Privacy, Application security, Data Security

FTC sues data broker Kochava over sale of data tying users to health clinics

A person's finger hovers over the touchscreen of a smartdevice.
A data broker is facing a lawsuit from the FTC over how it scrapes and sells consumer data that could tie users to reproductive health clinics. (Photo credit: "Close up person using smartphone" by is licensed under CC BY-SA 2.0.)

The FTC filed a lawsuit against Kochava over the alleged sale of geolocation data from “hundreds of millions” of mobile devices, which could tie users to reproductive health clinics, addiction recovery facilities, places of worship, and homeless and domestic violence shelters.

Kochava is an Idaho-based data broker that purchases troves of location information from mobile devices, which is then packaged into customized data feeds matching unique device identification numbers complete with time-stamped latitude and longitude locations, according to the suit.

FTC analyzed a sample of public data from Kochava, which included “precise, time-stamped location data collected from more than 61 unique mobile devices in the previous week.”

The broker asserts that the data feeds are meant to support clients with advertising by analyzing foot traffic at physical locations. The suit claims these customized feeds allow purchasers to both identify and track “specific mobile device users.”

“For example, the location of a mobile device at night is likely the user’s home address and could be combined with property records to uncover their identity,” the lawsuit argues. “In fact, the data broker has touted identifying households as one of the possible uses of its data in some marketing materials.”

What’s more, consumers are often unaware of this data collection and sale, as well as the data sharing with Kochava, which means they have no control over it. FTC claims that Kochava also fails to adequately protect the data from public exposure, as it “allowed anyone with little effort to obtain a large sample of sensitive data and use it without restriction” until at least June 2022.

The sale of tracking data “is enabling others to identify individuals and exposing the threats of stigma, stalking, discrimination, job loss, and even physical violence.” The data also enables the purchasers to track users at sensitive locations and could reveal information about personal health choices, religious beliefs, and steps taken to protect themselves from abuse.

“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. 

The lawsuit aims to “protect people’s privacy and halt the sale of their sensitive geolocation data,” according to the release. FTC is seeking to stop the data broker from selling the sensitive geolocation data, while requiring Kochava to delete the geolocation data it collected from users.

FTC lawsuit filed in wake of Supreme Court overturning Roe v. Wade

The lawsuit comes on the heels of a number of growing concerns from Congress and other groups about the impact the repeal of Roe v. Wade will have on women’s health and safety. In states like Texas, citizens are able to report possible violations of the state’s abortion law.

The move prompted stakeholder groups to repeatedly warn tech companies to stop collecting the data. Congress has also proposed multiple laws that would effectively ban the sale of health data by health brokers for the precise reasons laid out in the FTC lawsuit.

In particular, the FTC is concerned the data tied to reproductive health clinics could be used to identify individuals and expose private medical decisions. The analyzed data sample revealed it was possible to track a mobile device from a reproductive health clinic to the user’s home.

The FTC is worried the data could also be used to identify medical professionals who perform or assist in reproductive health services. The lawsuit also notes that location data tied to addiction recovery centers could be used to track people who’ve visited those care sites, as well as any potential “relapses or returns to a recovery center.”

The release reasserts the agency’s keen focus on protecting consumer data, including health information and geolocation data.

Following the Supreme Court decision, the FTC reminded tech companies that it intends to enforce the law against the illegal use and sharing of consumer data, including health information.

Just last year, the FTC warned health app developers that it would be leveraging the rarely used Health Breach Notification rule. The move was lauded as the The Health Insurance Portability and Accountability Act does cover health app privacy and security, an issue stakeholders and Congress have been steadily working to address.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.