FTC Sues Idaho Data Broker Over New Privacy Concerns

September 02, 2022 | 4 minutes read
FTC Sues Idaho Data Broker Over New Privacy Concerns

On August 28, 2022, the Federal Trade Commission (FTC) announced that the government agency had filed a complaint against Kochava Inc, an Idaho-based data broker, in a district court within the state. Likewise, the FTC has claimed that “Kochava’s sales of precise geolocation information collected from consumers’ mobile devices constitutes an “unfair or deceptive act or practice” because it enables those who obtain the data to identify the mobile devices’ owners, track their movements to and from sensitive locations, and make inferences about those individuals and their behavior that could be harmful.” To this last point, the complaint also alleges that the collection of this geolocation data was effectively putting the lives of American citizens at risk.

The complaint goes on to state that the company’s monthly data feed consists of 95 billion transactions pertaining to as many as 35 million individuals on a daily basis. What’s more, the FTC has also alleged that Kochava Inc. does not anonymize or encrypt the geolocation data they sell to businesses and consumers, meaning that such information can be used to track down the whereabouts of people in real-time. To this end, the complaint goes on to state that the geolocation information that Kochava Inc has been collecting and subsequently selling could be used to track individuals to a myriad of different locations, including but not limited to healthcare facilities, retail stores, and even their personal homes.

Roe v. Wade

While the unregulated collection of geolocation data is problematic in virtually every situation or context, the recent overturning of Roe v. Wade by the U.S. Supreme Court in June of this year has placed a new emphasis on the ways in which businesses and organizations safeguard the personal information of their respective customers. This being the case, the data that Kochava Inc. has been selling is also alleged to have been timestamped, in addition to providing buyers with precise latitude and longitude coordinates. Due to these factors, many privacy advocates around the country fear that businesses such as Kochava Inc. are violating the reproductive healthcare rights of American citizens, as states throughout the nation have been deliberating over whether or not they should ban the practice of abortion.

To illustrate this point further, major U.S. news outlets in August of last month reported that a Nevada woman was being brought up on charges of essentially covering up an abortion that her teenage daughter had undergone several months prior. For reference, abortion became illegal in the state of Nevada after the practice was outlawed at the federal level, in accordance with a law that was enacted in the state in 2010, which forbids citizens from receiving an abortion after 20 weeks of pregnancy. With all this being said, law enforcement officials within Nevada reached out to the social media giant Meta to obtain messages that the woman in question had shared with her daughter when looking to help facilitate her abortion.

Despite the fact that Meta, much like other major tech companies that operate within the U.S., has a history of assisting law enforcement agencies when there is a legal requirement to do so, many people around the world expressed criticism over Meta for their decision to hand over personal messages that had been sent using this platform. Given this background information, the notion of a company such as Kochava Inc selling the personal information of everyday working people in the millions obviously opens the conversation to the manner in which this data collection could be used to prosecute American citizens looking to receive abortions, as there is a great level of confusion about which reproductive healthcare activities are considered to be illegal within a particular state.

Federal data privacy law

In spite of the powers that have been bestowed upon the FTC as it concerns the regulation of the business practices of American companies and institutions, the absence of comprehensive data protection law at the U.S. federal level means that citizens of the nation will be subject to violations of their personal privacy irrespective of any actions that are taken by a specific government agency or entity. As data privacy laws within the U.S. are largely limited to sector-specific legislation, such as the Health Insurance Portability and Accountability Act (HIPAA), among others, citizens within the state of Idaho have no tangible means by which they can prevent a company like Kochava Inc from adequately protecting the trove of information such businesses retain over the course of their operations.

In summation, the FTC complaint against Kochava Inc argues that the company’s data collection, processing, retention, and disclosure practices constituted an “an unwarranted intrusion into the most private areas of consumers’ lives” that was compounded by the opacity of geolocation tracking and data brokers’ sales. Indeed, most consumers are unaware of this collection and sale of their data and cannot avoid being included in these datasets or inferences being made about them.” Moreover, while these claims are specifically geared toward Kochava Inc, the underlying accusations that are being made are very much applicable on a much more general level, as many consumers both in the U.S. and around the world at large are unaware of the steps that companies are taking to gather their personal data.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »