The Federal Trade Commission has reached a settlement with Kochava and its Collective Data Solutions subsidiary that prohibits the company from selling sensitive consumer location data, establishes data retention and deletion requirements, and mandates the deletion of historical sensitive location datasets already collected. The action resolves an FTC lawsuit filed in 2022 and represents the most substantive regulatory enforcement action against the mobile location data broker industry to date.
What the Settlement Requires
Permanent ban on sensitive location data sales: Kochava’s Collective Data Solutions subsidiary is permanently prohibited from selling, licensing, or otherwise monetising precise location data that reveals consumers’ visits to sensitive locations — including healthcare providers, abortion clinics, addiction treatment facilities, reproductive health centres, houses of worship, political rally locations, and labour union meetings.
Data deletion obligation: Kochava must delete existing datasets containing the prohibited sensitive location data. The deletion requirement extends to historical data that was collected prior to the settlement but retained.
Consent requirements for future data: Future location data collection and monetisation requires explicit, informed consumer consent that clearly discloses how the data will be used — consistent with the FTC’s “consent decree” approach.
No monetary penalty: The settlement does not include financial penalties, which the FTC characterised as the result of remediation cooperation and the structural prohibition being the primary enforcement goal.
Why This Settlement Matters
Kochava is not the largest actor in the location data broker industry — it is mid-sized relative to companies such as Veraset, Safegraph, X-Mode, and Near Intelligence. However, the settlement establishes several precedents:
Precise location data as inherently sensitive: The FTC’s theory of harm — that selling precise location data (described in the complaint as “within 10 meters”) without consent constitutes an unfair act — establishes that precision is a material factor in location data regulation. Data that reveals specific building-level visits to healthcare providers is categorically different from city-level or zip-code-level data.
Location data enabling discrimination and harm: The FTC’s complaint documented specific harms enabled by the Kochava dataset: the ability to identify consumers who visited abortion clinics (with implications in states where abortion has been criminalised), identify individuals attending mental health providers (with employment and insurance discrimination potential), and identify members of specific religious communities.
Broker accountability for downstream use: The settlement’s scope extends to Kochava’s role as a data broker — not just as a data collector — establishing that brokers are accountable for the end uses of data they sell even when they do not directly use the data.
Implications for Organisations Using Location Data
Advertising technology: Companies purchasing location audience segments from data brokers should review their data supply chain to confirm that sensitive location categories are excluded from purchased datasets. The FTC’s theory of harm applies to data buyers as well as sellers under FTC Act Section 5.
Retail and footfall analytics: Organisations using mobile location data for store visit attribution, competitive intelligence, or retail analytics should assess whether their data providers comply with the consent requirements the settlement establishes.
Financial services and insurance: Some organisations use location data for fraud detection and risk scoring. Location data use in these contexts is likely to face increasing regulatory scrutiny — assess whether the fraud detection benefit justifies the regulatory exposure.
UK and EU context: The settlement aligns with GDPR’s treatment of location data as sensitive data under the UK ICO’s guidance and EU regulatory frameworks. Organisations operating in both US and European markets should treat the FTC enforcement position as convergent with their existing GDPR obligations rather than as a distinctly US concern.
Share this article