Client Alert: SCOTUS Overrules Roe v. Wade: Part IV: The Impact of Dobbs on Data Privacy – FTC v. Kochava
Publications
September 8, 2022
By: Shoba Pillay, Madeleine Findley, Anne Cortina Perry, Dawn L. Smalls, Alison I. Stein, Philip B. Sailer
The Federal Trade Commission (FTC) recently filed a complaint against a data broker alleging that the collection and sale of precise location data significantly harms consumers, especially if the data contains information regarding travel to and from specific sensitive locations, such as reproductive healthcare clinics. The outcome of the case could have a substantial impact on the FTC’s authority to enforce consumer protection laws and will likely inform how companies handle consumer data to which they have access. The FTC’s complaint follows guidance the Biden administration issued to federal agencies, including the FTC, to take actions to protect consumers’ privacy in connection with reproductive healthcare services after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.[1] The outcome of the case could have a substantial impact on the sale and collection of consumer location data and the FTC’s authority to enforce consumer privacy protections.
The FTC and Dobbs
The Dobbs decision and its impact have significantly increased the Biden administration’s regulatory focus on and public awareness of the ways in which precise geolocation data may be used to identify and track consumers in all aspects of their lives, including patients and healthcare providers at reproductive healthcare locations. In July, after the Supreme Court issued its opinion in Dobbs, the FTC published a post on its website warning that the potential intrusions on consumers’ privacy because of this ruling were not merely a figment of a “dystopian fiction.” Rather, according to the FTC, consumers needed to understand the “unprecedented intrusion” that could result from the collection and monetization of their data. In its blog post, the FTC identified the specific harms caused by, “products that track women’s periods, monitor their fertility, oversee their contraceptive use, or even target women considering abortion,” including “discrimination, stigma, and mental anguish,” and the significant impact the intrusion could have on “personal reproductive matters.” The agency underscored its commitment to protecting consumers’ location, health, and other “highly sensitive data” from illegal use and sharing.[2]
FTC Complaint Against Kochava
On August 29, 2022, the FTC filed a complaint [3] against data broker Kochava Inc. (“Kochava”) in a federal district court in Idaho, alleging that Kochava collected, packaged, and sold sensitive consumer data, including, “geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations” in violation of Section 5(a) of the FTC Act, which prohibits companies from engaging in unfair or deceptive business practices.[4] The FTC is seeking an injunction against Kochava and a requirement that it delete consumers’ sensitive location data, including information associated with travel to or from reproductive healthcare clinics, and
prohibiting the collection and sale of similar data in the future.
Kochava is a data broker that purchases large volumes of precise geolocation data derived from consumers’ mobile devices. It packages this data into feeds that provide the information to advertisers so these firms can better optimize the services they provide to their own customers. According to its website, Kochava is the “industry leader for mobile app attribution and mobile app analytics.”
According to the complaint, Kochava advertises that its data-rich feed contains “raw latitude/longitude data” from almost 100 billion geotransactions per month, 125 million monthly consumers, and more than 90 daily transactions per device. In September 2016, Kochava began making a data sample publicly available for free on its platform and required only minimal registration information from a user before permitting a download. The free data sample contained information from over 61 million unique mobile devices, including information flagged as “sensitive,” at no cost. According to the FTC’s complaint, as of June 2022, Kochava no longer offers a free version of its services.[5]
Specifically, the complaint alleges that Kochava collects consumer data, including precise geolocation data linked to a consumer device’s Mobile Advertising ID (MAID). The MAID is a unique identifier assigned in a mobile device and allows marketers to use targeted ads to advertise to specific consumers based on data Kochava collects and sells.[6] The complaint alleges that it is possible to use geolocation data that is associated with the device’s identifier to identify the device owner. In fact, the complaint states that other data brokers advertise services that do just that. Even without such services, precise geolocation data showing a device’s presence in a particular location at regular daily or nightly intervals may identify a consumer’s work and home addresses, and this information may be used to identify the consumer’s name.
The FTC alleges that as a result, Kochava and its customers can “track the consumers’ movements to and from sensitive locations, including, among others, locations associated with medical care, reproductive health, religious worship, mental health, temporary shelters, such as shelters for the homeless, domestic violence survivors, or other at-risk populations, and addiction recovery.” The FTC also alleges Kochava failed to incorporate protections into its platform that would safeguard the
consumers’ geolocation data, identity, and privacy, such as providing less precise location data, removing timestamps, and proactively notifying users when their data is collected and/or sold.
Without incorporating necessary protections for consumers’ most sensitive data, the FTC alleges, Kochava’s business practices represent an “unwarranted intrusion into the most private areas of consumers’ lives and cause[] or is likely to cause substantial injury to consumers,” including “stigma, discrimination, physical violence, emotional distress, and other harms.”
