VYPR
advisoryPublished May 5, 2026· Updated May 17, 2026· 1 source

FTC Bans Data Broker Kochava from Selling Sensitive Location Data

The Federal Trade Commission has finalized a settlement with data broker Kochava, prohibiting the company from selling precise geolocation data without explicit consumer consent following allegations that it tracked users to sensitive locations.

The Federal Trade Commission (FTC) has reached a settlement with data broker Kochava and its subsidiary, Collective Data Solutions (CDS), effectively banning the companies from selling or licensing precise geolocation data without obtaining explicit, affirmative consent from consumers BleepingComputer. This agreement concludes a legal battle initiated in August 2022, when the FTC first sued the Idaho-based firm for the unauthorized sale of sensitive movement data collected from hundreds of millions of mobile devices BleepingComputer.

The core of the FTC’s complaint centered on the granular nature of the data Kochava provided to its clients. Through a subscription service costing $25,000, the company offered access to a data feed via the Amazon Web Services (AWS) Marketplace, which it claimed included "rich geo data spanning billions of devices worldwide" BleepingComputer. The agency alleged that this feed, which processed approximately 94 billion geo-transactions per month, allowed third parties to track individuals to highly sensitive locations, including reproductive health clinics, mental health facilities, places of worship, and shelters for domestic violence survivors BleepingComputer.

According to the FTC, the affected consumers were never informed that their movements were being tracked and monetized, nor did they provide consent for such sharing. The agency argued that this lack of transparency left users vulnerable to significant real-world harms, such as stalking, discrimination, and physical violence BleepingComputer. While Kochava previously attempted to counter the FTC's claims by filing its own lawsuit and introducing a "Privacy Block" feature intended to filter out health-related locations, the final settlement imposes much stricter, legally binding requirements on the firm BleepingComputer.

Under the proposed order filed in the U.S. District Court for the District of Idaho, Kochava and its subsidiary are prohibited from selling or transferring precise location data unless the data is necessary for a service the consumer directly requested and the consumer has provided express consent BleepingComputer. Furthermore, the companies are mandated to establish a comprehensive sensitive location data program, implement a supplier assessment process to verify that consent was obtained, and provide consumers with mechanisms to withdraw consent or request information about who has received their data BleepingComputer.

The settlement also requires the companies to maintain a strict data retention and deletion schedule and to submit incident reports to the FTC if they discover that third parties have misused the location data BleepingComputer. This enforcement action is part of a broader regulatory crackdown by the FTC on commercial surveillance practices. Since 2024, the agency has secured similar bans against other major data brokers, including InMarket Media, Outlogic, Gravy Analytics, and Mobilewalla, signaling a sustained effort to curb the unauthorized monetization of consumer location history BleepingComputer.

Synthesized by Vypr AI
FTC Bans Data Broker Kochava from Selling Sensitive Location Data · VYPR