Court gives FTC 30 days to swing again in privacy bout with location data slinger
Second time's a charm?
An FTC lawsuit against Kochava, alleging the data broker harmed Americans by selling records of their whereabouts, has failed.
That said, a federal court has given the US government agency 30 days to come up with a better legal argument and try again.
"We are pleased the court agreed with a number of our arguments, and we look forward to continuing to press our case on behalf of American consumers," an FTC spokesperson told The Register.
Kochava's chief executive, on the other hand, described the case outcome as an "important step toward resolving this matter." In a statement to The Register, Charles Manning said:
We are encouraged by the fact that the court was receptive to our arguments that the FTC's allegations fall short. As we've said all along, Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy. We remain confident in the legal arguments and rationale for dismissal of the FTC's case and we are hopeful that challenging the FTC will bring necessary regulatory clarity that will ultimately benefit consumers and advertisers as a whole.
The FTC sued Kochava in August, hoping that would force the analytics firm to stop selling personal information. In the lawsuit, the regulator alleged that the company's data feeds, which are sold via publicly accessible marketplaces, revealed individuals' visits to health clinics, places of worship, homeless and domestic violence shelters, addiction recovery facilities, and other sensitive places.
These records, the lawsuit claimed, pinpoint when and where people have been, using timestamps and latitude and longitude values. While this information is supposed to be anonymized, there is a concern it can be used with other information sources to unmask and identify individual netizens and track their movements using this metadata.
Selling both data points together — timestamped geolocation coordinates and a per-device anonymous unique identifier — without any controls to prevent this being used to track a specific person puts individuals at risk of serious harm, according to the FTC.
As the watchdog put it when announcing its legal action:
For example, the location of a mobile device at night is likely the user’s home address and could be combined with property records to uncover their identity. In fact, the data broker has touted identifying households as one of the possible uses of its data in some marketing materials.
In October, Idaho-based Kochava asked the court to throw out the lawsuit, arguing that its data analytics services are all above board and that the FTC doesn't have any proof of "substantial injury" to folks — just "speculative hypotheticals about how unidentified third parties could potentially misuse Kochava's data."
Kochava collects its data from various sources: such as by buying the information from other brokers, or via mobile apps that include Kochava's SDK. That software toolkit is used to track the performance of ads: how many people clicked through an ad in an app, information about those users, whether they made a purchase from the advertiser after clicking through, and so on. That data gets packaged up and sold via marketplaces as described above.
The FTC's lawsuit was too vague, and the watchdog doesn't have any legal standing to sue Kochava anyway, according to the company's motion to dismiss [PDF].
In a ruling on Thursday, the federal court agreed with Kochava in that the FTC's lawsuit didn't make a strong enough case to prove consumer injury.
- FTC sues data broker for selling millions of people's 'precise' location info
- Strike three: FTC says Meta still failing to protect user privacy
- FTC urged to freeze OpenAI's 'biased, deceptive' GPT-4
- Sephora to pay $1.2m to settle Cali privacy law claims – and why this is a big deal
"Although the FTC's first legal theory of consumer injury is plausible, the FTC has not made sufficient factual allegations to proceed," US District Court Judge Lynn Winmill wrote [PDF]. "To do so, it must not only claim that Kochava's practices could lead to consumer injury, but that they are likely to do so, as required by the statute."
But, he added, "it is not clear, however, that the deficiencies cannot be cured." To this point, Judge Winmill gave the FTC 30 days to amend its lawsuit in compliance with the court order.
And while the court agreed with the FTC that an invasion of privacy can constitute "substantial injury" to consumers, thus making it a violation of the FTC Act, in this case the agency failed to show how Kochava's alleged privacy intrusion rises to this level of harm.
"Although the court is somewhat skeptical that this deficiency can be cured through an amended complaint, it will give the FTC an opportunity to try," Winmill wrote. ®