FTC’s Authority Challenged
The FTC’s complaint comes after the company filed a preemptive suit [7] against the FTC alleging that the agency’s request for injunctive relief would violate the company’s constitutional due process rights. In its suit, Kochava alleges that the FTC is only authorized to seek injunctive relief for ongoing or potential unlawful conduct, not for past conduct that is unlikely to recur, and argues the agency lacks authority to require disgorgement remedies. In August, Kochava announced a “Privacy Block,” an update that is intended to remove consumer health service location data from its platform. The company also argued that the FTC’s investigation has not identified “any rule or statement with legal force and effect describing the specific geolocation data practices” the FTC is attempting to enforce, and that Kochava will be harmed by proceedings that could take “years” and “render[] any post hoc review of any administrative decision, if any at all, meaningless.”
A key legal question in the FTC’s case against Kochava will be scope of the agency’s enforcement authority under the FTC Act, which the Supreme Court limited in AMG Capital Management, LLC v. FTC, decided in 2021. [8] Other companies have similarly challenged the FTC’s investigative process and authority, including in a case currently pending at the Supreme Court between the FTC and a payday loan servicing company that allegedly violated the FTC Act by charging borrowers excessively high interest rates. [9] The Supreme Court will soon hear arguments over whether companies that are being investigated by the FTC can challenge the validity of the FTC’s actions before the completion of the agency’s internal administrative procedures. Whether the Supreme Court allows early judicial intervention during the agency’s investigations could have a substantial impact on Kochava’s ability to head-off FTC enforcement.
***
The FTC’s complaint reflects its increasing focus on privacy and security of consumer data, particularly consumer health data, in recent years. [10] Recently, as we discussed in a prior client alert, the FTC voted to publish a wide-ranging Advanced Notice of Proposed Rulemaking on consumer data collection and data security. [11] The outcome of the FTC’s case against Kochava will likely provide further valuable insight into the FTC’s regulatory approach to enforcing consumer privacy protections and how further enforcement could impact the collection and sale of consumer location data moving forward.
The FTC and Dobbs
The Dobbs decision and its impact have significantly increased the Biden administration’s regulatory focus on and public awareness of the ways in which precise geolocation data may be used to identify and track consumers in all aspects of their lives, including patients and healthcare providers at reproductive healthcare locations. In July, after the Supreme Court issued its opinion in Dobbs, the FTC published a post on its website warning that the potential intrusions on consumers’ privacy because of this ruling were not merely a figment of a “dystopian fiction.” Rather, according to the FTC, consumers needed to understand the “unprecedented intrusion” that could result from the collection and monetization of their data. In its blog post, the FTC identified the specific harms caused by, “products that track women’s periods, monitor their fertility, oversee their contraceptive use, or even target women considering abortion,” including “discrimination, stigma, and mental anguish,” and the significant impact the intrusion could have on “personal reproductive matters.” The agency underscored its commitment to protecting consumers’ location, health, and other “highly sensitive data” from illegal use and sharing.[2]
FTC Complaint Against Kochava
On August 29, 2022, the FTC filed a complaint [3] against data broker Kochava Inc. (“Kochava”) in a federal district court in Idaho, alleging that Kochava collected, packaged, and sold sensitive consumer data, including, “geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations” in violation of Section 5(a) of the FTC Act, which prohibits companies from engaging in unfair or deceptive business practices.[4] The FTC is seeking an injunction against Kochava and a requirement that it delete consumers’ sensitive location data, including information associated with travel to or from reproductive healthcare clinics, and
prohibiting the collection and sale of similar data in the future.
Kochava is a data broker that purchases large volumes of precise geolocation data derived from consumers’ mobile devices. It packages this data into feeds that provide the information to advertisers so these firms can better optimize the services they provide to their own customers. According to its website, Kochava is the “industry leader for mobile app attribution and mobile app analytics.”
According to the complaint, Kochava advertises that its data-rich feed contains “raw latitude/longitude data” from almost 100 billion geotransactions per month, 125 million monthly consumers, and more than 90 daily transactions per device. In September 2016, Kochava began making a data sample publicly available for free on its platform and required only minimal registration information from a user before permitting a download. The free data sample contained information from over 61 million unique mobile devices, including information flagged as “sensitive,” at no cost. According to the FTC’s complaint, as of June 2022, Kochava no longer offers a free version of its services.[5]
Specifically, the complaint alleges that Kochava collects consumer data, including precise geolocation data linked to a consumer device’s Mobile Advertising ID (MAID). The MAID is a unique identifier assigned in a mobile device and allows marketers to use targeted ads to advertise to specific consumers based on data Kochava collects and sells.[6] The complaint alleges that it is possible to use geolocation data that is associated with the device’s identifier to identify the device owner. In fact, the complaint states that other data brokers advertise services that do just that. Even without such services, precise geolocation data showing a device’s presence in a particular location at regular daily or nightly intervals may identify a consumer’s work and home addresses, and this information may be used to identify the consumer’s name.
