Idaho Judge Denies Kochava's Motion to Dismiss FTC's Privacy Complaint
U.S. District Judge Lynn Winmill for the District of Idaho in Coeur d’Alene denied Kochava’s motion to dismiss the FTC’s first amended complaint in a privacy lawsuit over geolocation data, said his signed order Saturday (docket 2:22-cv-00377).
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The FTC sued Kochava in August 2022 for allegedly selling “vast amounts of ‘highly granular’ personal information about millions of people in a format that is essentially nonanonymized,” said the order. The data can reveal a person’s religious affiliations, sexual orientation, medical conditions, and “much more,” and by selling that data, Kochava “arguably invades consumers’ privacy and exposes them to significant risks of secondary harms.” The FTC seeks an injunction enjoining Kochava from acquiring consumers’ geolocation data associated with unique persistent identifiers that reveal consumers’ visits to sensitive locations and selling it in a format that allows entities to track their movements.
In denying Kochava’s motion to dismiss, the FTC has stated a “plausible claim under Section 5(a) of the FTC Act,” Winmill said. The FTC’s amended complaint “significantly expands the factual allegations” in its original complaint, “and it easily satisfies the liberal plausibility standard,” said the order. Kochava’s “practice of selling vast amounts of data about mobile device users may violate Section 5(a) by depriving consumers of their privacy and exposing them to significant risks of secondary harms,” it said.
The amended complaint focuses on four Kochava data products: geolocation data, the Database Graph, the App Graph and audience segments, said the order. Though the data is contained in separate collections, it “is not anonymized and is linked or easily linkable to individual consumers,” said the amended complaint. A customer could identify a woman visiting a particular building and without mining other data sources, know her name, email and home addresses, race, whether she’s a parent and if she has “an app identifying symptoms of cancer on her phone,” it said.
The FTC alleges Kochava’s data harms consumers by putting them at an increased risk of suffering “secondary harms, such as stigma, discrimination, physical violence, and emotional distress,” and by invading their privacy. The agency has alleged facts sufficient to proceed under both theories, the order said.
Kochava doesn’t just sell “bits and pieces” of data that are available through other lawful means; instead, it sells “comprehensive, aggregated collections of raw and synthesized data designed to give its customers a '360-degree perspective’ on the unique traits of millions of individual device users,” said the order. This alleged invasion of privacy “constitutes a ‘substantial injury’ to consumers,” it said.
Kochava emphasizes that its data only “inferentially reveals information about device users,” and the court previously noted that inferences based on geolocation data alone “can be unreliable,” said the order. “But that conclusion is less applicable to the allegations in the FTC’s Amended Complaint,” it said. In the FTC’s new allegations, “Kochava itself makes inferences about consumers, rather than simply providing raw data from which its customers could make inferences,” it said.
Those inferences “are generally more reliable than inferences drawn solely from geolocation data,” said the order. Data revealing a device user’s regular use of an app designed to track and manage cancer treatments “leaves little to the imagination,” it said.
Kochava "expected today's ruling and we are confident we will prevail on the merits," said CEO Charles Manning in an emailed statement Tuesday. "This case is really about the FTC attempting to make an end-run around Congress to create data privacy law. The FTC’s salacious hypotheticals in its amended complaint are mere scare tactics," Manning said. Kochava "has always operated consistently and proactively in compliance with all rules and laws, including those specific to privacy," he said. Prior to the FTC's action, Kochava announced Privacy Block, "a sensitive location blocking solution" that has blocked over 2.1 million locations from its data products "on an ongoing basis," he said. "Never in a million years did we imagine that as a small, law-abiding company we’d find ourselves in the ring on behalf of an entire industry," he said. "We’re here, we have the truth in our corner, and we’re in it to win it. We look forward to proving our case.”