FTC Settlement Forces Kochava to Halt Sale of Sensitive Location Data
What Happened — The U.S. Federal Trade Commission reached a settlement with mobile‑data broker Kochava (and its subsidiary Collective Data Solutions) that bars the company from selling, licensing, or otherwise disclosing precise location information tied to “sensitive locations” (e.g., medical clinics, places of worship, shelters) unless it obtains a consumer’s affirmative express consent. The order also requires quarterly verification that any upstream data supplier has secured such consent and gives consumers a right‑to‑know and opt‑out mechanism.
Why It Matters for TPRM —
- Data‑broker relationships can expose downstream vendors to privacy‑regulatory risk even when the vendor is not the direct collector.
- Failure to obtain proper consent may trigger FTC enforcement, state‑level penalties, and class‑action litigation.
- The settlement expands the definition of “sensitive data” to include location tied to health, religious, and safety‑critical venues, raising the bar for consent management across many third‑party ecosystems.
Who Is Affected — Advertising‑technology platforms, mobile‑app developers, health‑tech services, religious‑affiliated organizations, shelters, and any downstream customers that purchase or rely on Kochava’s location‑enrichment services.
Recommended Actions —
- Review all contracts and data‑sharing agreements with Kochava or any other location‑data broker.
- Verify that consent‑capture mechanisms meet the FTC’s “affirmative express” standard for any location data you ingest.
- Conduct a data‑flow audit to ensure no downstream systems retain or process location data from prohibited “sensitive locations.”
- Update privacy notices and consumer‑rights processes to include the new opt‑out and data‑disclosure requirements.
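A minimal sketch of the data-flow audit step, added here as an illustration and not taken from the source article, the FTC order, or Kochava. It scans ingested location records for fixes that fall inside a geofence around a sensitive venue and lack an affirmative-express consent marker. The record fields, the consent label values, the 100 m radius, and all coordinates are assumptions constructed for the example.

```python
import math

# Assumption: distance (metres) at which a fix is treated as "at" a venue.
# This is a policy choice for the audit, not a figure from the FTC order.
RADIUS_M = 100.0

# Constructed sample geofences; names and coordinates are made up.
SENSITIVE_VENUES = [
    {"name": "sample-clinic", "category": "medical", "lat": 43.6150, "lon": -116.2023},
    {"name": "sample-shelter", "category": "shelter", "lat": 43.6200, "lon": -116.2100},
]

# Constructed sample of ingested broker records; the schema is hypothetical.
RECORDS = [
    {"id": "r1", "lat": 43.61503, "lon": -116.20228, "consent": None},
    {"id": "r2", "lat": 43.62001, "lon": -116.21002, "consent": "affirmative_express"},
    {"id": "r3", "lat": 43.70000, "lon": -116.30000, "consent": None},
    {"id": "r4", "lat": 43.61495, "lon": -116.20235, "consent": "implied"},
]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0  # mean Earth radius
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlam = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def audit(records, venues, radius_m=RADIUS_M):
    """Return records inside a sensitive geofence without express consent."""
    findings = []
    for rec in records:
        if rec.get("consent") == "affirmative_express":
            continue  # consent recorded; still subject to supplier verification
        for venue in venues:
            dist = haversine_m(rec["lat"], rec["lon"], venue["lat"], venue["lon"])
            if dist <= radius_m:
                findings.append({"id": rec["id"], "venue": venue["name"],
                                 "category": venue["category"],
                                 "distance_m": round(dist, 1),
                                 "consent": rec.get("consent")})
                break  # one finding per record is enough to quarantine it
    return findings

if __name__ == "__main__":
    for finding in audit(RECORDS, SENSITIVE_VENUES):
        print(finding)
```

Run this against each downstream store that holds broker-supplied coordinates, and treat every finding as a record to quarantine until consent can be evidenced.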
Technical Notes — Kochava’s SDK aggregates GPS coordinates with Wi‑Fi SSID/BSSID signals to achieve ~10‑meter accuracy. No software vulnerability (CVE) is involved; the risk stems from the business practice of selling granular geolocation data without explicit user consent.
Source: DataBreachToday