The FTC alleges that as a result, Kochava and its customers can “track the consumers’ movements to and from sensitive locations, including, among others, locations associated with medical care, reproductive health, religious worship, mental health, temporary shelters, such as shelters for the homeless, domestic violence survivors, or other at-risk populations, and addiction recovery.” The FTC also alleges Kochava failed to incorporate protections into its platform that would safeguard the
consumers’ geolocation data, identity, and privacy, such as providing less precise location data, removing timestamps, and proactively notifying users when their data is collected and/or sold.
Without incorporating necessary protections for consumers’ most sensitive data, the FTC alleges, Kochava’s business practices represent an “unwarranted intrusion into the most private areas of consumers’ lives and cause[] or is likely to cause substantial injury to consumers,” including “stigma, discrimination, physical violence, emotional distress, and other harms.”
FTC’s Authority Challenged
The FTC’s complaint comes after the company filed a preemptive suit [7] against the FTC alleging that the agency’s request for injunctive relief would violate the company’s constitutional due process rights. In its suit, Kochava alleges that the FTC is only authorized to seek injunctive relief for ongoing or potential unlawful conduct, not for past conduct that is unlikely to recur, and argues the agency lacks authority to require disgorgement remedies. In August, Kochava announced a “Privacy Block,” an update that is intended to remove consumer health service location data from its platform. The company also argued that the FTC’s investigation has not identified “any rule or statement with legal force and effect describing the specific geolocation data practices” the FTC is attempting to enforce, and that Kochava will be harmed by proceedings that could take “years” and “render[] any post hoc review of any administrative decision, if any at all, meaningless.”
A key legal question in the FTC’s case against Kochava will be scope of the agency’s enforcement authority under the FTC Act, which the Supreme Court limited in AMG Capital Management, LLC v. FTC, decided in 2021. [8] Other companies have similarly challenged the FTC’s investigative process and authority, including in a case currently pending at the Supreme Court between the FTC and a payday loan servicing company that allegedly violated the FTC Act by charging borrowers excessively high interest rates. [9] The Supreme Court will soon hear arguments over whether companies that are being investigated by the FTC can challenge the validity of the FTC’s actions before the completion of the agency’s internal administrative procedures. Whether the Supreme Court allows early judicial intervention during the agency’s investigations could have a substantial impact on Kochava’s ability to head-off FTC enforcement.
***
The FTC’s complaint reflects its increasing focus on privacy and security of consumer data, particularly consumer health data, in recent years. [10] Recently, as we discussed in a prior client alert, the FTC voted to publish a wide-ranging Advanced Notice of Proposed Rulemaking on consumer data collection and data security. [11] The outcome of the FTC’s case against Kochava will likely provide further valuable insight into the FTC’s regulatory approach to enforcing consumer privacy protections and how further enforcement could impact the collection and sale of consumer location data moving forward.
[1] Exec. Order No. 14076, 87 F.R. 133 (2022), https://www.govinfo.gov/content/pkg/FR-2022-07-13/pdf/2022-15138.pdf.
[2] Kristin Cohen, Location, health, and other sensitive information: FTC committed to fully enforcing the law against
illegal use and sharing of highly sensitive data, FEDERAL TRADE COMMISSION BUSINESS BLOG (July 11, 2022),
https://www.ftc.gov/business-guidance/blog/2022/07/location-health-other-sensitive-information-ftc-committed-fullyenforcing-law-against-illegal-use.
[3] Complaint, F.T.C. v. Kochava, Inc., No. 2:22-cv-00377-DCN (D. Idaho Aug. 29, 2022), ECF 1,
https://www.ftc.gov/system/files/ftc_gov/pdf/1. Complaint.pdf.
[4] Press Release, FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of
Worship, and Other Sensitive Locations, FEDERAL TRADE COMMISSION (August 29, 2022), https://www.ftc.gov/newsevents/news/press-releases/2022/08/ftc-sues-kochava-selling-data-tracks-people-reproductive-health-clinics-placesworship-other. See also The Federal Trade Commission Act §5, 15 U.S.C. § 45(a).
[5] Complaint at ¶ 13, F.T.C. v. Kochava, Inc., No. 2:22-cv-00377-DCN (D. Idaho Aug. 29, 2022), ECF 1,
https://www.ftc.gov/system/files/ftc_gov/pdf/1. Complaint.pdf.
