FTC Sues Idaho Data Broker Over New Privacy Concerns
On August 28, 2022, the Federal Trade Commission (FTC) announced that the government agency had filed a complaint against Kochava Inc, an Idaho-based data broker, in a district court within the state. Likewise, the FTC has claimed that “Kochava’s sales of precise geolocation information collected from consumers’ mobile devices constitutes an “unfair or deceptive act or practice” because it enables those who obtain the data to identify the mobile devices’ owners, track their movements to and from sensitive locations, and make inferences about those individuals and their behavior that could be harmful.” To this last point, the complaint also alleges that the collection of this geolocation data was effectively putting the lives of American citizens at risk.
The complaint goes on to state that the company’s monthly data feed consists of 95 billion transactions pertaining to as many as 35 million individuals on a daily basis. What’s more, the FTC has also alleged that Kochava Inc. does not anonymize or encrypt the geolocation data they sell to businesses and consumers, meaning that such information can be used to track down the whereabouts of people in real-time. To this end, the complaint goes on to state that the geolocation information that Kochava Inc has been collecting and subsequently selling could be used to track individuals to a myriad of different locations, including but not limited to healthcare facilities, retail stores, and even their personal homes.
Roe v. Wade
While the unregulated collection of geolocation data is problematic in virtually every situation or context, the recent overturning of Roe v. Wade by the U.S. Supreme Court in June of this year has placed a new emphasis on the ways in which businesses and organizations safeguard the personal information of their respective customers. This being the case, the data that Kochava Inc. has been selling is also alleged to have been timestamped, in addition to providing buyers with precise latitude and longitude coordinates. Due to these factors, many privacy advocates around the country fear that businesses such as Kochava Inc. are violating the reproductive healthcare rights of American citizens, as states throughout the nation have been deliberating over whether or not they should ban the practice of abortion.
To illustrate this point further, major U.S. news outlets in August of last month reported that a Nevada woman was being brought up on charges of essentially covering up an abortion that her teenage daughter had undergone several months prior. For reference, abortion became illegal in the state of Nevada after the practice was outlawed at the federal level, in accordance with a law that was enacted in the state in 2010, which forbids citizens from receiving an abortion after 20 weeks of pregnancy. With all this being said, law enforcement officials within Nevada reached out to the social media giant Meta to obtain messages that the woman in question had shared with her daughter when looking to help facilitate her abortion.
Despite the fact that Meta, much like other major tech companies that operate within the U.S., has a history of assisting law enforcement agencies when there is a legal requirement to do so, many people around the world expressed criticism over Meta for their decision to hand over personal messages that had been sent using this platform. Given this background information, the notion of a company such as Kochava Inc selling the personal information of everyday working people in the millions obviously opens the conversation to the manner in which this data collection could be used to prosecute American citizens looking to receive abortions, as there is a great level of confusion about which reproductive healthcare activities are considered to be illegal within a particular state.
Federal data privacy law
In spite of the powers that have been bestowed upon the FTC as it concerns the regulation of the business practices of American companies and institutions, the absence of comprehensive data protection law at the U.S. federal level means that citizens of the nation will be subject to violations of their personal privacy irrespective of any actions that are taken by a specific government agency or entity. As data privacy laws within the U.S. are largely limited to sector-specific legislation, such as the Health Insurance Portability and Accountability Act (HIPAA), among others, citizens within the state of Idaho have no tangible means by which they can prevent a company like Kochava Inc from adequately protecting the trove of information such businesses retain over the course of their operations.
In summation, the FTC complaint against Kochava Inc argues that the company’s data collection, processing, retention, and disclosure practices constituted an “an unwarranted intrusion into the most private areas of consumers’ lives” that was compounded by the opacity of geolocation tracking and data brokers’ sales. Indeed, most consumers are unaware of this collection and sale of their data and cannot avoid being included in these datasets or inferences being made about them.” Moreover, while these claims are specifically geared toward Kochava Inc, the underlying accusations that are being made are very much applicable on a much more general level, as many consumers both in the U.S. and around the world at large are unaware of the steps that companies are taking to gather their personal data.