Post Dobbs, organizations are taking a closer look at their geolocation practices, data that they receive from third parties, including data brokers, and their operational practices. To further complicate this review, the FTC has shined a light on the issue with its recently filed suit against Kochava, who is in the data broker industry. This suit can provide insight on how the FTC and other agencies will look at geolocation data and what organizations should be on the lookout for.

Overview
With the FTC finally having a full complement of commissioners, Commissioner Lena Khan’s ambitious agenda appears to finally be kicking into motion. In addition to her efforts to tie antitrust law to data protection practices and jumpstarting the federal rulemaking process for badly needed updates to federal privacy law, Khan’s FTC brought an action in late August against Kochava, a data broker, for the sale of precise geolocation data of consumers in the U.S. District Court of Idaho.

Theory of the Case
The FTC’s suit centers around Kochava’s role in the data broker industry and some of the most controversial data practices regarding consumer data. Kochava is not alone in this but is one of the key players in the precise geolocation industry and has found itself in the crosshairs here for reselling consumer precise geolocation data to consumers that can be tied back to places of worship, health care clinics, schools, and other locations. This data, coupled with an advertising ID, can reveal intimate details about consumers’ lives and habits. It goes without saying that this level of data, no matter how pseudonymized, has high value to advertisers with precise geolocation data audience segments ad analytics selling at some of the highest rates in the programmatic advertising industry.

Kochava claims to process more than 94 billion data transactions each month for 125 million monthly active users and 35 million daily active users. The consumer data is made available for purchase through a license or through a free sample that contains a rolling 7 day period. Kochava denies the allegations in the complaint, stating their practices are in compliance with all applicable privacy laws and, “Kochava sources 100% of the geo data in our data marketplace from third party data brokers all of whom represent that the data comes from consenting consumers.”

The FTC is seeking a permanent injunction to stop this practice. Typically, the FTC has brought privacy cases under the “deceptive” practices prong of its authority under Section 5 of the FTC Act. Advancing this case on unfairness grounds represents an aggressive move against not just Kochava, but geolocation as a whole, enabling the FTC to seek a permanent injunction against the practice, not just about any statements related to the practice, of selling precise geolocation data. The FTC is choosing to advance a harder argument here – that the practice of selling precise geolocation data is uniquely unfair because a consumer cannot meaningfully consent to the transaction by companies it has no knowledge of and that the practice has and will substantially harm individuals – in order to have a greater impact on the business model as a whole.

A win by the FTC here would likely result in a substantial impact on not just data brokers and advertisers, but also analytics companies, retail groups, device tracking technologies (e.g. Apple Airtags) and automotive manufacturers who increasingly process substantial amounts of precise geolocation data for a wide variety of purposes. But key questions remain: Is Kochava the right target for this action if no particularized harm has been identified and alleged from the sale of its particular data set?

Additional Implications
Precise geolocation data is also highly valuable to law enforcement. Earlier this week, the Associated Press released an article based on a joint investigation with the Electronic Frontier Foundation, unmasking a data broker called Fog Data Science LLC, licensing a tool to law enforcement and government agencies for a reputed $7,500/year fee, that would provide geofencing and location tracking capabilities without a warrant. Such practice is currently lawful because of the exception under 4th Amendment caselaw for publicly available information.

Precise geolocation data is considered highly sensitive data – a type of digital plutonium – because of the difficulty anonymizing the data and the rich insights that can be extracted from the feed. Precise geolocation tied to a time stamp and advertising identifier – the unique number each phone is assigned by Apple or Google for advertisers to use for targeting – can reveal an individual’s home address, work address, and other sensitive data. In 2021, a Catholic priest resigned after he was outed as visiting LGBTQ+ bars. His precise geolocation data was obtained through a data broker by a Catholic news organization who outed him. The data broker got it from Grindr, the LGBTQ+ dating app. Precise geolocation has revealed numerous national security implications as well. In 2018, the US military was forced to reexamine its security practices after fitness tracker Strava’s heatmaps revealed military bases and patrol routes. That story, among others, was part of a New York Times series on location data practices that included the ability to locate devices traveling to and from CIA Headquarters in Langley, Virginia. At the same time, the US military and other law enforcement agencies have been caught buying precise geolocation data from Muslim prayer apps, a move that clearly has First Amendment implications.

In a post-Dobbs’ America, the implications are profound with Republican governed states rapidly moving to criminalize women who seek abortions or the doctors who provide them. Some are even exploring enforcing their laws on women who seek abortions across state lines.

Client Aware
The FTC’s suit here in this case coupled with its move to update its regulations via the rulemaking process last month, show an increased appetite to tackling privacy problems under current authority while proposed federal privacy law remains deadlocked in Congress. Businesses that collect, process, sell, or otherwise use precise geolocation data or engage with vendors who do, should take a renewed look at their data practices, their technical and administrative compliance measures, and their consumer disclosures and methods of obtaining consent, where applicable. The Beckage Firm of seasoned privacy and cybersecurity professionals is available to assist as needed.
*Attorney Advertising: Prior Results Do Not Guarantee Similar Outcomes

Thebeckagefirm.com
info@thebeckagefirm.com