[6] Complaint at ¶ 10, F.T.C. v. Kochava, Inc., No. 2:22-cv-00377-DCN (D. Idaho Aug. 29, 2022), ECF 1,
https://www.ftc.gov/system/files/ftc_gov/pdf/1. Complaint.pdf.
[7] Complaint, Kochava Inc. v. F.T.C., No. 2:22-cv-00349-BLW (D. Idaho August 12, 2022), ECF 1.
[8] AMG Cap. Mgmt., LLC v. F.T.C., 141 S. Ct. 1341 (2021).
[9] See e.g., Axon Enter., Inc. v. F.T.C., 986 F.3d 1173 (9th Cir. 2021), cert. granted in part, 142 S. Ct. 895 (2022).
[10] See, e.g., Flo Health Inc., 86 F.R. 7382 (F.T.C. June 17, 2021).
https://www.ftc.gov/system/files/documents/cases/192_3133_flo_health_decision_and_order.pdf (settling company for
targeted advertising, despite promising to keep users’ data private).
[11] Trade Regulation Rule on Commercial Surveillance and Data Security, Federal Trade Commission, 87 F.R. 51273
(F.T.C. proposed August 22, 2022), 2022-17752.pdf (govinfo.gov).
Footnotes
[1] Exec. Order No. 14076, 87 F.R. 133 (2022), https://www.govinfo.gov/content/pkg/FR-2022-07-13/pdf/2022-15138.pdf.
[2] Kristin Cohen, Location, health, and other sensitive information: FTC committed to fully enforcing the law against
illegal use and sharing of highly sensitive data, FEDERAL TRADE COMMISSION BUSINESS BLOG (July 11, 2022),
https://www.ftc.gov/business-guidance/blog/2022/07/location-health-other-sensitive-information-ftc-committed-fullyenforcing-law-against-illegal-use.
[3] Complaint, F.T.C. v. Kochava, Inc., No. 2:22-cv-00377-DCN (D. Idaho Aug. 29, 2022), ECF 1,
https://www.ftc.gov/system/files/ftc_gov/pdf/1. Complaint.pdf.
[4] Press Release, FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of
Worship, and Other Sensitive Locations, FEDERAL TRADE COMMISSION (August 29, 2022), https://www.ftc.gov/newsevents/news/press-releases/2022/08/ftc-sues-kochava-selling-data-tracks-people-reproductive-health-clinics-placesworship-other. See also The Federal Trade Commission Act §5, 15 U.S.C. § 45(a).
[5] Complaint at ¶ 13, F.T.C. v. Kochava, Inc., No. 2:22-cv-00377-DCN (D. Idaho Aug. 29, 2022), ECF 1,
https://www.ftc.gov/system/files/ftc_gov/pdf/1. Complaint.pdf.
[6] Complaint at ¶ 10, F.T.C. v. Kochava, Inc., No. 2:22-cv-00377-DCN (D. Idaho Aug. 29, 2022), ECF 1,
https://www.ftc.gov/system/files/ftc_gov/pdf/1. Complaint.pdf.
[7] Complaint, Kochava Inc. v. F.T.C., No. 2:22-cv-00349-BLW (D. Idaho August 12, 2022), ECF 1.
[8] AMG Cap. Mgmt., LLC v. F.T.C., 141 S. Ct. 1341 (2021).
[9] See e.g., Axon Enter., Inc. v. F.T.C., 986 F.3d 1173 (9th Cir. 2021), cert. granted in part, 142 S. Ct. 895 (2022).
[10] See, e.g., Flo Health Inc., 86 F.R. 7382 (F.T.C. June 17, 2021).
https://www.ftc.gov/system/files/documents/cases/192_3133_flo_health_decision_and_order.pdf (settling company for
targeted advertising, despite promising to keep users’ data private).
[11] Trade Regulation Rule on Commercial Surveillance and Data Security, Federal Trade Commission, 87 F.R. 51273
(F.T.C. proposed August 22, 2022), 2022-17752.pdf (govinfo.gov).
Related Attorneys
Related Capabilities
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
Publications
September 8, 2022
By: Shoba Pillay, Madeleine Findley, Anne Cortina Perry, Dawn L. Smalls, Alison I. Stein, Philip B. Sailer
The Federal Trade Commission (FTC) recently filed a complaint against a data broker alleging that the collection and sale of precise location data significantly harms consumers, especially if the data contains information regarding travel to and from specific sensitive locations, such as reproductive healthcare clinics. The outcome of the case could have a substantial impact on the FTC’s authority to enforce consumer protection laws and will likely inform how companies handle consumer data to which they have access. The FTC’s complaint follows guidance the Biden administration issued to federal agencies, including the FTC, to take actions to protect consumers’ privacy in connection with reproductive healthcare services after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.[1] The outcome of the case could have a substantial impact on the sale and collection of consumer location data and the FTC’s authority to enforce consumer privacy protections.
