Court Dismisses FTC Complaint Against Data Broker Kochava

An Idaho federal court dismissed the U.S. Federal Trade Commission’s lawsuit against data analytics vendor Kochava in bid by the agency to permanently stop the company from selling geolocation data collected from mobile devices.

See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources

The court said FTC can file an amended complaint with a strengthened argument against Kochava within 30 days.

In a 35-page ruling Thursday, U.S. District Court Judge B. Lynn Winmill said the FTC failed to sufficiently allege consumer harms.

“The FTC asks the Court to simply infer that consumer injury is probable from its assertion that Kochava is disclosing “sensitive information” about device users,” Winmill wrote. “The FTC must go one step further and allege that Kochava’s practices create a ‘significant risk’ that third parties will identify and harm consumers.”

The FTC in its lawsuit filed last August against Idaho-based Kochava said the company invades consumer’s privacy by selling advertisers geolocation data sets of mobile phone holders tied to a unique ID (see: FTC Sues Firm That Collects, Sells Sensitive Location Data).

That information could be used to identify individuals who have visited abortion clinics, mental health providers and other sensitive locations, the agency said.

Kochava filed its own lawsuit in the same Idaho federal court weeks before FTC’s action, as a bid to preemptively counter the federal agency (see: Lawsuit Against FTC Intensifies Location Data Privacy Battle).

The company also filed a motion last October to dismiss the FTC’s lawsuit.

Winmill wrote in her Thursday ruling that nothing prevents the FTC from asserting that an invasion of privacy by itself can constitute a legitimate cause for suing. The agency’s failed, she said, by not establishing that Kochava’s business practices constitute substantial injury to consumers.

“The privacy concerns raised by the FTC are certainly legitimate. Disclosing where a person has been every fifteen-minutes over a seven-day period could undoubtedly reveal information that the person would consider private, such as their travel habits, medical conditions, and social or religious affiliations,” she wrote.

But the data that Kochava sells “is not, on its face, sensitive or private.” Instead, the information that the FTC highlights as sensitive, such as medical conditions revealed by repeated trips to a specialist physician, depends on inferences made from geolocation data. “But inferences are often unreliable.”

A geolocation data set showing repeat trips to an oncology clinic might reveal a cancer patient, or the family member of a cancer patient, or a medical professional, Winmill wrote.

The judge also said the geolocation data can be obtained through other means such as following an individual’s movements. “Privacy interests in the kind of location data Kochava sells are therefore weaker than, for example, privacy interests in confidential financial or medical information which is not otherwise publicly accessible.”

The FTC also didn’t indicate how many device users whose privacy interests might be impacted by Kochava.

“The FTC claims only that third parties could tie the data back to device users; not that they have done so or are likely to do so.”

The FTC declined Information Security Media Group’s request for comment on the ruling. An attorney representing Kochava did not immediately respond to ISMG’s request for comment.

The court’s decision serves as a reminder “that Congress has given the FTC very constrained and antiquated tools that limit its ability to tackle emerging privacy concerns,” said Daniel Kaufman, former acting director of the FTC’s Consumer Protection Bureau, currently a regulatory attorney at law firm BakerHostetler.

The FTC brought this case asserting that Kochava had engaged in unfair practices, and to show that a practice is unfair, the FTC has to demonstrate that the practices cause or are likely to cause substantial consumer injury, he tells ISMG.

“That is not an easy standard to meet in many privacy cases and the Court essentially says that. The Court notes that the ‘privacy concerns raised by the FTC are certainly legitimate’ but that is of course not the legal test and therefore the Court dismisses the complaint.”