December 3, 2022

Volume XII, Number 337

Advertisement

December 02, 2022

Subscribe to Latest Legal News and Analysis

December 01, 2022

Subscribe to Latest Legal News and Analysis

FTC Flexes Its Muscle in Suit against Kochava (But May Not Like the Results)

On August 29, 2022, the Federal Trade Commission (FTC) filed a lawsuit against Kochava, Inc. alleging that Kochava engaged in unfair and deceptive practices by selling the “precise location information” of consumers. This suit comes on the heels of the FTC’s announcement earlier this month that it would “crack down” on “commercial surveillance practices” and July’s warning that the agency would be exercising its enforcement authority against the “illegal” use and sharing of sensitive consumer data.

In Depth

The FTC alleges that Kochava amassed a large amount of sensitive data by tracking the mobile advertising IDs from hundreds of millions of mobile phones, and that such data could be used to track people visiting abortion clinics, domestic abuse shelters, places of worship and other sensitive locations. The FTC then said that Kochava sold that data without first anonymizing it, allowing anyone who purchased the data to use it to track the movements of the mobile device users. The FTC wants to not only block Kochava from selling such data, but also require them to delete and destroy it. In its complaint, the FTC relied on the FTC Act’s general prohibition against “unfair and deceptive acts or practices” and alleged that the company unfairly sold the sensitive data.

Kochava, which beat the FTC to the courthouse and preemptively filed a lawsuit against the FTC prior to the FTC’s complaint, asserted that all of the location data came from third-party data brokers who obtained the information from consenting consumers. Despite the alleged consent, Kochava says it is in the process of implementing steps to remove health services location data from its database. Kochava argued that the litigation was the outcome of the FTC’s failed attempt to implement a vague settlement that had no clear terms and made the problem a moving target.

The Kochava suit brings to the forefront several competing policy considerations, the determination of which could shape the scope of the FTC’s enforcement authority for years to come. The first and foremost issue that the Kochava suit raises is whether the FTC has the authority to effectively impose a consent-based regime for the sale of sensitive consumer information when no federal law enforced by the FTC (other than the Children’s Online Privacy Protect Act (COPPA), which applies to data collected about children under 13) expressly provides for that requirement. While it is not uncommon for the FTC to take expansive views of its enforcement authority, that authority has been successfully challenged in recent years. (See AMG Capital Management, LLC v. FTC, which held that the FTC does not have the statutory authority to seek equitable monetary relief under Section 13(b) of the FTC Act).) Now, Kochava will test the FTC’s authority to regulate in the privacy space—and the FTC may not like the result.

In the unlikely event that Kochava were to litigate against the FTC all the way to the Supreme Court of the United States, Kochava might find a receptive audience. Using West Virginia v. Environmental Protection Agency as precedent, the Supreme Court could conclude that US Congress did not grant the FTC authority to regulate privacy issues because the FTC Act does not expressly mention privacy regulation as being within the ambit of the FTC’s authority. This would be a big problem for the FTC, which has visions of engaging in formal rulemaking on privacy and data security.

Weighing in favor of the FTC’s complaint is the fact that the FTC appears to be cracking down on the precise types of privacy concerns that the public has been focused on in the wake of Dobbs v. Jackson Women’s Health Organization. Since Dobbs, we’ve seen companies and private citizens go through great lengths to protect the need for increased sensitivity and privacy for the information regarding a person’s visit to an abortion clinic. The FTC argues that this is exactly that type of sensitive geographic information that it seeks to protect, no doubt acting on US President Joe Biden’s executive order following Dobbs, which instructed the FTC to take action to protect consumer privacy regarding reproductive health. While the president’s executive order may give those marching orders to the FTC, it does not expand the FTC’s legal authority nor give them new powers.

As a result, the Kochava action, which is consistent with the FTC’s view of its own enforcement authority in the privacy space, pits an issue of great public concern against the hard and fast statutory limits of the FTC’s authority as granted by Congress. While the likeliest outcome is a settlement that does not adjudicate that the FTC has the authority to regulate issues of privacy, Kochava is nonetheless worth watching. Kochava could either cement the FTC’s authority to regulate in the privacy space or severely limit the FTC’s authority to do so, which might actually be the exact catalyst that Congress needs to finally pass a federal privacy bill.

© 2022 McDermott Will & EmeryNational Law Review, Volume XII, Number 244
Advertisement
Advertisement
Advertisement

About this Author

Lesli C. Esposito Washington D.C. Partner antitrust consumer protection Lawyer McDermott Will & Emery Law
Partner

For more than 20 years, Lesli C. Esposito has helped clients around the globe navigate complex antitrust and consumer protection matters. She has deep experience handling government investigations, litigation, compliance, and global merger control on behalf of clients in diverse industries, including consumer products, retail, technology, pharmaceuticals, healthcare, telemarketing, oil and gas, mortgage lending and professional services.

202-756-8445
Amy C. Pimentel, Global Privacy Staff Attorney, McDermott Will & Emery Law Firm
Associate

Amy Pimentel is an associate in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Boston office.  Amy is a member of the Firm’s Global Privacy and Data Protection Affinity Group.  She focuses her practice on consumer protection, privacy, information security and international law.

Amy received her J.D. in 2014 from Northeastern University School of Law.  While in law school, Amy worked at the U.S. Department of Justice in the Office of International Affairs and interned for a judge at the International Criminal Tribunal...

617-535-3948
David Saunders Cybbersec Attorney McDermott Will Emery Law Firm
Partner

David P. Saunders (CIPP/US, CIPM) is an experienced litigator who focuses his practice on privacy and cybersecurity matters. David helps clients mitigate and manage risks related to data privacy and cybersecurity, from counseling on compliance with privacy regulations and managing data incident responses, to navigating regulatory investigations and handling biometric and other privacy-related litigation.

 

David works collaboratively with a diverse range of clients, from small business and pro bono clients to multinational Fortune 100 companies, understanding and advising on...

312-803-8305
Advertisement
Advertisement
Advertisement