OPINION

A view from DC: Kochava is not enough

After a lengthy legal battle, another location data broker has finally reached a settlement with the FTC. Was it worth the fight?


Contributors:

Cobun Zweifel-Keegan

CIPP/US, CIPM

Managing Director, Washington D.C.

IAPP

Editor's note

The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

It is a bittersweet feeling to pen my fifth and final installment in the spy-themed adventure series of consumer protection legal drama known as Kochava versus the U.S. Federal Trade Commission. It has been a tumultuous saga.

Back in 2022, when the irascible Idaho-based mobile advertising attribution company decided to sue the FTC rather than negotiate a settlement to the agency's allegations of location-based privacy harms, I wrote about the unusual and highly risky Kochava Gambit. Kochava's lawsuit against the FTC's constitutionality invited a countersuit from the agency, making public the preliminary allegations in its complaint, which closely tracked what we later found to be a robust line of cases relating to the sharing of data about sensitive locations within the advertising data stream.

The federal court battle was first waged, as they so often are, on preliminary motions. In Die Another Day, we explored the surprise decision by the district court judge to grant Kochava's motion to dismiss, but leave open the possibility that the FTC could amend its complaint to reopen the case. The dogged privacy enforcer did just that. In Never Say Never Again, the FTC doubled down on its factual allegations to show why it believed Kochava's geolocation data practices represented serious, not just theoretical, privacy risks to U.S. consumers.

Then in License to Litigate, we saw the outcome of this amended complaint, an about-face from the judge who accepted as plausible the FTC's claims that the sharing of identifiable geolocation data about consumers' visits to sensitive locations — including medical and reproductive health clinics, places of religious worship and domestic abuse shelters — could constitute an unfair practice under the FTC Act. This allowed the case to proceed to the expensive discovery phase, where the FTC undoubtedly gained access.

More than two years later, as the FTC's weary fans may have all but given up hope for a resolution in the matter, Kochava filed with the agency a negotiated settlement. 

Overall, it is hard to say if Kochava's litigious gambit paid off. The stipulated injunctive terms in the settlement generally conform to the FTC's line of 2024 location data settlements, including XMode, InMarket Media, Gravy Analytics and Mobilewalla. The proposed final settlement is certainly slimmer than these other cases, with some notable differences that leave the company with narrow wins in comparison with its peers, but these nuances came at the cost of years of litigation, which Kochava agrees to bear as part of the settlement. In the meantime, Kochava also settled a number of class-action claims, agreeing to many of the same operational changes required by the FTC settlement.

One stark difference, which should come as no surprise to close FTC watchers, is the term length of the settlement agreement. Consistent with other recent privacy matters at the agency, Kochava has agreed to FTC oversight that will last for only five years. All the other cases in this enforcement sweep, not to mention nearly all privacy matters before that, are subject to 20-year terms. This change is consistent with scholarship from pro-innovation commentators who have called on the FTC to bind companies for shorter terms in its settlements.

Other inconsistencies in the Kochava settlement are more subtle. Among its peers, it probably most closely resembles InMarket Media, which lacked some of the more damning findings and accompanying remedies from other cases, such as banning the sale of data related to individuals' private residences. The settlement also lacks some ongoing restrictions on the collection, use, maintenance and disclosure of location data generally, even when not related to sensitive locations, which appear in all of the other matters except Mobilewalla.

Another interesting wrinkle is the obligation for Kochava to implement either a mechanism for consumers to request a list of all recipients to whom Kochava disclosed their covered data or a mechanism to delete this data, but not both. If Kochava is able to implement a functional, clear and conspicuous deletion mechanism, such that all recipients will delete consumers' precise location data upon request.

The order is more precise about the narrow functioning of mandatory deletion requirements, focusing on Kochava's obligation moving forward to deidentify any sensitive location data, rather than delete it. Other settlements framed this as a requirement to delete all of the ill-gotten data but allowed for deidentification in the alternative.

Finally, the definition of sensitive locations in the order is the narrowest yet from this line of cases, leaving out LGBTQ-related locations such as "service organizations, bars, and nightlife," which were included in Mobilewalla and InMarket, along with locations related to labor unions, correctional facilities, "associations held out to the public as predominantly providing services based on racial or ethnic origin," and locations providing services and shelter to refugees or immigrants, all of which were treated as sensitive in all four of the other settlements.

Though the term is shorter, Kochava remains subject to most if not all of the same operational obligations as its peers, including a mandatory privacy program, changes to the operation of its SDKs and other third-party monitoring obligations at both the supplier and recipient sides of its business. 

Importantly, the company must also designate a senior officer, "such as a Chief Privacy Officer or Chief Compliance Officer, to be responsible for" the mandatory sensitive location data program. This program must identify all covered locations within 90 days of the entry of the final order so that the company can comply with the prohibition on the sale and disclosure of any identifiable data related to those locations.

As such, the takeaways for what counts as the unfair sharing of data about visits to sensitive locations have not changed under the current FTC. Without the explicit consent of consumers, companies should continue to scrub sensitive sites from location datasets before disclosing to other parties.

In the intervening years, the world has moved on. For example, when Connecticut's governor soon signs the state's most recent amendment to its comprehensive privacy law, SB 4, it will become the fourth state to entirely prohibit the sale of precise location data, joining Maryland, Oregon and Virginia. These days, improperly handling any precise location data, not just that related to sensitive locations, comes with a price.

Please send feedback, updates and James Bond quotes to cobun@iapp.org. 

This article originally appeared in The Daily Dashboard and U.S. Privacy Digest, free weekly IAPP newsletters. Subscriptions to this and other IAPP newsletters can be found here.


This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