The FTC and Dobbs
The Dobbs decision and its impact have significantly increased the Biden administration’s regulatory focus on and public awareness of the ways in which precise geolocation data may be used to identify and track consumers in all aspects of their lives, including patients and healthcare providers at reproductive healthcare locations. In July, after the Supreme Court issued its opinion in Dobbs, the FTC published a post on its website warning that the potential intrusions on consumers’ privacy because of this ruling were not merely a figment of a “dystopian fiction.” Rather, according to the FTC, consumers needed to understand the “unprecedented intrusion” that could result from the collection and monetization of their data. In its blog post, the FTC identified the specific harms caused by, “products that track women’s periods, monitor their fertility, oversee their contraceptive use, or even target women considering abortion,” including “discrimination, stigma, and mental anguish,” and the significant impact the intrusion could have on “personal reproductive matters.” The agency underscored its commitment to protecting consumers’ location, health, and other “highly sensitive data” from illegal use and sharing.[2]
FTC Complaint Against Kochava
On August 29, 2022, the FTC filed a complaint [3] against data broker Kochava Inc. (“Kochava”) in a federal district court in Idaho, alleging that Kochava collected, packaged, and sold sensitive consumer data, including, “geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations” in violation of Section 5(a) of the FTC Act, which prohibits companies from engaging in unfair or deceptive business practices.[4] The FTC is seeking an injunction against Kochava and a requirement that it delete consumers’ sensitive location data, including information associated with travel to or from reproductive healthcare clinics, and
prohibiting the collection and sale of similar data in the future.
Kochava is a data broker that purchases large volumes of precise geolocation data derived from consumers’ mobile devices. It packages this data into feeds that provide the information to advertisers so these firms can better optimize the services they provide to their own customers. According to its website, Kochava is the “industry leader for mobile app attribution and mobile app analytics.”
According to the complaint, Kochava advertises that its data-rich feed contains “raw latitude/longitude data” from almost 100 billion geotransactions per month, 125 million monthly consumers, and more than 90 daily transactions per device. In September 2016, Kochava began making a data sample publicly available for free on its platform and required only minimal registration information from a user before permitting a download. The free data sample contained information from over 61 million unique mobile devices, including information flagged as “sensitive,” at no cost. According to the FTC’s complaint, as of June 2022, Kochava no longer offers a free version of its services.[5]
Specifically, the complaint alleges that Kochava collects consumer data, including precise geolocation data linked to a consumer device’s Mobile Advertising ID (MAID). The MAID is a unique identifier assigned in a mobile device and allows marketers to use targeted ads to advertise to specific consumers based on data Kochava collects and sells.[6] The complaint alleges that it is possible to use geolocation data that is associated with the device’s identifier to identify the device owner. In fact, the complaint states that other data brokers advertise services that do just that. Even without such services, precise geolocation data showing a device’s presence in a particular location at regular daily or nightly intervals may identify a consumer’s work and home addresses, and this information may be used to identify the consumer’s name.
The FTC alleges that as a result, Kochava and its customers can “track the consumers’ movements to and from sensitive locations, including, among others, locations associated with medical care, reproductive health, religious worship, mental health, temporary shelters, such as shelters for the homeless, domestic violence survivors, or other at-risk populations, and addiction recovery.” The FTC also alleges Kochava failed to incorporate protections into its platform that would safeguard the
consumers’ geolocation data, identity, and privacy, such as providing less precise location data, removing timestamps, and proactively notifying users when their data is collected and/or sold.
Without incorporating necessary protections for consumers’ most sensitive data, the FTC alleges, Kochava’s business practices represent an “unwarranted intrusion into the most private areas of consumers’ lives and cause[] or is likely to cause substantial injury to consumers,” including “stigma, discrimination, physical violence, emotional distress, and other harms.”
FTC’s Authority Challenged
The FTC’s complaint comes after the company filed a preemptive suit [7] against the FTC alleging that the agency’s request for injunctive relief would violate the company’s constitutional due process rights. In its suit, Kochava alleges that the FTC is only authorized to seek injunctive relief for ongoing or potential unlawful conduct, not for past conduct that is unlikely to recur, and argues the agency lacks authority to require disgorgement remedies. In August, Kochava announced a “Privacy Block,” an update that is intended to remove consumer health service location data from its platform. The company also argued that the FTC’s investigation has not identified “any rule or statement with legal force and effect describing the specific geolocation data practices” the FTC is attempting to enforce, and that Kochava will be harmed by proceedings that could take “years” and “render[] any post hoc review of any administrative decision, if any at all, meaningless.”
