FTC Bans Kochava from Selling Precise Geolocation Data Without Consent

Overview of the FTC Enforcement Action

The Federal Trade Commission (FTC) has finalized a settlement with data broker Kochava Inc. and its subsidiary, Collective Data Solutions (CDS), effectively banning the unauthorized sale of precise consumer geolocation data. According to BleepingComputer, the settlement addresses allegations that Kochava sold timestamped latitude and longitude coordinates collected from hundreds of millions of mobile devices without obtaining explicit consent from the users.

The enforcement action highlights the growing scrutiny surrounding the data brokerage industry, specifically regarding the handling of sensitive location data. The FTC alleged that Kochava’s data allowed third parties to track individuals to highly sensitive locations, including reproductive health clinics, places of worship, and domestic violence shelters. By failing to anonymize this data effectively, Kochava enabled the identification of specific individuals based on their movement patterns.

The Mechanics of Precise Geolocation Exploitation

Unlike generalized location data, which may only identify a city or zip code, Kochava’s data sets included precise GPS coordinates linked to Mobile Advertising IDs (MAIDs). These identifiers are persistent strings assigned to mobile devices to help marketers track user behavior. While this is not a software CVE in the traditional sense, the lack of data safeguards creates a systemic vulnerability for millions of citizens.

By correlating MAIDs with publicly available information or residential addresses, data purchasers could de-anonymize individuals. This practice exposes users to significant risks, ranging from targeted harassment to physical surveillance. Analysts within a SOC must recognize that the harvesting of such data can mimic the reconnaissance TTP used by sophisticated threat actors to profile targets for social engineering or physical intrusion.

Complying with FTC Geolocation Data Regulations and Enforcement

The settlement terms establish a new precedent for the industry, mandating that Kochava implement a comprehensive privacy program and delete historical data for which they cannot verify consent. Understanding the FTC Kochava settlement data privacy impact is essential for any enterprise that ingests third-party telemetry. The order requires the broker to develop a functional system that prevents the collection and sale of “sensitive location data”—a category that is expanding under current regulatory definitions.

For cybersecurity professionals, managing sensitive location data collection risks involves more than just technical encryption. It requires auditing the supply chain of information. If an organization ingests these datasets into a SIEM for behavioral analytics or fraud detection, they must now verify that the source of that data adheres to strict opt-in consent mechanisms. The FTC’s move indicates that “anonymized” data is no longer a sufficient defense if the data points are granular enough to re-identify a person.

Actionable Recommendations for Defenders

Security and compliance teams should take the following steps to align with the evolving regulatory landscape:

• Audit Data Ingestion: Inventory all third-party data feeds that include geolocation, MAIDs, or device-specific telemetry. Ensure that contracts include clauses verifying explicit user consent for data resale.
• Implement Data Minimization: Adopt a policy of only collecting the minimum amount of location data necessary for business operations. If precise coordinates are not required, aggregate the data to a less sensitive level (e.g., neighborhood or city) before storage.
• Verify Sensitive Geofencing: Establish “no-go” zones for data collection, such as healthcare facilities and religious institutions, to prevent the accidental acquisition of sensitive movement patterns.
• Review Consent Flows: For organizations that develop mobile applications, ensure that the permission prompts for location access clearly state if the data will be shared with third-party brokers or analytics firms.

This regulatory action serves as a warning that the unauthorized sale of telemetry is increasingly viewed through the lens of consumer safety and national security. Organizations must adapt their data governance frameworks to prioritize consumer privacy alongside traditional security metrics.