FTC, Kochava data broker lawsuit puts U.S. privacy laws to the test

FTC, Kochava data broker lawsuit puts U.S. privacy laws to the test

Now here’s a Federal Trade Commission lawsuit that the public can get behind—even if the case doesn’t ultimately go in the agency’s favor.

FTC officials on Monday sued one of the nation’s larger data brokers, Kochava, alleging the Idaho-based company has violated federal law by acquiring and selling data that tracks consumers’ precise movements through their mobile phones. Agency lawyers said in a complaint that Kochava’s customers can use the data to identify the addresses of tens of millions of people, as well as their visits to sensitive locations (medical offices, domestic violence shelters, places of worship, etc.).

The lawsuit comes after the FTC board’s new Democratic majority, led by Chair Lina Khan, filed the agency’s first blockbuster case since gaining power, claiming that Facebook parent Meta’s planned acquisition of an up-and-coming virtual reality fitness app violates federal antitrust laws. While Big Tech foes cheered the action, some legal analysts said the case rested on weak legal arguments, and Bloomberg reported that Khan overruled staff members who opposed the lawsuit. Several prominent entrepreneurs also argued that the Meta lawsuit, if successful, would chill investment in innovative companies.

Compared with the Meta case, the FTC’s political pretext for its strike against Kochava is certainly stronger.

The $200 billion–plus data broker industry fundamentally puts profits over privacy—and Americans aren’t happy about it. A poll last year of about 2,000 registered voters by Morning Consult found 83% of respondents believed privacy legislation should be a “top” or “important, but lower” priority for Congress. Four in five respondents said they believed it was “very” or “somewhat” important to include geolocation data in any new privacy laws.

This year, Congress has responded. Legislators have spent the past several months haggling over comprehensive privacy legislation, with a House committee approving a sweeping, bipartisan bill, known as the American Data Privacy and Protection Act, by a 53–2 vote in July. The legislation would limit commercial entities’ ability to collect and use wide swaths of data, while also adding new transparency requirements for data collectors. (The bill still faces big hurdles in the Senate, where some influential members argue the legislation is too weak and overrides stronger state privacy protections.)

But similar to the Meta lawsuit, the FTC is treading on potentially shaky legal terrain in its crusade against Kochava.

The FTC’s lawyers argue that Kochava is violating federal law that prohibits “unfair or deceptive acts or practices in or affecting commerce.” 

To prove this, the FTC must show that Kochava “causes or is likely to cause substantial injury to consumers.” In its complaint, the FTC argues that Kochava’s sale of data “poses an unwarranted intrusion into the most private areas of consumers’ lives,” which constitutes a “substantial injury.” 

FTC lawyers offer one specific example of harm, citing a publicly available sample of Kochava data that traces a device to a women’s reproductive health clinic and a single-family home. FTC officials also include a few hypothetical examples of Kochava customers using the data to connect home addresses with religious facilities and shelters for vulnerable people. 

However, the FTC doesn’t provide any concrete examples of how a Kochava customer’s knowledge of a mobile device owner’s movements led to physical harm, monetary losses, reputational injury, or embarrassment. 

While it’s easy to imagine all sorts of unwanted fallout from misused or widely published tracking data, a judge might be more interested in actual examples of harm. If the FTC doesn’t provide them, a judge could have to decide whether the privacy implications of mobile data sharing alone causes “substantial injury” to consumers, or if the potential harm tied to Kochava’s business practices meets the “likely to cause substantial injury” standard. (Kochava argued in a preemptive legal filing last month that it “does not uniquely identify users” and invited customers to participate in a new feature that “blocks the sharing of health service locations.”)

The FTC also must prove that the substantial injury is not “reasonably avoidable by consumers themselves”—a point on which Kochava could make a decent case.

As Kochava officials wrote in last month’s legal filing, mobile phone and app users can opt out of tracking features. While many consumers aren’t aware of those choices and tech companies often make it difficult to opt out of monitoring, that isn’t Kochava’s fault.

“The consumer agreed to share its location data with an app developer,” Kochava’s lawyers wrote. “As such, the consumer should reasonably expect that this data will contain the consumer’s locations, even locations which the consumer deems is sensitive.”

The FTC could very well lose its case against Kochava on legal grounds. At least this time, though, the court of public opinion should rule overwhelmingly in the feds’ favor.

Want to send thoughts or suggestions for Data Sheet? Drop me a line here.