A key legal question in the FTC’s case against Kochava will be scope of the agency’s enforcement authority under the FTC Act, which the Supreme Court limited in AMG Capital Management, LLC v. FTC, decided in 2021. [8] Other companies have similarly challenged the FTC’s investigative process and authority, including in a case currently pending at the Supreme Court between the FTC and a payday loan servicing company that allegedly violated the FTC Act by charging borrowers excessively high interest rates. [9] The Supreme Court will soon hear arguments over whether companies that are being investigated by the FTC can challenge the validity of the FTC’s actions before the completion of the agency’s internal administrative procedures. Whether the Supreme Court allows early judicial intervention during the agency’s investigations could have a substantial impact on Kochava’s ability to head-off FTC enforcement.
***
The FTC’s complaint reflects its increasing focus on privacy and security of consumer data, particularly consumer health data, in recent years. [10] Recently, as we discussed in a prior client alert, the FTC voted to publish a wide-ranging Advanced Notice of Proposed Rulemaking on consumer data collection and data security. [11] The outcome of the FTC’s case against Kochava will likely provide further valuable insight into the FTC’s regulatory approach to enforcing consumer privacy protections and how further enforcement could impact the collection and sale of consumer location data moving forward.
The FTC and Dobbs
The Dobbs decision and its impact have significantly increased the Biden administration’s regulatory focus on and public awareness of the ways in which precise geolocation data may be used to identify and track consumers in all aspects of their lives, including patients and healthcare providers at reproductive healthcare locations. In July, after the Supreme Court issued its opinion in Dobbs, the FTC published a post on its website warning that the potential intrusions on consumers’ privacy because of this ruling were not merely a figment of a “dystopian fiction.” Rather, according to the FTC, consumers needed to understand the “unprecedented intrusion” that could result from the collection and monetization of their data. In its blog post, the FTC identified the specific harms caused by, “products that track women’s periods, monitor their fertility, oversee their contraceptive use, or even target women considering abortion,” including “discrimination, stigma, and mental anguish,” and the significant impact the intrusion could have on “personal reproductive matters.” The agency underscored its commitment to protecting consumers’ location, health, and other “highly sensitive data” from illegal use and sharing.[2]
FTC Complaint Against Kochava
On August 29, 2022, the FTC filed a complaint [3] against data broker Kochava Inc. (“Kochava”) in a federal district court in Idaho, alleging that Kochava collected, packaged, and sold sensitive consumer data, including, “geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations” in violation of Section 5(a) of the FTC Act, which prohibits companies from engaging in unfair or deceptive business practices.[4] The FTC is seeking an injunction against Kochava and a requirement that it delete consumers’ sensitive location data, including information associated with travel to or from reproductive healthcare clinics, and
prohibiting the collection and sale of similar data in the future.
Kochava is a data broker that purchases large volumes of precise geolocation data derived from consumers’ mobile devices. It packages this data into feeds that provide the information to advertisers so these firms can better optimize the services they provide to their own customers. According to its website, Kochava is the “industry leader for mobile app attribution and mobile app analytics.”
According to the complaint, Kochava advertises that its data-rich feed contains “raw latitude/longitude data” from almost 100 billion geotransactions per month, 125 million monthly consumers, and more than 90 daily transactions per device. In September 2016, Kochava began making a data sample publicly available for free on its platform and required only minimal registration information from a user before permitting a download. The free data sample contained information from over 61 million unique mobile devices, including information flagged as “sensitive,” at no cost. According to the FTC’s complaint, as of June 2022, Kochava no longer offers a free version of its services.[5]
Specifically, the complaint alleges that Kochava collects consumer data, including precise geolocation data linked to a consumer device’s Mobile Advertising ID (MAID). The MAID is a unique identifier assigned in a mobile device and allows marketers to use targeted ads to advertise to specific consumers based on data Kochava collects and sells.[6] The complaint alleges that it is possible to use geolocation data that is associated with the device’s identifier to identify the device owner. In fact, the complaint states that other data brokers advertise services that do just that. Even without such services, precise geolocation data showing a device’s presence in a particular location at regular daily or nightly intervals may identify a consumer’s work and home addresses, and this information may be used to identify the consumer’s name.
The FTC alleges that as a result, Kochava and its customers can “track the consumers’ movements to and from sensitive locations, including, among others, locations associated with medical care, reproductive health, religious worship, mental health, temporary shelters, such as shelters for the homeless, domestic violence survivors, or other at-risk populations, and addiction recovery.” The FTC also alleges Kochava failed to incorporate protections into its platform that would safeguard the
consumers’ geolocation data, identity, and privacy, such as providing less precise location data, removing timestamps, and proactively notifying users when their data is collected and/or sold.
Without incorporating necessary protections for consumers’ most sensitive data, the FTC alleges, Kochava’s business practices represent an “unwarranted intrusion into the most private areas of consumers’ lives and cause[] or is likely to cause substantial injury to consumers,” including “stigma, discrimination, physical violence, emotional distress, and other harms.”
