What happened
The Federal Trade Commission has reached a proposed settlement that would ban data broker Kochava and its subsidiary Collective Data Solutions from selling Americans’ precise location data without explicit consumer consent, resolving charges filed nearly four years ago. The proposed order has been filed in the US District Court for the District of Idaho and will carry the force of law upon judicial approval.
The FTC originally sued Idaho-based Kochava in August 2022, alleging the company collected and sold precise geolocation data from hundreds of millions of mobile devices, allowing clients to track users’ movements to and from sensitive locations including mental health and addiction recovery facilities, reproductive health clinics, places of worship, and shelters for domestic violence survivors and the homeless. Kochava charged clients a $25,000 subscription fee for access to a data feed through the AWS Marketplace, claiming delivery of 94 billion or more geo transactions per month across 125 million monthly active users.
Under the proposed order, Kochava and CDS are prohibited from selling, licensing, transferring, or disclosing precise location data unless they have affirmative express consent and the data is used to provide a service directly requested by the consumer. Additional requirements include establishing a sensitive location data program, implementing a supplier assessment program to verify consumer consent, allowing consumers to request disclosure of who received their data and withdraw consent, submitting incident reports to the FTC when third parties misuse location data, and creating a data retention and deletion schedule.
The settlement follows FTC bans on four other data brokers, InMarket Media, Outlogic, Gravy Analytics, and Mobilewalla, issued in 2024 for similar location data practices.
Who is affected
Consumers whose location data was collected and sold through Kochava’s platform without their knowledge or consent are the primary affected population, a group the FTC characterized as numbering in the hundreds of millions. Organizations that purchased location data through Kochava’s marketplace may face compliance implications if that data was used in ways inconsistent with the new order’s requirements.
Why CISOs should care
The Kochava settlement is the latest in a series of FTC enforcement actions establishing that selling precise location data without explicit consent is an unfair practice under US consumer protection law. For security and privacy leaders, the pattern of these enforcement actions signals a maturing regulatory posture around commercial surveillance data that will affect how organizations source, use, and retain third-party location intelligence.
The consent and disclosure requirements in the proposed order, including consumer rights to know who received their data and to withdraw consent, also preview the kind of data subject rights framework that organizations purchasing third-party location data may need to accommodate in their own compliance programs.
3 practical actions
- Audit your organization’s use of third-party location data and verify the consent basis for any data purchased from brokers: The FTC’s enforcement pattern across Kochava, Gravy Analytics, Outlogic, and InMarket Media establishes that purchasing location data without verifying consumer consent creates compliance exposure. Review any current data broker relationships involving location intelligence and confirm the legal basis under which that data was collected.
- Assess whether any location data in use could be linked to sensitive categories: The FTC’s enforcement focus has consistently emphasized location data tied to healthcare facilities, places of worship, and domestic violence resources. If your organization uses location data that could reveal visits to these categories of locations, treat that data as requiring the highest level of consent verification and access control.
- Update vendor due diligence processes to include location data consent verification as a mandatory assessment point: The Kochava order requires a supplier assessment program to verify consumer consent upstream. Organizations that purchase location data should build equivalent verification into their vendor onboarding and periodic review processes, treating consent documentation as a contractual requirement rather than an assumed given.
Also in the news today:
- DAEMON Tools Trojanized in Supply-Chain Attack to Deploy Backdoor
- Student Hacked Taiwan High-Speed Rail to Trigger Emergency Brakes
- Instructure Hacker Claims Data Theft From 8,800 Schools and Universities
- Australia Launches Cyber Incident Review Board Modeled on Disbanded US Equivalent
- North Korean Hackers Targeted Ethnic Koreans in China With Android BirdCall Malware
