FTC Bans Kochava from Selling Sensitive Location Data Without Explicit Consent

AIGovHub Editorial, May 6, 2026

What Happened: FTC Settlement with Kochava

On [date of settlement], the Federal Trade Commission (FTC) announced a settlement with data broker Kochava and its subsidiary CDS, banning them from selling sensitive location data without obtaining consumers' affirmative express consent. The settlement resolves a 2023 FTC complaint alleging that Kochava collected and sold precise geolocation data from hundreds of millions of mobile devices, enabling tracking of visits to sensitive locations such as houses of worship, health clinics, and shelters, in violation of Section 5 of the FTC Act prohibiting unfair or deceptive practices.

Under the proposed order, Kochava must:

  • Obtain consumers' affirmative express consent before selling or transferring any covered data (precise location data that could reveal sensitive locations).
  • Implement a sensitive location data program to identify and restrict the use of location data associated with sensitive locations.
  • Establish a supplier assessment program to verify that consent has been obtained from consumers whose data is collected by third parties.
  • Provide consumers with a list of entities that have purchased or received their covered data.
  • Report any third-party violations of the order to the FTC.
  • Create and maintain a data retention and deletion schedule.

Notably, the FTC did not impose a monetary fine. The settlement largely formalizes changes Kochava had already implemented as part of a prior class-action settlement, including stopping location data sales and creating an opt-out mechanism.

Why It Matters: Broader US Privacy Enforcement Trends

The Kochava settlement is part of a broader FTC crackdown on data brokers. Similar enforcement actions have been taken against InMarket Media, Outlogic, Gravy Analytics, and Mobilewalla. The FTC has also signaled potential new rules on commercial surveillance and data security, indicating increased regulatory scrutiny of location data privacy.

This action underscores the FTC's focus on geolocation data as particularly sensitive, especially when collected without meaningful consent. While no comprehensive federal privacy law exists in the US as of early 2025, the FTC is using its authority under Section 5 of the FTC Act to target unfair or deceptive data practices. The settlement also aligns with state-level privacy laws such as the California Consumer Privacy Act (CCPA)/CPRA, which gives consumers rights to know, delete, and opt out of the sale of their personal information, including precise geolocation data.

For businesses, the message is clear: the FTC considers the sale of sensitive location data without explicit consent to be an unfair practice, regardless of whether the data was originally collected with consent or not. The requirement for a supplier assessment program and ongoing monitoring of third-party compliance places responsibility on data brokers to verify consent throughout the data supply chain.

What Organizations Should Do: Practical Compliance Steps

Companies that collect, process, or share geolocation data should take the following steps to align with FTC expectations and emerging US privacy compliance standards:

  1. Review consent mechanisms: Ensure that any collection of precise location data is preceded by a clear, affirmative consent notice that explains how the data will be used and shared. Avoid pre-ticked boxes or implied consent.
  2. Implement data minimization: Collect only the location data necessary for the specific purpose disclosed to the consumer. Avoid collecting location data at a granularity that could reveal sensitive locations (e.g., clinics, shelters, places of worship) unless the consumer has explicitly consented.
  3. Conduct vendor due diligence: If you share location data with third parties (data brokers, analytics providers, ad networks), require contractual assurances that they have obtained valid consent and will notify you of any misuse. Consider using a vendor assessment program similar to Kochava's supplier assessment program.
  4. Establish a data retention schedule: Define and enforce retention limits for location data. Delete or anonymize data once the business purpose is fulfilled.
  5. Provide consumer transparency: Offer consumers a way to see which entities have received their location data and to withdraw consent. This aligns with CCPA/CPRA rights and FTC expectations.
  6. Monitor regulatory developments: The FTC's enforcement actions signal a trend toward stricter regulation of data brokers. Stay informed about state privacy laws (e.g., California, Virginia, Colorado, Connecticut) that may impose additional requirements on geolocation data processing.

For organizations managing multi-domain compliance across privacy, data governance, and regulatory change, platforms like AIGovHub provide integrated tools for tracking regulatory alerts, conducting vendor due diligence, and mapping policies to frameworks like CCPA, CPRA, and the FTC Act. The AIGovHub Vendor Marketplace also offers assessments of privacy and data broker compliance solutions.


This content is for informational purposes only and does not constitute legal advice.