Kochava, an Idaho-based data broker, is currently embroiled in a federal lawsuit with the Federal Trade Commission (“FTC”) that has the potential to redefine the legal bounds of the data sharing and data brokering industries.  Privacy World immediately reported on the FTC v. Kochava, Inc. case the day after the FTC filed its motion for a preliminary injunction in August.  Notably, the Commission approved the complaint against Kochava in a 4-1 vote, with now former Commissioner Noah Phillips voting no. In the intervening months, the parties have fully briefed a motion to dismiss, which comes before the Idaho District Court for a hearing on February 21, 2023.

The case centers on the question of whether Kochava’s potentially unrestricted sale of precise consumer geolocation data constitutes an illegal, unfair business practice.  In some ways, the FTC’s interest in Kochava is unusual.  There is no omnibus federal privacy law for the FTC to enforce.  Instead, the FTC has the ability to enforce privacy violations through Section 5 of the FTC Act.  A typical FTC consumer protection case might seek to prevent fraud, scams, identity theft, false advertising, or anti-competitive behavior.  Recently, however, the FTC has broadened the scope of its enforcement activities to patrol for commercial practices that create data privacy and/or cybersecurity concerns.

Privacy World has previously covered the fact that the FTC has made securing data privacy a top priority in recent years.  This trend is evident at least since 2021 where, for example, the FTC issued a policy statement urging health apps to notify consumers of data breaches.  The FTC put the policy stance into action that same year by suing and settling with Flo Health, a fertility tracking app that allegedly shared sensitive health data with third parties.  Since that time, the FTC has continued to address data privacy issues, from curtailing  illegal commercial surveillance practices to bringing an enforcement action against a business that purportedly failed to implement reasonable information security practices to protect consumer information even after multiple security breaches.

The Kochava case not only aligns with the FTC’s increasing interest in data privacy and cybersecurity, but also serves to further recent federal policy initiatives.  One to note is the Biden Administration’s executive order addressing security concerns over the disclosure of sensitive health-related data.  This federal policy at first seems entirely disconnected from Kochava, which is not an app focused exclusively on health.  But, as the FTC explains in its complaint, Kochava’s brokerage of “precise geolocation data” makes it possible to track consumers to sensitive locations such as “places of religious worship … domestic abuse shelters,” and “medical facilities, and … women’s reproductive health clinics.”

This intrusion into a consumer’s private life without the proper controls over access and use, the FTC claims, constitutes an illegal and unfair business practice.  The FTC’s logic focuses on three main issues: (1) sensitive personal information is of heightened concern and has the potential to injure consumers; (2) consumers cannot avoid injury based on Kochava’s lack of safeguards on control and use; (3) and the actions of Kochava are likely to cause substantial injury to consumers that the consumers cannot reasonably avoid and the injury is not outweighed by the countervailing benefits to consumers or competition.  These three key points, the FTC contends, is all that is necessary to state a claim for “unfair business practices.”

Kochava, in turn, claims that the FTC’s approach oversimplifies the concept of an unfair business practice.  In addition to the above three elements, Kochava claims that the FTC must show that (1) Kochava violated a predicate law or statute; (2) Kochava’s activities violate public policy; and (3) Kochava’s conduct is unethical or oppressive.

On October 28, 2022, Kochava filed a motion to dismiss arguing that the FTC failed to satisfy these requirements. In fact, the FTC’s interpretation of “unfair business practices” deviates so substantially from current law, argues Kochava, that it raises several constitutional issues.  Firstly, Kochava claims that the FTC’s enforcement action violates Kochava’s procedural due process rights because Kochava did not have fair notice that its activities might constitute unfair business practices.  Second, Kochava argues that the FTC’s novel interpretation of “unfair business practices” is effectively the creation of a new law.  The FTC, Kochava continues, does not have the constitutional authority to create new law, rather its authority is limited to simply interpreting existing law and promulgating administrative rules and regulations.  Finally, Kochava claims that there is not an ongoing harm to remedy with an injunction. The geolocation data at the center of the dispute, Kochava explains, has not been available for sale since June 2022, and will not be available for purchase in the future.

The FTC filed a response to the motion to dismiss on November 18, 2022 in support of its complaint, and Kochava filed its reply on December 2, 2022 reiterating the deficiencies highlighted in its motion to dismiss.

Based on FTC trends, Kochava appears to be on thin ice.  Unfair business practices may be but are not required to be explicitly defined to be a violation of Section 5 of the FTC Act.  For the last 60 years the Commission has analyzed the following three criteria to determine whether an act or practice violations the prohibition against consumer unfairness:

(1) whether the practice, without necessarily having been previously considered unlawful, offends public policy as it has been established by statutes, the common law, or otherwise-whether, in other words, it is within at least the penumbra of some common- law, statutory, or other established concept of unfairness; (2) whether it is immoral, unethical, oppressive, or unscrupulous; (3) whether it causes substantial injury to consumers (or competitors or other businessmen).

Statement of Basis and Purpose, Unfair or Deceptive Advertising and Labeling of Cigarettes in Relation to the Health Hazards of Smoking, 29 Fed. Reg. 8324, 8355 (1964).  Injury to the consumer, by itself, may be sufficient to warrant a finding of unfairness. The injury “must be substantial; it must not be outweighed by any countervailing benefits to consumers or competition that the practice produces; and it must be an injury that consumers themselves could not reasonably have avoided.” FTC Policy Statement on Unfairness.  The public policy criteria is less important and usually used to support a finding of consumer injury, but the Commission considers outside statutory policies and judicial principles in determining whether conduct harms a consumer.  Finally, the “immoral” criteria is usually duplicated in the finding that the practice injures consumers or violates public policy, and the Commission focuses on the first to criteria for finding unfairness.

Applied here, the FTC’s argument is that Kochava’s collection and use of sensitive personal information (precise geolocation) results in substantial injury, which the consumer’s cannot avoid because of Kochava’s own unclear data practices.  Further, the FTC may point to recent state-level omnibus privacy laws that specifically address sensitive personal information, as well as previous FTC orders, to conclude that Kochava’s data practices violate public policy.  Finally, the FTC will likely conclude that the “immoral” criteria is met in part by the proof of consumer injury and the violation of public policy.  This is most certainly an enforcement action to be tracked.

The District Court for the District of Idaho will have an opportunity to confront the FTC and Kochava’s competing arguments at a hearing on February 21, 2023.  In the meantime, Privacy World will be there to keep you appraised of developments both in this case and in the data privacy world more broadly.