The federal district court in the Southern District of Idaho denied Kochava’s second attempt to dismiss the Federal Trade Commission’s allegations that the data broker aggregated and sold large amounts of sensitive consumer data in violation of the “unfair practices” prong of Section 5 of the FTC Act, finding the FTC plausibly alleged Kochava’s practices cause or are likely to cause “substantial injury” to consumers.
For those who have been following the case, the decision comes with at least modest surprises – in particular, the court’s focus on the potential sensitivity of mobile app and identity graph data, more so than the precise geolocation data that had seemed to spur the FTC’s original complaint.
We describe below the FTC’s amended complaint, the court’s decision, and key takeaways.
The FTC’s Complaint
The FTC amended its complaint after the court dismissed the original complaint for failure to demonstrate Kochava’s alleged actions “cause or are likely to cause” a “substantial injury” to consumers – substantial injury being a critical element of alleging an “unfair practices” claim under the FTC Act. In its amended complaint, the FTC alleges Kochava sells a “staggering amount” of sensitive geolocation data and identifying information, such as MAIDs, political affinity, and app usage without first imposing data privacy protections. The amended complaint contains new factual allegations bolstering the FTC’s claims that Kochava’s practices result in two harms to consumers: (1) an increased risk of secondary harm and (2) an invasion of privacy.
First, the FTC contends Kochava’s data sales significantly increase the risk of consumers experiencing secondary harm like stigma, discrimination, physical violence, and emotional distress. The FTC specifically points to four Kochava products that allegedly contain consumers’ precise location and behavioral data, don’t implement sufficient access controls or use restrictions, and link a variety of data (some of it personally identifiable, some of it pseudonymous) to MAIDS. The FTC argues such data sales – particularly when taken in combination — reveal highly sensitive data about individual users, such as whether a user “downloaded an LGBTQ+ dating app, a Muslim prayer app, or an app for monitoring specific health concerns, like cancer or sexually transmitted infections.” The FTC thus describes Kochava’s alleged sale of the non-anonymized mobile data of millions of consumers as giving Kochava customers a “360-degree perspective” on the unique and sensitive aspects of an individual’s identity.
The Decision
The court held the FTC’s addition of real-world examples of consumers experiencing harm due to disclosure of the consumers’ geolocation and app usage data plausibly alleged substantial risk of secondary harm – in particular, potential “stigma, discrimination, physical violence and emotional distress.” The court then further held that the sheer “quantity and quality” of Kochava’s datasets was by itself enough to allege an independent invasion of privacy. In doing so, the court emphasized that “Kochava does not merely sell ‘bits and pieces’ of data” or merely sell geolocation data, which the court noted were either “unreliable” or less reliable, but that Kochava also provides more holistic inferences.
Key Takeaways
The court’s opinion left open as many questions as it answered, regarding when data brokers step over the line to commit “unfair” acts and practices, and regarding whether precise geolocation data really should be categorized (as the FTC’s original complaint suggested) as a categorically more “harmful” type of data. For instance,
- While the court does not offer a bright line or balancing test as to when data sales cause “substantial injury” to consumers, the court appears to base its calculus on the sheer volume and sensitivity of consumer data Kochava sells to customers. The court seems particularly concerned about data collected from health, religion and dating apps.
- Unlike in its initial decision, the court does not center its discussion on geolocation data. The court seems most concerned with the sale of sensitive behavioral data from which entities may draw reliable inferences on consumer activities and preferences.
But the decision leaves unanswered questions that may be critical in other, similar cases. For instance, the court also does not offer guidance as to whether consent or robust notice might have cured the concerns raised in the FTC’s complaint. And, the court did not address the other elements of “unfair practices” – namely, whether countervailing benefits might have existed, or whether consumers could have reasonably avoided the data collection and uses and issue.