# FTC Bans Data Broker Kochava from Selling Location Data Without Explicit Consumer Consent


The Federal Trade Commission has issued a landmark enforcement action against location data broker Kochava, prohibiting the company and its subsidiary Collective Data Solutions from selling precise geolocation information collected from hundreds of millions of American mobile devices without explicit consumer consent. The settlement marks a significant escalation in the FTC's crackdown on the opaque data broker industry and signals intensified regulatory scrutiny of how location data is collected, aggregated, and monetized.


## The Threat: Mass Surveillance Through Mobile Location Data


Kochava operated one of the largest location data repositories in the United States, collecting precise geolocation information from mobile applications and advertising networks. This data—often tracking individuals' movements in real-time or near-real-time—was aggregated and packaged for sale to government agencies, law enforcement, financial services companies, retailers, and other third parties.


The scale of the operation was staggering:


  • Hundreds of millions of mobile devices tracked with precise latitude and longitude coordinates
  • Real-time movement tracking sold without meaningful consumer disclosure
  • Cross-device tracking enabled through device identifiers and IP addresses
  • Sensitive location inference revealing visits to medical facilities, places of worship, financial institutions, and intimate venues

    • The FTC alleged that Kochava's practices violated the FTC Act, which prohibits unfair and deceptive practices affecting consumers. The agency's investigation found that the company had made misleading claims about its data collection methods and the extent of consumer control over their information.


    ## Background and Context: The Unregulated Data Broker Ecosystem


    The U.S. data broker industry operates in a regulatory gray zone. Unlike Europe's General Data Protection Regulation (GDPR), which imposes strict consent requirements on data collection and processing, American privacy law has historically been fragmented and reactive rather than comprehensive.


    Key context:


  • Data brokers purchase consumer information from app developers, wireless carriers, and data aggregators
  • Location data flows through complex supply chains, often with limited transparency about its ultimate use
  • Many consumers are unaware their location is being tracked and sold, particularly when location permissions are buried in app settings
  • The location data industry generates billions in annual revenue, creating powerful financial incentives to maintain the status quo

    • The FTC has accelerated enforcement against data brokers in recent years, including prior actions against X-Mode Social and SafeGraph. However, Kochava's size and the scope of data it controlled make this action particularly significant.


    ## Technical Details: How Location Data Is Collected and Monetized


    Understanding the mechanics of Kochava's operation reveals why regulators view this practice as particularly problematic:


    Data Collection Methods:

  • SDK integration: Kochava integrated software development kits (SDKs) into mobile applications, allowing continuous tracking of user location
  • Device identifiers: Used advertising IDs, IMEI numbers, and MAC addresses to track individuals across multiple apps
  • Geofencing: Created virtual boundaries around specific locations to identify when users entered or exited particular areas
  • Probabilistic matching: Cross-referenced location data with other data sources to infer user identity

    • Data Product Categories:

  • Raw location feeds: Unprocessed location trails showing movement over time
  • Inferred segments: Behavioral classifications based on location patterns (e.g., "high-net-worth individuals," "likely to visit medical facilities")
  • Geofence reports: Foot traffic analysis showing how many people visited specific locations
  • Cross-device tracking: Following the same user across smartphones, tablets, and connected devices

    • Commercial Applications:

    Law enforcement agencies used Kochava data for investigative purposes without warrants. Financial institutions purchased data to assess customer behavior. Retailers used geofencing to target store visitors with advertising.


    ## Implications: Regulatory Momentum and Industry Disruption


    The FTC's ban carries far-reaching consequences:


    For Kochava and the broader data broker industry:

  • Prohibition on selling location data without explicit, affirmative consumer consent
  • Requirement to delete previously collected location data on 200 million devices
  • Ban from collecting or retaining the personal information of consumers

    • For law enforcement and government agencies:

  • New friction in accessing location data for investigative purposes
  • Potential requirement to seek warrants for location information previously obtained from data brokers
  • Questions about the legality of past practices

    • For consumers:

  • Limited relief for past data collection, though some data will be deleted
  • New protections going forward, but only if enforced industry-wide
  • Continued exposure to other data brokers unless broader legislative action occurs

    • Market implications:

    The action signals that large-scale location data sales without affirmative consent may no longer be viable in the U.S. market. However, the data broker ecosystem includes hundreds of companies, many smaller and less visible than Kochava. Unless Congress enacts comprehensive privacy legislation, competitors may continue similar practices using different legal arguments or corporate structures.


    ## The Limits of Enforcement


    While the FTC settlement is significant, several limitations highlight the need for broader legislative reform:


    | Concern | Current Status |

    |---------|---|

    | Retroactive remedies | Limited; consumers receive minimal compensation for past tracking |

    | Industry-wide impact | Only affects Kochava; other data brokers continue operating |

    | Consumer knowledge | Most Americans remain unaware their location is tracked and sold |

    | Litigation barriers | Consumers face high barriers to filing private lawsuits against data brokers |

    | Data broker regulation | No comprehensive federal framework; patchwork of state laws |


    ## Recommendations for Organizations and Policymakers


    For enterprises and organizations:


    1. Conduct location data audits: Identify all sources of location data your organization purchases or uses, including third-party vendors

    2. Review vendor agreements: Ensure data brokers comply with FTC standards and contractual obligations around consent

    3. Implement explicit consent workflows: If collecting location data, require affirmative user opt-in rather than relying on default permissions

    4. Document compliance: Maintain records demonstrating that location data was collected with proper authorization

    5. Prepare for regulatory changes: Assume that stricter location data standards will expand beyond Kochava


    For policymakers and regulators:


    1. Establish comprehensive privacy standards: Enact legislation requiring explicit consent for all personal data collection, including location

    2. Expand FTC enforcement: Allocate additional resources to investigate and enforce against data brokers

    3. Consumer transparency requirements: Mandate clear disclosures about what location data is collected and how it's used

    4. Law enforcement oversight: Require warrants for government access to location data held by third parties

    5. Private right of action: Allow consumers to sue data brokers for violations, creating additional accountability mechanisms


    ## Conclusion


    The FTC's action against Kochava represents a watershed moment in the data broker debate. By banning a major player in the location data industry, regulators have signaled that mass surveillance of Americans' movements without affirmative consent is no longer acceptable. However, meaningful protection will require sustained enforcement against the entire data broker ecosystem and, ultimately, comprehensive federal privacy legislation that gives consumers genuine control over their personal information.


    For organizations currently purchasing or selling location data, the message is clear: the regulatory environment is shifting rapidly, and business models dependent on unrestricted location data access face existential risk.