U.S. Federal Trade Commission Sues Kochava (ftc.gov)

From the FTC’s press release:

In a complaint filed against Kochava, the FTC alleges that the company’s customized data feeds allow purchasers to identify and track specific mobile device users. For example, the location of a mobile device at night is likely the user’s home address and could be combined with property records to uncover their identity. In fact, the data broker has touted identifying households as one of the possible uses of its data in some marketing materials.

[…]

The FTC alleges that Kochava fails to adequately protect its data from public exposure. Until at least June 2022, Kochava allowed anyone with little effort to obtain a large sample of sensitive data and use it without restriction. The data sample the FTC examined included precise, timestamped location data collected from more than 61 million unique mobile devices in the previous week. Using Kochava’s publicly available data sample, the FTC complaint details how it is possible to identify and track people at sensitive locations […]

Lauren Feiner, CNBC:

“This lawsuit shows the unfortunate reality that the FTC has a fundamental misunderstanding of Kochava’s data marketplace business and other data businesses,” Kochava Collective General Manager Brian Cox said in a statement. “Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy.”

Cox said the company announced a new ability to block location data from sensitive locations prior to the FTC’s lawsuit. He said the company engaged with the FTC for weeks explaining the data collection process and hoped to come up with “effective solutions” with the agency.

By “engaging with the FTC for weeks”, Cox appears to mean filing a lawsuit against the Commission earlier this month in an attempt to block the FTC from filing this complaint.

Marketing and data companies are eager to put on a privacy-respecting guise when it suits them while promising services completely antithetical to that. For example, Kochava says it offers in its data marketplace the ability to match mobile devices — perhaps the billion unique mobile devices it also brags about — to email addresses and precise locations. Its marketing materials say it can tie those devices to households and their respective behaviour and purchasing data. Of course, on the same page, it says it is “privacy-first by design” — one wonders how that is possible when the sample data set viewed by the FTC apparently pinpoints specific users by time and location.

Want to opt out? Thanks to regulation in Europe, some U.S. states, and elsewhere, that is made possible. But Kochava is uniquely dickish about it:

[…] You may submit a request to delete all your personal information by emailing Kochava at privacy@kochava.com or by contacting the legal department via telephone at 855-562-4282. However, please bear in mind that when you contact Kochava with such a request, because of the precautions we have proactively taken to protect your privacy, you are actually volunteering more personally identifying information to Kochava as a result of lodging the request than Kochava would have ever had prior to you initiating contact.

I call bullshit. What identifiers could you possibly give Kochava to opt out of its privacy-hostile practices that it does not already know and have enriched with other data sources?

Kochava obviously wants to promote itself as uniquely precise to its audience of marketers who crave that kind of fidelity. Its claims warrant some skepticism. But time and time again this industry has proved itself to be as creepy as the brochures claim, at least in how much it collects. How it interprets that information is, in my experience, more questionable.

The FTC does not come out of this looking particularly good, either. Megan Gray on Twitter:

Methinks the agency knows it’s going to lose. Picked this company b/c thought it would settle. Oopsy. Then when company preemptively filed case, agency was in a corner and doesn’t want to be perceived as backing down from a fight.

Gray, continued:

The agency had until MID OCTOBER to respond to the DJ (and could’ve gotten an extension for further time). This was clearly rushed to capture the press cycle. I genuinely feel bad for staff.

It looks really bad for regulators to get financial settlements and modest concessions out of these cases without pushing for an admission of wrongdoing. It makes it look as though these cases are primarily for revenue generation instead of exposing heinous behaviour and setting standards for others to follow.