Amid urgent national security, cybersecurity and data privacy threats, companies require experienced counsel to advise on an ever-changing privacy and cybersecurity compliance landscape and respond to potentially crippling data incidents so they can get back to business. Led by some of the world’s leading legal advisors on national security and data-related regulatory matters, we help boards and top executives safely navigate high-impact breaches and related cyber incidents, and offer specialized regulatory advice in the transactional and compliance contexts.
FTC Action Against Digital Marketing and Analytics Company Highlights Enforcement Approach Ahead of Public Forum on “Commercial Surveillance and Data Security”
September 2, 2022 Download PDF
On August 29, 2022, the Federal Trade Commission (“FTC”) filed suit against Kochava, Inc. (“Kochava”), a digital marketing and analytics company, in the United States District Court for the District of Idaho for allegedly acquiring and selling consumers’ “precise geolocation data” in a format that allows users to track consumers traveling to and from “sensitive locations” such as reproductive health facilities, mental health facilities or places of worship.[i] The Complaint alleges that selling such data constitutes an “unfair practice” under Section 5 of the FTC Act because it may expose consumers to “stigma, discrimination, physical violence, emotional distress, and other harms.”[ii]
The Complaint’s characterization of Kochava’s collection and sale of geolocation data as an “unfair business practice” reflects a divergence from prior FTC enforcement related to data collection and disclosure practices, which has focused principally on whether such practices were inadequately disclosed to consumers, or based on a lack of consent, and therefore “deceptive.” In recent statements, Chair Lina Khan has expressed support for FTC rulemaking and enforcement that imposes “substantive limits” on certain categories of data collection and processing rather than imposing only “procedural protections.”[iii] The Kochava complaint appears to be consistent with this new approach.
The FTC’s priorities and perspective in the area of data privacy and security likely will be further revealed at the Commission’s Commercial Surveillance and Data Security Public Forum scheduled for September 8, 2022, at which several commissioners are expected to offer public remarks, and the Commission will solicit public comment in anticipation of new rulemaking related to data privacy and security.
Key Takeaways
- By asserting that certain data collection and disclosure practices in the digital advertising industry are substantively “unfair,” the Complaint against Kochava departs from prior enforcement actions in this area, which generally alleged that such practices are “deceptive” due to inadequate consumer disclosure or consent.
- Recent statements by Chair Khan expressing support for FTC enforcement activity that imposes “substantive limits on certain types of data collection and processing” suggest the Complaint’s focus on alleged harm resulting from disclosure of geolocation data may foreshadow further FTC enforcement and rulemaking limiting the collection and disclosure of certain categories of data.
The Complaint
The FTC’s Complaint alleges that Kochava “sells customized data feeds to its clients to, among other purposes, assist in advertising and analyzing foot traffic at stores or other locations.”[iv] It alleges that, among other categories of data, the data feed, which purportedly encompasses hundreds of millions of mobile devices, includes “timestamped latitude and longitude coordinates showing the location of mobile devices,” in combination with “a unique identifier assigned to a consumer’s mobile device” (referred to in the Complaint as a “device id” or “mobile advertising ID”).[v]
The Complaint further alleges that the data offered by Kochava is not anonymized because it may be used to identify a mobile device’s user or owner, such as through the use of third-party services that match mobile advertising IDs with a user’s name or address, or by using timestamps associated with a user’s location to infer the user’s address. As a result, the Complaint alleges, the data may be used to “track the consumers’ movements to and from sensitive locations,” such as “locations associated with medical care, reproductive health, religious worship, mental health, temporary shelters, such as shelters for the homeless, domestic violence survivors, or other at-risk populations, and addiction recovery.”[vi] According to the FTC, this tracking may, in turn, expose consumers to “stigma, discrimination, physical violence, emotional distress, and other harms.”[vii]
The Complaint asserts a single claim for violation of Section 5 of the FTC Act, 15 U.S.C. 45(a), (n), which prohibits “unfair or deceptive business practices in or affecting commerce.” The Complaint requests a permanent injunction “to prevent future violations of the FTC Act” by the company.[viii]
The filing of the Complaint came only two weeks after Kochava had filed its own suit against the FTC alleging that the agency lacked authority to bring this lawsuit, and seeking to enjoin the Commission from doing so.[ix] Kochava’s suit, which followed its receipt of a proposed complaint from the FTC, likely accelerated the FTC filing of its Complaint. In its lawsuit, Kochava asserted that it had obtained geolocation data from third-party app developers, who obtained that information from consenting consumers.[x]
Observations
The FTC’s focus on the alleged “unfairness” of Kochava’s collection and sale of geolocation data marks a departure from recent enforcement actions in this area. Recent enforcement actions that focused on the collection and disclosure of allegedly sensitive consumer data under Section 5(a) generally have centered on consumer deception, disclosure, and consent.[xi] In those actions, the FTC typically has alleged that companies engaged in deceptive practices by failing to adequately disclose their data collection or disclosure practices, or by misrepresenting those practices.