FTC’s Authority Challenged
The FTC’s complaint comes after the company filed a preemptive suit [7] against the FTC alleging that the agency’s request for injunctive relief would violate the company’s constitutional due process rights. In its suit, Kochava alleges that the FTC is only authorized to seek injunctive relief for ongoing or potential unlawful conduct, not for past conduct that is unlikely to recur, and argues the agency lacks authority to require disgorgement remedies. In August, Kochava announced a “Privacy Block,” an update that is intended to remove consumer health service location data from its platform. The company also argued that the FTC’s investigation has not identified “any rule or statement with legal force and effect describing the specific geolocation data practices” the FTC is attempting to enforce, and that Kochava will be harmed by proceedings that could take “years” and “render[] any post hoc review of any administrative decision, if any at all, meaningless.”
A key legal question in the FTC’s case against Kochava will be scope of the agency’s enforcement authority under the FTC Act, which the Supreme Court limited in AMG Capital Management, LLC v. FTC, decided in 2021. [8] Other companies have similarly challenged the FTC’s investigative process and authority, including in a case currently pending at the Supreme Court between the FTC and a payday loan servicing company that allegedly violated the FTC Act by charging borrowers excessively high interest rates. [9] The Supreme Court will soon hear arguments over whether companies that are being investigated by the FTC can challenge the validity of the FTC’s actions before the completion of the agency’s internal administrative procedures. Whether the Supreme Court allows early judicial intervention during the agency’s investigations could have a substantial impact on Kochava’s ability to head-off FTC enforcement.
***
The FTC’s complaint reflects its increasing focus on privacy and security of consumer data, particularly consumer health data, in recent years. [10] Recently, as we discussed in a prior client alert, the FTC voted to publish a wide-ranging Advanced Notice of Proposed Rulemaking on consumer data collection and data security. [11] The outcome of the FTC’s case against Kochava will likely provide further valuable insight into the FTC’s regulatory approach to enforcing consumer privacy protections and how further enforcement could impact the collection and sale of consumer location data moving forward.
[1] Exec. Order No. 14076, 87 F.R. 133 (2022), https://www.govinfo.gov/content/pkg/FR-2022-07-13/pdf/2022-15138.pdf.
[2] Kristin Cohen, Location, health, and other sensitive information: FTC committed to fully enforcing the law against
illegal use and sharing of highly sensitive data, FEDERAL TRADE COMMISSION BUSINESS BLOG (July 11, 2022),
https://www.ftc.gov/business-guidance/blog/2022/07/location-health-other-sensitive-information-ftc-committed-fullyenforcing-law-against-illegal-use.
[3] Complaint, F.T.C. v. Kochava, Inc., No. 2:22-cv-00377-DCN (D. Idaho Aug. 29, 2022), ECF 1,
https://www.ftc.gov/system/files/ftc_gov/pdf/1. Complaint.pdf.
[4] Press Release, FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of
Worship, and Other Sensitive Locations, FEDERAL TRADE COMMISSION (August 29, 2022), https://www.ftc.gov/newsevents/news/press-releases/2022/08/ftc-sues-kochava-selling-data-tracks-people-reproductive-health-clinics-placesworship-other. See also The Federal Trade Commission Act §5, 15 U.S.C. § 45(a).
[5] Complaint at ¶ 13, F.T.C. v. Kochava, Inc., No. 2:22-cv-00377-DCN (D. Idaho Aug. 29, 2022), ECF 1,
https://www.ftc.gov/system/files/ftc_gov/pdf/1. Complaint.pdf.
[6] Complaint at ¶ 10, F.T.C. v. Kochava, Inc., No. 2:22-cv-00377-DCN (D. Idaho Aug. 29, 2022), ECF 1,
https://www.ftc.gov/system/files/ftc_gov/pdf/1. Complaint.pdf.
[7] Complaint, Kochava Inc. v. F.T.C., No. 2:22-cv-00349-BLW (D. Idaho August 12, 2022), ECF 1.
[8] AMG Cap. Mgmt., LLC v. F.T.C., 141 S. Ct. 1341 (2021).
[9] See e.g., Axon Enter., Inc. v. F.T.C., 986 F.3d 1173 (9th Cir. 2021), cert. granted in part, 142 S. Ct. 895 (2022).
[10] See, e.g., Flo Health Inc., 86 F.R. 7382 (F.T.C. June 17, 2021).
https://www.ftc.gov/system/files/documents/cases/192_3133_flo_health_decision_and_order.pdf (settling company for
targeted advertising, despite promising to keep users’ data private).
