Commissioner Rebecca Slaughter had some free advice for anyone tuning in to the Federal Trade Commission’s virtual PrivacyCon event on Wednesday.
“Pay close attention to Kochava.”
The case against mobile attribution company Kochava is a case in point. It makes the commission’s stance on data collection perfectly clear – and highlights what should be a huge concern for the ad tech industry.
In the FTC’s view, selling or sharing information that a third party can use to identify someone could be enough to violate Section 5 of the FTC Act, which protects against unfair and deceptive business practices.
And a judge agrees.
The FTC v. Kochava
In early February, the federal district court in Idaho denied Kochava’s second attempt to dismiss the FTC’s lawsuit, which was originally filed in 2022 after Kochava refused to settle.
The FTC alleged that Kochava collected potentially sensitive geolocation data and made it available for sale to other companies through a marketplace.
According to that original suit, the data was being sold in a format that would allow companies to track consumers moving between sensitive locations, such as reproductive health clinics or places of worship.
Kochava filed a motion to dismiss the FTC’s case last year because it lacked specific examples of harm. That motion was granted, although only provisionally. The FTC was given 30 days to refile an amended suit that includes more supporting evidence of harm, which the commission did, and the case can proceed.
The FTC now needs to prove at trial that Kochava’s business practices are a violation of Section 5 and expose consumers to significant risk of secondary privacy-related harms, such as stigma, discrimination, physical violence and/or emotional distress.
“The court’s affirmation that we can act to stop injuries allows us to step in to protect consumers before they’re irreparably harmed,” Slaughter said. “I’m looking forward to watching this case closely.”
Browsing data is sensitive, ‘full stop,’ FTC says
In the meantime, the FTC’s broad definition of sensitive information should be setting off alarm bells for every ad tech company – as well as the fact that a court is on board with the FTC’s premise that disclosing sensitive information can be an unfair and potentially illegal business practice in and of itself.
Last week, FTC staff published guidance in a blog post summarizing the rationale behind its recent enforcement actions against “mass data collectors.” (The trio of X-Mode, InMarket and Avast.)
In that post, the FTC explicitly states that it considers all browsing and location data to be sensitive, “full stop.”
As the FTC points out, none of the companies it’s recently dinged for mishandling data were accused of collecting or selling personally identifiable information. There were no names in their data sets, no social security numbers – no typical PII.
Nothing Everything personal
But PII isn’t the issue.
Almost any data becomes sensitive if it can be re-identified and connected to an individual, and that includes what a person browses online.
So don’t be surprised when the FTC brings more cases against data brokers and companies whose business is monetizing consumer data. X-Mode, InMarket and Avast all recently reached settlement agreements with the FTC.
X-Mode, for example, was able to get very personal very quickly by associating location data with traditional identifiers. If someone’s phone was observed to dwell at a cardiologist’s office followed by a visit to the pharmacy and then a specialty infusion center, it’s not a leap to assume that person has a heart condition.
InMarket, meanwhile, was able to sort people into audience segments for advertising purposes based solely on their visits to certain locations: “Christian churchgoers,” “parents of preschoolers,” “low-income millennials” or “well-off suburban moms.”
And Avast collected and sold browsing data in a re-identifiable format, including specific searches for directions on Google Maps, cosplay erotica, government jobs in Fort Meade, Maryland, with a salary greater than $100,000 and the link to a French dating website (including a unique member ID).
And so, if a company has access to just one user’s browsing or location history – and nothing else – that information can be “highly revealing and used to re-identify that user with frightening ease,” said FTC Commissioner Alvaro Bedoya, also speaking at PrivacyCon.
“It’s easy to see how this data can harm people,” Bedoya said, “and the FTC and its staff will not wait for it to be associated with a traditional identifier before we move to protect that data.”