Here, although the Complaint alleges that the collection and use of location data was “opaque to consumers, who typically do not know who has collected their location data and how it is being used,” the Complaint does not allege that Kochava deceived consumers. Instead, it alleges that Kochava’s collection and sale of geolocation data was “unfair,” which will require the FTC to prove that those practices “cause[] or [are] likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”[xii] In contrast, in order to establish a deceptive act or practice, the FTC must prove “(1) a representation, omission, or practice … (2) is material, and (3) is likely to mislead consumers acting reasonably under the circumstances.”[xiii] As some have noted, the FTC faces an uphill battle to prove an unfairness claim as compared to a deception claim “because the standard to establish an unfair practice is more specific and the respondent has a great chance of success.”[xiv] While the Complaint does not provide much detail on this theory of liability, it alleges that Kochava’s sale of location data “injures or is likely to injure consumers through exposure to stigma, discrimination, physical violence, emotional distress, and other harms,” and that these potential harms are outweighed by countervailing benefits because Kochava “could implement safeguards to remove data associated with sensitive locations from its data feeds. . . . at a reasonable cost and expenditure of resources.”
The Complaint’s focus on the substantive unfairness of data privacy practices is consistent with Chair Khan’s recent suggestion that the Commission “should approach data privacy and security protections by considering substantive limits rather than just procedural protections.”[xv] The FTC’s suit also comes just days before the Commission hosts its public forum on “commercial surveillance and data security” scheduled for September 8, 2022. According to the FTC, the forum “will explore a wide range of issues that the FTC is seeking comment on” through its Advance Notice of Proposed Rulemaking (“ANPR”).[xvi] The ANPR solicits comments on a broad range of data privacy and security practices, including the “collection, aggregation, analysis, retention, transfer or monetization of consumer data.” The September 8 forum undoubtedly will shed additional light on the FTC’s enforcement priorities in the area of data privacy and security, and its approach to policing “commercial surveillance” going forward.
* * *
[i] See Complaint, FTC v. Kochava, Inc., Case No. 2:22-cv-377 (D. Idaho 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/1.%20Complaint.pdf (hereinafter, “Complaint”).
[ii] Complaint ¶ 29.
[iii] See FTC Chair Lina Khan, Keynote at IAPP Global Privacy Summit 2022 (April 11, 2022), recording available at https://iapp.org/news/video/keynote-lina-khan-chair-of-the-federal-trade-commission-iapp-global-privacy-summit-2022/.
[iv] Complaint ¶ 9.
[v] Complaint ¶ 10.
[vi] Complaint ¶ 23.
[vii] Complaint ¶ 29.
[viii] Complaint at 11.
[ix] See Complaint, Kochava Inc. v. FTC, Case No. 2:22-cv-00349 (D. Idaho 2022).
[x] See Complaint ¶ 19, Kochava Inc. v. FTC, Case No. 2:22-cv-00349 (D. Idaho 2022).
[xi] See, e.g., Health app broke its privacy promises by disclosing intimate details about users (January 13, 2021), available at https://www.ftc.gov/business-guidance/blog/2021/01/health-app-broke-its-privacy-promises-disclosing-intimate-details-about-users; FTC Takes Action Against CafePress for Data Breach Cover Up (March 15, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover; FTC Charges Twitter with Deceptively Using Account Security Data to Sell Targeted Ads (May 25, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/05/ftc-charges-twitter-deceptively-using-account-security-data-sell-targeted-ads.
[xii] 15 U.S.C. § 45(n).
[xiii] FTC v. Stefanchik, 559 F.3d 924, 928 (9th Cir. 2009).
[xiv] Nelly Rosenberg, An Uphill Battle: Ftc Regulation of Unreasonable Data Security As an Unfair Practice, 66 DePaul L. Rev. 1163, 1191 (2017).
[xv] See FTC Chair Lina Khan, Keynote at IAPP Global Privacy Summit 2022 (April 11, 2022), recording available at https://iapp.org/news/video/keynote-lina-khan-chair-of-the-federal-trade-commission-iapp-global-privacy-summit-2022/.
[xvi] FTC Releases Final Agenda for Public Forum on Commercial Surveillance and Lax Data Security Practices (August 29, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-releases-final-agenda-public-forum-commercial-surveillance-lax-data-security-practices.