FTC Settlement Bars Kochava From Selling Sensitive Location Data Without Consumer Consent
What Happened — The Federal Trade Commission reached a settlement with data‑broker Kochava and its subsidiary Collective Data Solutions that prohibits the sale, sharing, or disclosure of sensitive location information without explicit consumer consent. The agency found the firm had been collecting and monetising near‑real‑time geolocation (accurate to within 10 m), device identifiers, app‑usage patterns, and even annual income; the data included visits to houses of worship and health‑care clinics. The order also mandates a consent‑verification program, a catalog of “sensitive locations,” and a consumer‑opt‑out mechanism.
Why It Matters for TPRM
- Unchecked third‑party data collection can expose your organization to privacy‑law violations (CCPA, GDPR, state statutes).
- Vendors that sell precise location data create reputational risk, especially for sectors handling health data or religiously affiliated users.
- The settlement signals heightened regulatory scrutiny of data‑broker ecosystems, prompting a review of all third‑party data‑sharing arrangements.
Who Is Affected — Advertising & marketing firms, mobile‑app developers, health‑care providers, religious organizations, and any enterprise that integrates third‑party SDKs for location analytics.
Recommended Actions
- Audit contracts and data‑flow diagrams for any reliance on Kochava or similar location‑data brokers.
- Verify that consent mechanisms are in place and documented for all collected location data.
- Consider alternative providers with stronger privacy safeguards or move to first‑party data collection where feasible.
Technical Notes — Data was harvested via SDKs embedded in consumer mobile apps, enabling near‑real‑time geolocation, device IDs, app usage, and inferred income. No specific vulnerability (CVE) was cited; the issue stemmed from business practices and lack of explicit consent. Source: The Record