FTC Settlement Would Bar Kochava From Selling Sensitive Location Data Without Consent

Key Takeaways

• Consent Requirement Tightened: Kochava and its subsidiary must obtain affirmative express consent before selling or sharing sensitive location data.
• Sensitive Location Protections: The companies must identify and restrict data tied to locations such as health facilities and places of worship.
• Accountability for Data Sources: A supplier assessment program is required to verify that location data is collected with proper consumer consent.
• Consumer Rights Expanded: Individuals can request disclosure of who received their data and withdraw consent for its sale.
• Data Governance Measures Introduced: The order mandates incident reporting and a formal data retention schedule to limit long-term data exposure.

Deep Dive

The Federal Trade Commission is moving to restrict how one of the data broker industry’s more prominent players handles location data, proposing a settlement that would prohibit Kochava and its subsidiary Collective Data Solutions from selling or sharing sensitive location information unless consumers have clearly agreed to it.

The case traces back to August 2022, when the FTC filed suit against Kochava, alleging the company’s collection and sale of precise location data exposed intimate details of people’s lives. According to the complaint, the data, drawn from hundreds of millions of mobile devices, could be used to trace individuals’ movements, including visits to locations many would consider deeply private, such as health facilities and places of worship.

At the heart of the FTC’s argument was a lack of awareness and consent. Consumers, the agency said, did not know their location data was being collected and shared in this way, leaving them with no meaningful way to avoid the potential consequences of its disclosure.

The proposed order, filed in the U.S. District Court for the District of Idaho, would impose a strict consent framework going forward. Kochava and Collective Data Solutions would be barred from selling, licensing, transferring, sharing, or otherwise disclosing sensitive location data unless they first obtain a consumer’s affirmative express consent, and even then, only when the data is used to provide a service the consumer has directly requested.

Beyond that central restriction, the settlement outlines a series of operational changes aimed at tightening oversight of how location data is handled. The companies would be required to build and maintain a program that identifies sensitive locations, helping prevent related data from being sold or disclosed. They must also establish a supplier assessment process to verify that any location data they acquire has been collected with appropriate consumer consent.

The order further requires the companies to report incidents to the FTC when they determine a third party has shared precise location data in violation of contractual terms. Consumers, meanwhile, would gain new visibility and control. They must be able to request the names of businesses or individuals that received their location data, and they must be given a straightforward way to withdraw consent for its sale.

Finally, the companies would need to implement a formal data retention schedule, requiring location data to be deleted on a defined timeline rather than stored indefinitely.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.