Full Report
The FTC will ban data broker Kochava and its subsidiary, Collective Data Solutions (CDS), from selling location data without consumers' explicit consent to settle charges alleging that it sold precise geolocation data collected from hundreds of millions of mobile devices. [...]
Analysis Summary
# Regulation/Compliance: FTC Settlement Order Re: Kochava Inc. (Precise Geolocation Data)
## Overview
This is a legal settlement and permanent injunction issued by the Federal Trade Commission (FTC) against Kochava Inc. and its subsidiary, Collective Data Solutions (CDS). The order addresses the unauthorized collection and sale of precise geolocation data, specifically prohibiting the sale of such data without explicit consent and mandating the protection of sensitive locations (e.g., healthcare facilities, shelters, and places of worship).
## Key Details
- **Issuing Authority:** Federal Trade Commission (FTC) / U.S. District Court for the District of Idaho
- **Effective Date:** May 5, 2026 (Date of proposed order; carries force of law upon judicial approval)
- **Jurisdiction:** United States (applying to Americans' data)
- **Status:** Final (Settlement reached; awaiting final judicial sign-off)
## Requirements
### Mandatory Requirements
1. **Affirmative Express Consent:** Must obtain clear, opt-in consent before collecting, selling, licensing, or disclosing precise location data.
2. **Usage Limitation:** Location data must only be used to provide a specific service requested by the consumer.
3. **Sensitive Location Program:** Implement a comprehensive program to identify and block the collection/sale of data linked to "sensitive locations" (medical facilities, religious centers, domestic violence shelters, etc.).
4. **Supplier Assessment Program:** Implement a formal process to verify that third-party data providers have obtained legal consumer consent.
5. **Consumer Transparency:** Provide a mechanism for consumers to find out who received their data and a clear method to withdraw consent.
6. **Data Retention/Deletion:** Establish and maintain a public schedule for data retention and timely deletion.
7. **Incident Reporting:** Mandatory reporting to the FTC if any third-party recipient is found to be misusing location data.
### Recommended Practices
1. **Privacy-by-Design:** Integrate "Privacy Block" technology to automate the exclusion of sensitive POI (Points of Interest).
2. **Anonymization:** Transition toward aggregated or de-identified data sets rather than raw latitude/longitude feeds.
## Affected Organizations
- **Industries:** Data brokers, AdTech, location intelligence providers, and mobile app developers.
- **Organization Size:** All sizes (Kochava managed 125M+ monthly users).
- **Geographic Scope:** Any entity collecting or selling precise geolocation data of individuals within the United States.
## Compliance Timeline
- **August 2022:** Original FTC complaint filed.
- **May 5, 2026:** Settlement announced and proposed order filed.
- **Immediate (Upon Approval):** Implementation of consent mandates and sensitive location blocks.
## Implementation Guidance
### Assessment Phase
- Map all data flows involving "precise geolocation" (raw latitude/longitude).
- Audit current data acquisition pipelines to determine if "affirmative express consent" is currently being recorded and logged.
- Identify "Sensitive Points of Interest" (POIs) within the existing database.
### Implementation Phase
- Deploy an "Affirmative Consent" interface (CMP) for all direct-to-consumer interactions.
- Establish a blacklisting/filtering engine to automatically purge data originating from sensitive geofenced areas.
- Create a "Supplier Audit" checklist for all data vendors.
### Validation Phase
- Conduct quarterly audits of supplier consent logs.
- Perform penetration tests or data queries to ensure sensitive location data is not being leaked into the marketplace feed.
- Submit compliance reports as mandated by the FTC order.
## Technical Requirements
- **Geo-fencing:** Technical controls to prevent data collection in "sensitive" corridors.
- **Data De-identification:** Controls to ensure raw coordinates cannot be trivially re-linked to specific individuals without consent.
- **Audit Logs:** Secure logging of consent timestamps and the specific purpose for which consent was granted.
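The filtering engine from the Implementation Phase and the geo-fencing and audit-log controls listed above can be combined into one pre-release gate. The sketch below is an added example, not code from the FTC order or from Kochava. The zone coordinates and radii, device ids, purposes and decision labels are all constructed assumptions.

```python
import math
from datetime import datetime, timezone

UTC = timezone.utc
T_OPTIN, T_SEEN = datetime(2026, 5, 6, tzinfo=UTC), datetime(2026, 5, 7, tzinfo=UTC)
# Constructed sensitive POIs: (label, lat, lon, exclusion radius in metres)
SENSITIVE_ZONES = [("clinic-A", 43.6150, -116.2023, 200.0),
                   ("shelter-B", 43.6001, -116.2500, 300.0)]
# Constructed consent log: opt-in time, purposes granted, withdrawal flag
CONSENT_LOG = {
    "dev-1": {"granted_at": T_OPTIN, "purposes": {"navigation"}, "withdrawn": False},
    "dev-3": {"granted_at": T_OPTIN, "purposes": {"navigation"}, "withdrawn": True},
    "dev-4": {"granted_at": T_OPTIN, "purposes": {"weather"}, "withdrawn": False},
}
# Constructed feed; the second record sits a few metres from clinic-A
SAMPLE_FEED = [
    {"device": "dev-1", "lat": 43.6300, "lon": -116.2100, "ts": T_SEEN},
    {"device": "dev-1", "lat": 43.6151, "lon": -116.2024, "ts": T_SEEN},
    {"device": "dev-1", "lat": 43.6300, "lon": -116.2100, "ts": datetime(2026, 5, 1, tzinfo=UTC)},
    {"device": "dev-2", "lat": 43.6300, "lon": -116.2100, "ts": T_SEEN},
    {"device": "dev-3", "lat": 43.6300, "lon": -116.2100, "ts": T_SEEN},
    {"device": "dev-4", "lat": 43.6300, "lon": -116.2100, "ts": T_SEEN},
]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def gate(rec, purpose):
    """Decide on one record; fails closed, so anything unverifiable is dropped."""
    consent = CONSENT_LOG.get(rec["device"])
    if consent is None:
        return "no-consent-record"
    if consent["withdrawn"]:
        return "consent-withdrawn"
    if purpose not in consent["purposes"]:
        return "purpose-mismatch"
    if rec["ts"] < consent["granted_at"]:
        return "collected-before-consent"
    if any(haversine_m(rec["lat"], rec["lon"], la, lo) <= r for _, la, lo, r in SENSITIVE_ZONES):
        return "sensitive-zone"
    return "released"

def filter_feed(records, purpose):
    """Return (releasable records, audit trail); the audit trail omits coordinates."""
    decisions = [gate(rec, purpose) for rec in records]
    audit = [{"device": r["device"], "ts": r["ts"].isoformat(), "purpose": purpose,
              "decision": d} for r, d in zip(records, decisions)]
    return [r for r, d in zip(records, decisions) if d == "released"], audit
```

The audit entries record the decision and purpose but not the coordinates, so the log of blocked records does not itself become a store of sensitive-location visits.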
## Penalties & Enforcement
- **Fines:** While this specific settlement focuses on prohibitions, violations of FTC orders can lead to civil penalties of up to **$51,744 per violation**.
- **Other Consequences:** Potential permanent ban from the data brokerage industry; mandated 20-year compliance monitoring.
- **Enforcement:** Ongoing monitoring by the FTC Bureau of Consumer Protection.
## Related Standards
- **NIST Privacy Framework:** Aligns with "Data Processing Management" and "Inventory and Mapping."
- **ISO/IEC 27701:** Privacy Information Management System (PIMS) requirements for data processors.
- **FTC Section 5:** Prohibition of "unfair or deceptive acts or practices."
## Resources
- **Official Documentation:** ftc[.]gov/legal-library/browse/cases-proceedings/ftc-v-kochava-inc
- **Guidance Documents:** FTC Blog: "Location, health, and other sensitive information"
- **Tools:** IAB Transparency and Consent Framework (TCF) for AdTech compliance.
## Practical Recommendations
1. **Stop Selling Raw Feeds:** Move away from raw latitude/longitude feeds to aggregated "audience segments" to reduce liability.
2. **Audit Third Parties:** If you buy data, verify the *source* of the consent; "contractual warranties" of consent from a vendor are likely insufficient under this new FTC standard.
3. **Draft a Retention Policy:** Explicitly define how long location data is kept and ensure automated deletion scripts are functional.