[11] Trade Regulation Rule on Commercial Surveillance and Data Security, Federal Trade Commission, 87 F.R. 51273
(F.T.C. proposed August 22, 2022), 2022-17752.pdf (govinfo.gov).
Footnotes
[1] Exec. Order No. 14076, 87 F.R. 133 (2022), https://www.govinfo.gov/content/pkg/FR-2022-07-13/pdf/2022-15138.pdf.
[2] Kristin Cohen, Location, health, and other sensitive information: FTC committed to fully enforcing the law against
illegal use and sharing of highly sensitive data, FEDERAL TRADE COMMISSION BUSINESS BLOG (July 11, 2022),
https://www.ftc.gov/business-guidance/blog/2022/07/location-health-other-sensitive-information-ftc-committed-fullyenforcing-law-against-illegal-use.
[3] Complaint, F.T.C. v. Kochava, Inc., No. 2:22-cv-00377-DCN (D. Idaho Aug. 29, 2022), ECF 1,
https://www.ftc.gov/system/files/ftc_gov/pdf/1. Complaint.pdf.
[4] Press Release, FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of
Worship, and Other Sensitive Locations, FEDERAL TRADE COMMISSION (August 29, 2022), https://www.ftc.gov/newsevents/news/press-releases/2022/08/ftc-sues-kochava-selling-data-tracks-people-reproductive-health-clinics-placesworship-other. See also The Federal Trade Commission Act §5, 15 U.S.C. § 45(a).
[5] Complaint at ¶ 13, F.T.C. v. Kochava, Inc., No. 2:22-cv-00377-DCN (D. Idaho Aug. 29, 2022), ECF 1,
https://www.ftc.gov/system/files/ftc_gov/pdf/1. Complaint.pdf.
[6] Complaint at ¶ 10, F.T.C. v. Kochava, Inc., No. 2:22-cv-00377-DCN (D. Idaho Aug. 29, 2022), ECF 1,
https://www.ftc.gov/system/files/ftc_gov/pdf/1. Complaint.pdf.
[7] Complaint, Kochava Inc. v. F.T.C., No. 2:22-cv-00349-BLW (D. Idaho August 12, 2022), ECF 1.
[8] AMG Cap. Mgmt., LLC v. F.T.C., 141 S. Ct. 1341 (2021).
[9] See e.g., Axon Enter., Inc. v. F.T.C., 986 F.3d 1173 (9th Cir. 2021), cert. granted in part, 142 S. Ct. 895 (2022).
[10] See, e.g., Flo Health Inc., 86 F.R. 7382 (F.T.C. June 17, 2021).
https://www.ftc.gov/system/files/documents/cases/192_3133_flo_health_decision_and_order.pdf (settling company for
targeted advertising, despite promising to keep users’ data private).
[11] Trade Regulation Rule on Commercial Surveillance and Data Security, Federal Trade Commission, 87 F.R. 51273
(F.T.C. proposed August 22, 2022), 2022-17752.pdf (govinfo.gov).
Related Attorneys
Related Capabilities
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
News and Insights
Podcasts
Partner Laurel Loomis Rimon Discusses Fintech Enforcement, Debanking, and Regulatory Risk on Fintech Layer Cake Podcast
Partner Laurel Loomis Rimon was featured on the Fintech Layer Cake podcast, where she discussed how fintech enforcement and prosecution actually work in practice, and what exposes fintechs and banks to regulatory risk.
July 15, 2026
Publications
Supreme Court Clarifies Scope of Private Rights of Action Under the Investment Company Act, Private Equity Law Report
Partners Charles Riely, Todd C. Toral, and Martin Glass authored a guest article for Private Equity Law Report examining the US Supreme Court's June 11, 2026, ruling on the scope of private rights of action under the Investment Company Act of 1940.
July 14, 2026
Publications
Emily Loeb Discusses Congressional Oversight Preparedness in Bloomberg Law
Partner Emily Loeb, co-chair of Jenner & Block's Congressional Investigations Practice, spoke with Bloomberg Law article about how companies can prepare for potential oversight exposure ahead of this fall's midterm elections.
July 7, 2026
Publications
In New York Law Journal, The True Lender Doctrine and the OppFi Decision
Partners Jeremy Creelan, Michael Ross, Megan Poetzel, and Laurel Loomis Rimon, and Associate Molly Oberstein-Allen authored an article for the New York Law Journal examining the "True Lender" doctrine in light of a May 2026 California decision that provides the most detailed judicial framework to date for evaluating bank-nonbank lending partnerships.
July 1, 2026
Event
Partner Michael Vernick to Speak at NACUA's 2026 Annual Conference
On July 1, Partner Michael Vernick will speak on a panel at the National Association of College and University Attorneys (NACUA) 2026 Annual Conference in Nashville.
July 1, 2026