The FTC’s Post-Dobbs Focus on Location Privacy Draws a Legal Challenge

Foley Hoag LLP - Security, Privacy and the Law

As we previously blogged, the FTC, in guidance following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health, indicated that it would aggressively wield its enforcement authority in relation to deceptive statements about location privacy, particularly in the context of what the FTC called “the often shadowy ad tech and data broker ecosystem.” The FTC voiced particular concern about the tracking or selling of sensitive location data without consumers’ knowledge, such as data that relates to the receipt of medical care (or even just proximity to medical facilities). While it is difficult to know the full extent to which the FTC is putting its words into practice because investigations and settlement negotiations tend to be confidential, a recently filed lawsuit in Idaho suggests that the FTC’s announced focus on location privacy is very real.

Idaho-based Kochava, which offers digital marketing and analytics services, has asked a federal court to grant an injunction against a proposed complaint that was apparently revealed to Kochava by the FTC in settlement talks.  The lawsuit characterizes the FTC’s concerns as relating to geolocation data that can be associated with sensitive locations such as therapists, addiction recovery centers, reproductive health centers, and other medical facilities.  Kochava argues that data it collects and then sells as part of its business would not permit the buyer of the data to correlate specific location data with a specific individual or, in the alternative, that individuals agreed to the sharing of such data.

The limited window provided by Kochava’s complaint shows both that the FTC is serious about claims made about location data and that critical terms like “anonymous” and “anonymized” carry multiple meanings in the commercial world, which leaves them susceptible to claims of deception brought by the FTC and similar enforcers (such as state attorneys general). This underscores that, while anonymization can be a useful tool for commercializing consumer data, it is important to take into account whether the data is truly anonymized. While anonymization has a clear meaning in the US-based health information context (because HIPAA affirmatively provides one), the concept is more malleable outside of that context and in other jurisdictions. Indeed, the GDPR treats many categories of information that might informally be referred to as “anonymized” in the US as merely “pseudonymized,” and thus still within the ambit of European regulators. All of which is to say, whether in the US or in Europe, it is important to scrutinize anonymization claims before making them public, as they are likely to remain a regulatory focus.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Security, Privacy and the Law | Attorney Advertising
