Data broker’s staggering sale of sensitive info exposed in unsealed FTC filing


The FTC has accused Kochava of violating the FTC Act by amassing and disclosing “a staggering amount of sensitive and identifying information about consumers,” alleging that Kochava’s database includes products seemingly capable of identifying nearly every person in the United States.

According to the FTC, Kochava’s customers, ostensibly advertisers, can access this data to trace individuals’ movements—including to sensitive locations like hospitals, temporary shelters, and places of worship, with a promised accuracy within “a few meters”—over a day, a week, a month, or a year. Kochava’s products can also provide a “360-degree perspective” on individuals, unveiling personally identifying information like their names, home addresses, phone numbers, as well as sensitive information like their race, gender, ethnicity, annual income, political affiliations, or religion, the FTC alleged.

Beyond that, the FTC alleged that Kochava also makes it easy for advertisers to target customers by categories that are “often based on specific sensitive and personal characteristics or attributes identified from its massive collection of data about individual consumers.” These “audience segments” allegedly allow advertisers to conduct invasive targeting by grouping people not just by common data points like age or gender, but by “places they have visited,” political associations, or even their current circumstances, like whether they’re expectant parents. Or advertisers can allegedly combine data points to target highly specific audience segments like “all the pregnant Muslim women in Kochava’s database,” the FTC alleged, or “parents with different ages of children.”


According to the FTC, Kochava obtains data “from a myriad of sources, including from mobile apps and other data brokers,” which together allegedly connects a web of data that “contains information about consumers’ usage of over 275,000 mobile apps.”

The FTC alleged that this usage data is also invasive, allowing Kochava customers to track not just what apps a customer uses, but how long they’ve used the apps, what they do in the apps, and how much money they spent in the apps, the FTC alleged.


Kochava “actively promotes its data as a means to evade consumers’ privacy choices,” the FTC alleged. Further, the FTC alleged that there are no real ways for consumers to opt out of Kochava’s data marketplace, because even resetting their mobile advertising IDs—the data point that’s allegedly most commonly used to identify users in its database—won’t stop Kochava customers from using its products to determine “other points to connect to and securely solve for identity.”


Kochava hoped the court would impose sanctions on the FTC because Kochava argued that many of the FTC’s allegations were “knowingly false.” But Winmill wrote that the bar for imposing sanctions is high, requiring that Kochava show that the FTC’s complaint was not just implausibly pled, but “clearly frivolous,” raised “without legal foundation,” or “brought for an improper purpose.”

In the end, Winmill denied the request for sanctions, partly because the court could not identify a “single” allegation in the FTC complaint flagged by Kochava as false that actually appeared “false or misleading,” the judge wrote.

Instead, it seemed like Kochava was attempting to mislead the court.


“The Court concludes that the FTC’s legal and factual allegations are not frivolous,” Winmill wrote, dismissing Kochava’s motion for sanctions. The judge concluded that Kochava’s claims that the FTC intended to harass and generate negative publicity about the data broker were ultimately “long on hyperbole and short on facts.”

Source: Data broker’s “staggering” sale of sensitive info exposed in unsealed FTC filing | Ars Technica

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft