Judge Bounces FTC’s Suit Against Kochava theregister.com

In August, the FTC sued location broker Kochava over its sale of device-specific location data. The company asked for the suit to be dropped and, this week, it got its wish.

Jessica Lyons Hardcastle, the Register:

An FTC lawsuit against Kochava, alleging the data broker harmed Americans by selling records of their whereabouts, has failed.

That said, a federal court has given the US government agency 30 days to come up with a better legal argument and try again.

If this feels familiar, it may be because a judge rejected the first FTC complaint against Facebook — filed in December 2020 — before agreeing to hear an amended version.

Hardcastle:

In a ruling on Thursday, the federal court agreed with Kochava in that the FTC’s lawsuit didn’t make a strong enough case to prove consumer injury.

“Although the FTC’s first legal theory of consumer injury is plausible, the FTC has not made sufficient factual allegations to proceed,” US District Court Judge Lynn Winmill wrote [PDF]. “To do so, it must not only claim that Kochava’s practices could lead to consumer injury, but that they are likely to do so, as required by the statute.”

This is a frustrating argument. To the same extent there may be questions about whether Kochava’s sale of personal data could be injurious to consumers is likely or merely possible, there is little awareness of data collection by this specific company. Consumers do not know they are providing their location to Kochava for resale when using a given app. They are increasingly aware of the privacy risks of using smartphones, I am sure, but not of these specific contracts. How should any consumer realistically protect themselves when data brokers are prevalent yet invisible in their lives?

Meanwhile, it is worth noting, the harm of an unregulated market for private data is far from a theoretical concern. Trying to figure out whether it is definitively the data bought from a specific broker’s market which leads to some awful circumstance is a profoundly idiotic pursuit. The only reasonable course of action is a comprehensive prophylactic federal data privacy law.