FTC Flexes Its Muscle in Suit against Kochava (But May Not Like the Results)

By , and on September 1, 2022

On August 29, 2022, the Federal Trade Commission (FTC) filed a lawsuit against Kochava, Inc. alleging that Kochava engaged in unfair and deceptive practices by selling the “precise location information” of consumers. This suit comes on the heels of the FTC’s announcement earlier this month that it would “crack down” on “commercial surveillance practices” and July’s warning that the agency would be exercising its enforcement authority against the “illegal” use and sharing of sensitive consumer data.


The FTC alleges that Kochava amassed a large amount of sensitive data by tracking the mobile advertising IDs from hundreds of millions of mobile phones, and that such data could be used to track people visiting abortion clinics, domestic abuse shelters, places of worship and other sensitive locations. The FTC then said that Kochava sold that data without first anonymizing it, allowing anyone who purchased the data to use it to track the movements of the mobile device users. The FTC wants to not only block Kochava from selling such data, but also require them to delete and destroy it. In its complaint, the FTC relied on the FTC Act’s general prohibition against “unfair and deceptive acts or practices” and alleged that the company unfairly sold the sensitive data.

Kochava, which beat the FTC to the courthouse and preemptively filed a lawsuit against the FTC prior to the FTC’s complaint, asserted that all of the location data came from third-party data brokers who obtained the information from consenting consumers. Despite the alleged consent, Kochava says it is in the process of implementing steps to remove health services location data from its database. Kochava argued that the litigation was the outcome of the FTC’s failed attempt to implement a vague settlement that had no clear terms and made the problem a moving target.

The Kochava suit brings to the forefront several competing policy considerations, the determination of which could shape the scope of the FTC’s enforcement authority for years to come. The first and foremost issue that the Kochava suit raises is whether the FTC has the authority to effectively impose a consent-based regime for the sale of sensitive consumer information when no federal law enforced by the FTC (other than the Children’s Online Privacy Protect Act (COPPA), which applies to data collected about children under 13) expressly provides for that requirement. While it is not uncommon for the FTC to take expansive views of its enforcement authority, that authority has been successfully challenged in recent years. (See AMG Capital Management, LLC v. FTC, which held that the FTC does not have the statutory authority to seek equitable monetary relief under Section 13(b) of the FTC Act).) Now, Kochava will test the FTC’s authority to regulate in the privacy space—and the FTC may not like the result.

In the unlikely event that Kochava were to litigate against the FTC all the way to the Supreme Court of the United States, Kochava might find a receptive audience. Using West Virginia v. Environmental Protection Agency as precedent, the Supreme Court could conclude that US Congress did not grant the FTC authority to regulate privacy issues because the FTC Act does not expressly mention privacy regulation as being within the ambit of the FTC’s authority. This would be a big problem for the FTC, which has visions of engaging in formal rulemaking on privacy and data security.

Weighing in favor of the FTC’s complaint is the fact that the FTC appears to be cracking down on the precise types of privacy concerns that the public has been focused on in the wake of Dobbs v. Jackson Women’s Health Organization. Since Dobbs, we’ve seen companies and private citizens go through great lengths to protect the need for increased sensitivity and privacy for the information regarding a person’s visit to an abortion clinic. The FTC argues that this is exactly that type of sensitive geographic information that it seeks to protect, no doubt acting on US President Joe Biden’s executive order following Dobbs, which instructed the FTC to take action to protect consumer privacy regarding reproductive health. While the president’s executive order may give those marching orders to the FTC, it does not expand the FTC’s legal authority nor give them new powers.

As a result, the Kochava action, which is consistent with the FTC’s view of its own enforcement authority in the privacy space, pits an issue of great public concern against the hard and fast statutory limits of the FTC’s authority as granted by Congress. While the likeliest outcome is a settlement that does not adjudicate that the FTC has the authority to regulate issues of privacy, Kochava is nonetheless worth watching. Kochava could either cement the FTC’s authority to regulate in the privacy space or severely limit the FTC’s authority to do so, which might actually be the exact catalyst that Congress needs to finally pass a federal privacy bill.

If you are currently facing an FTC investigation, please reach out to your regular McDermott lawyer or contact Lesli Esposito, Amy Pimentel or David Saunders with any questions.

Lesli Esposito
For more than 20 years, Lesli C. Esposito has helped clients around the globe navigate complex antitrust and consumer protection matters. She has deep experience handling government investigations, litigation, compliance, and global merger control on behalf of clients in diverse industries, including consumer products, retail, technology, pharmaceuticals, healthcare, telemarketing, oil and gas, mortgage lending and professional services. Read Lesli C. Esposito's full bio.

Amy Pimentel
Amy C. Pimentel advises clients on US and international data protection, privacy and cybersecurity. Her clients are diverse – spanning the health care/life sciences industries to big tech, media and consumer products, and ranging from Fortune 500 companies to early-stage start-ups. Amy is skilled at harmonizing requirements across jurisdictions and legal regimes to build practical, risk-based and business-focused global privacy and cybersecurity programs. She works with clients to understand their obligations under US federal and state laws, the growing body of international privacy laws and self-regulatory frameworks so that they can leverage and transfer data in a compliant way. Amy also manages large and complex cyber incidents by guiding clients through the phases of breach response and post-incident remediation. She has teamed with forensic vendors and other consultants to help clients investigate, remediate, mitigate and notify required parties. She has also teamed with her white collar and litigation colleagues to manage and respond to ensuing government investigationRead Amy C. Pimentel's full bio. 

David Saunders
David P. Saunders (CIPP/US, CIPM) is an experienced litigator who focuses his practice on privacy and cybersecurity matters. David helps clients mitigate and manage risks related to data privacy and cybersecurity, from counseling on compliance with privacy regulations and managing data incident responses, to navigating regulatory investigations and handling biometric and other privacy-related litigation. David works collaboratively with a diverse range of clients, from small business and pro bono clients to multinational Fortune 100 companies, understanding and advising on their data practices to provide guidance on the myriad issues that arise in today’s digital world. Additionally, David has experience conducting risk assessments, developing privacy programs, drafting privacy policies, performing due diligence for corporate transactions, planning around cross-border data transfers, negotiating vendor agreements and working with clients through data incident response. He regularly counsels on HIPAA, HITECH, GDPR, GLBA, CCPA and state law privacy obligations, including engaging with key rulemakers at the state level to advance clients’ interests. He has litigated and helped resolve matters related to data privacy and cybersecurity issues, including navigating potential and actual regulatory investigations. Read David P. Saunders's full bio. 





Ranked In Chambers USA 2022
US Leading Firm 2022