[co-author: Kathryn Smith*]
The FTC’s second attempt to pursue the data broker, Kochava, continues to move forward. The amended complaint, which was just unsealed and thus available for the public to review, gives insight into the agency’s perspective on the harm that results when companies create profiles with sensitive information, and use that information to target ads to individuals. The amended complaint provides more detail about Kochava’s alleged practices; allegations the company strongly disagreed with. (Thus, why it sought -unsuccessfully- to have it sealed.)
The agency’s original complaint from August 2022 focused on the company’s data selling practices. The complaint alleged Kochava collected geolocation data from hundreds of millions of mobile devices and packaged them into “data feeds” for marketing purposes. Those feeds included personal identifiers like name and address. It also included information about gender identity and ethnicity. The feeds, the FTC alleged, tracked location information that might place people in “sensitive” physical locations. These included reproductive health clinics, domestic abuse shelters, places of worship, and the like. Those feeds, the FTC noted, are time stamped. Meaning that the time the person (mobile device) was at the location can also be tracked.
Notwithstanding these concerns, the case was dismissed in May of this year for failure to state sufficient harm, with leave to amend. The FTC ‘s amended complaint was filed in June (but just unsealed), and in it, not surprisingly, the FTC has expanded its discussion of harm to consumers.
In the original complaint, the FTC’s concerns focused on the potential harm if someone was tracked at a sensitive location, with a potential for discrimination and physical violence. In the amended complaint, the FTC includes harm from the company’s alleged collection and use of profiles based on sensitive information gathered from a wide variety of sources. These sources, according to the FTC, include health information from women’s reproductive health apps. The profiles it creates, the FTC further alleges, is then sold to third parties. It is then used to market to individuals based on the sensitive information. For example, targeting ads to “new parents/expecting” or “likely Republican voter.”
Like the initial complaint, the amended complaint alleges that Kochava had no security processes in place for determining whether to approve a data access request. Nor were there controls in place, according to the FTC, to limit the subsequent use and sale of the data.
*Kathryn Smith is a fellow in the firm’s Chicago office.
Putting it into Practice: While this is far from settled, it shows that the FTC is being aggressive in its use of the FTC Act to pursue those who create and use consumer profiles. This effort mirrors others in the data broker space, including California’s recent Delete Act, and examination of data brokers by the CFPB.
