redacted "gaps" in Meta's mandated privacy programs, including continued access to some data by third-party apps and the ability for some children to communicate with each other without parental approval. In a noteworthy concurring statement, Commissioner Alvaro Bedoya agrees that the FTC has met the standard to re-open the order, but reserves his final determination about the appropriate modifications to the order until after more evidence is established.
Upcoming happenings
- 10 May at 1 p.m. EDT, FPF hosts a ceremony for its third annual Research Data Stewardship Award (virtual).
- 10-12 May, the Privacy + Security Forum: Spring Academy takes place at George Washington University.
- 16 May, BBB National Programs hosts CARU 2023 (Arlington).
Please send feedback, updates and collective AI nouns to cobun@iapp.org.