Jacob Carpenter

NEWSWORTHY

On second thought. A former Twitter executive’s claims of widespread security issues at the company are now part of Elon Musk’s case for backing out of a $44 billion deal to buy the outfit, Bloomberg reported Monday. The Tesla CEO’s lawyers submitted a filing that argued “egregious deficiencies” in the platform’s security and privacy protocols, including those outlined last week by former Twitter head of security Peiter Zatko, constitute a breach of the merger agreement. Musk has previously tried to renege on the deal by arguing Twitter fails to accurately measure the prevalence of bots on its platform, claims that Twitter officials have refuted.

Beyond the console. Sony announced plans Monday to acquire Savage Game Studios and fold the developer into a newly created mobile gaming unit, TechCrunch reported. The effort will entail building mobile games off intellectual property tied to Sony’s PlayStation console. Savage Game Studios was founded in 2020 by three developers with extensive experience at some of the mobile gaming industry’s largest outfits, but the two-year-old group hasn’t produced any widely available titles to date.

A Bayou State battle. Tesla has filed a lawsuit challenging Louisiana’s law banning sales of vehicles directly to consumers, waging its latest legal battle against auto dealers and their supporters in state legislatures, the Wall Street Journal reported. The leading electric-auto maker argues the five-year-old statute violates protections for interstate commerce. Tesla has fought direct-sale laws in several states where auto dealerships have lobbied in favor of funneling auto purchases through independently owned operations.

What’s the holdup? Donald Trump’s Truth Social Android app remains unavailable in the Play Store because the platform hasn’t complied with Google’s policies surrounding content moderation, Axios reported Tuesday. The delay comes as multiple reports suggest Truth Social faces mounting financial and legal problems, some of which are holding up a planned merger with a special purpose acquisition company. Google officials said they notified Truth Social two weeks ago about several issues related to content moderation, while the platform’s CEO, former congressman Devin Nunes, has claimed Google is slow-walking approval.

FOOD FOR THOUGHT

A big red light. As Twitter considered whether to launch a competitor to adult-content colossus OnlyFans, a team of employees came to a startling conclusion: The platform remains incapable of identifying child sexual exploitation and nonconsensual nudity at scale. The Verge reported Tuesday that the episode highlighted Twitter’s long-standing problems with removing abusive content on the social media site, which lacks many of the tools used by Meta, Apple, Google, and other tech giants. The discovery of Twitter’s shortcomings came as employees tested a new project aimed at monetizing adult content posted by creators on the platform, which has historically been more permissive of pornography than other sites. Twitter officials previously flagged issues with spotting illegal sexual content in early 2021, but the recent exercise suggests company executives have not moved swiftly to address concerns.

From the article:

Before the final go-ahead to launch, though, Twitter convened 84 employees to form what it called a “Red Team.” The goal was “to pressure-test the decision to allow adult creators to monetize on the platform, by specifically focusing on what it would look like for Twitter to do this safely and responsibly,” according to documents obtained by The Verge and interviews with current and former Twitter employees.

What the Red Team discovered derailed the project: Twitter could not safely allow adult creators to sell subscriptions because the company was not—and still is not—effectively policing harmful sexual content on the platform.

IN CASE YOU MISSED IT

The Great Resignation forced U.S. companies to order a record number of robots, by Tristan Bove

‘Overpromised and underdelivered’: El Salvador’s Bitcoin bond delayed again, by Leo Schwartz

Auto insurance watchdog warns that one of the most important features of self-driving cars can fail to spot pedestrians at night, by Tristan Bove

Mark Zuckerberg’s dreams of building a super app are starting to come true, by Grady McGregor

Twitter launches new feature Twitter Circle, which basically sounds like a text-message chain, by Chris Morris

There’s a storm brewing in cloud computing—and most firms aren’t prepared for it, by Joe Atkinson

BEFORE YOU GO

Landing in hot water. Excusez-moi, is that a pool in your backyard? French authorities have been posing that question to thousands of homeowners in recent months as part of an A.I.-enabled crackdown on residents hiding their piscines from the taxman, the Washington Post reported Tuesday. While French homeowners are expected to notify tax officials after completing construction of a residential pool, software developed by Google and a Paris-based tech firm Capgemini helped authorities identify undeclared pools using aerial images of yards and local property databases. They’ve already tracked about 20,000 surreptitious pools to date, which will bring in nearly $10 million in additional tax revenue. Sneaky swimmers are drawing particular ire this summer in France, where record-high temperatures have led to drought conditions.

https://fortune.com/2022/08/30/ftc-lawsuit-data-brokers-kochava-privacy-mobile-tracking/