On August 29, 2022, the Federal Trade Commission (FTC) filed a lawsuit against Kochava, Inc. alleging that Kochava engaged in unfair and deceptive practices by selling the “precise location information” of consumers. This suit comes on the heels of the FTC’s announcement earlier this month that it would “crack down” on “commercial surveillance practices” and July’s warning that the agency would be exercising its enforcement authority against the “illegal” use and sharing of sensitive consumer data.

In Depth

The FTC alleges that Kochava amassed a large amount of sensitive data by tracking the mobile advertising IDs from hundreds of millions of mobile phones, and that such data could be used to track people visiting abortion clinics, domestic abuse shelters, places of worship and other sensitive locations. The FTC then said that Kochava sold that data without first anonymizing it, allowing anyone who purchased the data to use it to track the movements of the mobile device users. The FTC wants to not only block Kochava from selling such data, but also require them to delete and destroy it. In its complaint, the FTC relied on the FTC Act’s general prohibition against “unfair and deceptive acts or practices” and alleged that the company unfairly sold the sensitive data.

Kochava, which beat the FTC to the courthouse and preemptively filed a lawsuit against the FTC prior to the FTC’s complaint, asserted that all of the location data came from third-party data brokers who obtained the information from consenting consumers. Despite the alleged consent, Kochava says it is in the process of implementing steps to remove health services location data from its database. Kochava argued that the litigation was the outcome of the FTC’s failed attempt to implement a vague settlement that had no clear terms and made the problem a moving target.

The Kochava suit brings to the forefront several competing policy considerations, the determination of which could shape the scope of the FTC’s enforcement authority for years to come. The first and foremost issue that the Kochava suit raises is whether the FTC has the authority to effectively impose a consent-based regime for the sale of sensitive consumer information when no federal law enforced by the FTC (other than the Children’s Online Privacy Protect Act (COPPA), which applies to data collected about children under 13) expressly provides for that requirement. While it is not uncommon for the FTC to take expansive views of its enforcement authority, that authority has been successfully challenged in recent years. (See AMG Capital Management, LLC v. FTC, which held that the FTC does not have the statutory authority to seek equitable monetary relief under Section 13(b) of the FTC Act).) Now, Kochava will test the FTC’s authority to regulate in the privacy space—and the FTC may not like the result.

In the unlikely event that Kochava were to litigate against the FTC all the way to the Supreme Court of the United States, Kochava might find a receptive audience. Using West Virginia v. Environmental Protection Agency as precedent, the Supreme Court could conclude that US Congress did not grant the FTC authority to regulate privacy issues because the FTC Act does not expressly mention privacy regulation as being within the ambit of the FTC’s authority. This would be a big problem for the FTC, which has visions of engaging in formal rulemaking on privacy and data security.

Weighing in favor of the FTC’s complaint is the fact that the FTC appears to be cracking down on the precise types of privacy concerns that the public has been focused on in the wake of Dobbs v. Jackson Women’s Health Organization. Since Dobbs, we’ve seen companies and private citizens go through great lengths to protect the need for increased sensitivity and privacy for the information regarding a person’s visit to an abortion clinic. The FTC argues that this is exactly that type of sensitive geographic information that it seeks to protect, no doubt acting on US President Joe Biden’s executive order following Dobbs, which instructed the FTC to take action to protect consumer privacy regarding reproductive health. While the president’s executive order may give those marching orders to the FTC, it does not expand the FTC’s legal authority nor give them new powers.

As a result, the Kochava action, which is consistent with the FTC’s view of its own enforcement authority in the privacy space, pits an issue of great public concern against the hard and fast statutory limits of the FTC’s authority as granted by Congress. While the likeliest outcome is a settlement that does not adjudicate that the FTC has the authority to regulate issues of privacy, Kochava is nonetheless worth watching. Kochava could either cement the FTC’s authority to regulate in the privacy space or severely limit the FTC’s authority to do so, which might actually be the exact catalyst that Congress needs to finally pass a federal privacy bill.