Hogan Lovells 2024 Election Impact and Congressional Outlook Report
The Federal Trade Commission (FTC) data privacy lawsuit against Kochava was recently tossed by an Idaho federal judge. While the Court granted the FTC an opportunity to amend its complaint, the Court expressed skepticism that the FTC could cure all of the defects in its unfair trade practices case against Kochava for alleged sale of location data.
Real-time and historical location data has come under increasing scrutiny from the FTC and other regulators in recent years. In Kochava, the FTC alleged that the company unlawfully sold historical location data associated with unique mobile device IDs for analytics and advertising purposes (e.g. so that customers could increase foot traffic at their stores). The FTC alleged that this data—with a 7-day lookback—potentially enabled buyers to extract sensitive details about consumers’ lives that invaded their privacy and could be used to cause them additional harm. For example, the FTC alleged it was able to use a data sample from Kochava to identify a particular device that had visited a reproductive health clinic, spent nights at a certain residences, and visited another location on at least three evenings that week. The FTC further alleged that the data from Kochava (i.e. location associated with devices) could be combined with data from third parties to link locations with a particular individual.
The FTC alleged Kochava engaged in unfair trade practices under Section 5 of the FTC Act. Among other requirements, a trade practice can only be unfair if it “causes or is likely to cause substantial injury to consumers.” The FTC presented two theories of “substantial injury:” (1) bad actors could theoretically use data acquired from Kochava to identify, track, and harm individuals visiting sensitive locations, and (2) the data sold by Kochava is itself an unwarranted privacy intrusion that is a substantial injury. The Court dismissed both theories.
The FTC’s first “substantial injury” theory was that bad actors could use data from Kochava (which included location and device information) and combine it with data from third parties to associate that location data with specific individuals. That could reveal, for example, whether those individuals visited sensitive locations, such as healthcare facilities, places of worship, homeless and domestic violence shelters, or addiction recovery centers. The bad actors could then inflict secondary harms such as stigma, discrimination, physical violence, and emotional distress on specific individuals based on the locations they had visited.
The Court dismissed the FTC’s theory, finding that the FTC’s complaint merely speculated about the potential harms that might arise, premised on the mere possibility that substantial injury “could” occur. The FTC Act requires more. And because the FTC had not alleged there was at least a “significant risk” that third parties would take the additional steps needed to associate Kochava data with specific individuals, the Court found this theory of harm insufficient as a matter of law.
The FTC’s second “substantial injury” theory was that Kochava’s data reveals “sensitive and private characteristics of consumers” and therefore the sale of that data is an actionable privacy intrusion. Although the Court emphasized that certain privacy intrusions may qualify as substantial injuries under the FTC Act, the Court pointed to three reasons why Kochava’s alleged conduct fell short of that standard.
First, the Court found that location data is not inherently sensitive or private and that sensitive or private information derived from location data could only be inferred. The Court gave the following example: “geolocation data showing that a device visited an oncology clinic twice in one week could reveal that the device user suffers from cancer. Or it may instead reveal that the person has a friend or family member who suffers from cancer. Or that the person is a pharmacist or is in the business of selling or maintaining medical devices. The point is that the FTC does not actually claim that Kochava is disclosing private information, but rather that it is selling data from which private information might be inferred.”1
Second, the Court noted that location data is generally accessible through other lawful sources. For example, the Court explained, movements on public streets can be observed by third parties and addresses are generally publicly accessible through property records. By contrast, confidential information, like medical or financial information, typically is not publicly available.
Third, the Court found that the extent of an individual’s alleged injuries were largely inchoate and did not constitute concrete injury. If most Kochava users’ data was being used for aggregate analytics purposes without ever being tied back to a user, the Court found that there was no substantial injury to individuals.
The Court said it was “skeptical” that these deficiencies could be addressed through an amended complaint, but granted the FTC an opportunity to amend nonetheless.
Authored by Allison Holt Ryan, Adam A. Cooke, Lance Y. Murashige, Alicia J. Paller, and Stephanie Sandoval.