Data broker allegedly selling de-anonymized info to face FTC lawsuit after all

The Federal Trade Commission has successfully kept alive its first lawsuit in federal court against a geolocation data broker that allegedly unfairly sold large amounts of data in violation of the FTC Act.

On Saturday, U.S. District Judge Lynn Winmill denied Kochava's motion to dismiss a Amended FTC Complaintwhich he said plausibly argued that “Kochava’s data sales infringe on consumers’ privacy and expose them to risks of secondary harm from third parties.”

Winmill's ruling overturned the FTC's dismissal of the original complaint, which the court found did not sufficiently allege that Kochava's data sales caused or were likely to cause “substantial” harm to consumers.

The FTC accused Kochava of selling “a substantial amount of data obtained from millions of mobile devices around the world,” allegedly combining precise geolocation data with a “staggering amount of sensitive and identifying information” to without the users' knowledge or informed consent. This data, the FTC asserts, “is not anonymized and is linked or easily linked to individual consumers” without tapping “other data sources.”

Kochava's data sales would allow its customers — who the FTC says often pay tens of thousands of dollars per month — to target specific individuals by combining Kochava's data sets. Using only Kochava data, marketers can create “highly accurate” portraits of advertising targets such as “a woman visiting a particular building, her name, email address, and home address, and whether the woman is African American, a parent (and if so, how many children), or has an app identifying cancer symptoms on her phone.” Only one of Kochava's databases “contains “full profiles of individual consumers,” with up to “300 data points” for “more than 300 million unique individuals,” the FTC reported.

According to the FTC, this harms consumers in “two distinct ways”: by invading their privacy and causing “an increased risk of experiencing secondary harms, such as stigma, discrimination, physical violence, and emotional distress.”

In its amended complaint, the FTC overcame shortcomings in its original complaint by citing specific examples of consumers already known to have been harmed by brokers sharing sensitive data without their consent. This included a Catholic priest who resigned after being exposed by a group using precise mobile geolocation data to track his personal use of Grindr and his travel to “locations associated with the LGBTQ+ community.” The FTC also highlighted invasive practices by journalists using precise mobile geolocation data to identify and track military and law enforcement officers over time, as well as data brokers tracking “women concerned about abortion” who visited reproductive health clinics to target them with abortion ads. and alternatives to abortion.

“Kochava’s practices intrude into the most private areas of consumers’ lives and cause or are likely to cause significant harm to consumers,” the FTC’s amended complaint states.

The FTC is seeking a permanent injunction to stop Kochava from allegedly selling sensitive data without user consent.

Kochava considers the examples of consumer harm in the FTC's amended complaint to be “anecdotes” disconnected from his own activities. The data broker was apparently so confident that Winmill would agree to dismiss the FTC's amended complaint that the company sought sanctions against the FTC for what it considered a “meritless” filing. According to Kochava, many of the FTC's allegations were “knowingly false.”

Ultimately, the court found no evidence that the FTC's complaints were without merit. Instead of dismissing the case and ordering the FTC to pay penalties, Winmill wrote in his order that Kochava's motion to dismiss “misses the point” of the FTC's filing, which was to allege that Kochava’s data sales are “likely” to cause alleged harm. Because the FTC had “significantly” expanded the factual allegations, the agency “easily” met the plausibility standard to allege that substantial harm was likely, Winmill said.

Kochava CEO and founder Charles Manning said in a statement provided to Ars that Kochava “expected” Winmill's decision and was “confident” that Kochava would “prevail on the merits.”

“This case is really about the FTC’s attempt to circumvent Congress to create a data privacy law,” Manning said. “The FTC's salacious assumptions in its amended complaint are mere scare tactics. Kochava has always acted consistently and proactively in compliance with all rules and laws, including those specific to privacy.”

In a Press release Announcing the FTC's 2022 lawsuit, FTC Bureau of Consumer Protection Director Samuel Levine said the FTC was committed to stopping Kochava's allegedly harmful data sales.

“When consumers seek health care, receive advice or celebrate their faith, this is private information that should not be sold to the highest bidder,” Levine said. “The FTC is suing Kochava to protect people's privacy and stop the sale of their sensitive geolocation information.”

Source link

Scroll to Top