Court Dismisses FTC Complaint Against Data Broker Kochava – Source: www.databreachtoday.com

Governance & Risk Management
,
Legislation & Litigation
,
Privacy

Ruling Leaves Door Open for a Revised Lawsuit

Marianne Kolbasuk McGee (HealthInfoSec) •
May 4, 2023    

An Idaho federal court dismissed the U.S. Federal Trade Commission’s lawsuit against data analytics vendor Kochava in a bid by the agency to permanently stop the company from selling geolocation data collected from mobile devices.

See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources

The court said the FTC can file an amended complaint with a strengthened argument against Kochava within 30 days. The agency in a statement to Information Security Media Group on Friday said it is “pleased the Court agreed with a number of our arguments and we look forward to continuing to press our case on behalf of American consumers.”* An attorney representing Kochava did not respond to ISMG’s request for comment.

In a 35-page ruling Thursday, U.S. District Judge B. Lynn Winmill said the FTC failed to sufficiently allege consumer harms.*

“The FTC asks the Court to simply infer that consumer injury is probable from its assertion that Kochava is disclosing ‘sensitive information’ about device users,” Winmill wrote. “The FTC must go one step further and allege that Kochava’s practices create a ‘significant risk’ that third parties will identify and harm consumers.”

The FTC in its lawsuit filed last August against Idaho-based Kochava said the company invades consumers’ privacy by selling advertisers geolocation data sets of mobile phone holders tied to a unique ID (see: FTC Sues Firm That Collects, Sells Sensitive Location Data).

That information could be used to identify individuals who have visited abortion clinics, mental health providers and other sensitive locations, the agency said.

Kochava filed its own lawsuit in the same Idaho federal court weeks before the FTC’s action, as a bid to preemptively counter the federal agency (see: Lawsuit Against FTC Intensifies Location Data Privacy Battle).

The company also filed a motion last October to dismiss the FTC’s lawsuit.

Winmill wrote in her Thursday ruling that nothing prevents the FTC from asserting that an invasion of privacy by itself can constitute a legitimate cause for suing. The agency failed, he said, by not establishing that Kochava’s business practices constitute substantial injury to consumers.

“The privacy concerns raised by the FTC are certainly legitimate. Disclosing where a person has been every fifteen-minutes over a seven-day period could undoubtedly reveal information that the person would consider private, such as their travel habits, medical conditions, and social or religious affiliations,” he wrote.

But the data that Kochava sells “is not, on its face, sensitive or private.” Instead, the information that the FTC highlights as sensitive, such as medical conditions revealed by repeated trips to a specialist physician, depends on inferences made from geolocation data. “But inferences are often unreliable.”

For example, geolocation data set showing repeat trips to an oncology clinic might reveal a cancer patient or the family member of a cancer patient or a medical professional, Winmill wrote.

The judge also said the geolocation data can be obtained through other means, such as following an individual’s movements. “Privacy interests in the kind of location data Kochava sells are therefore weaker than, for example, privacy interests in confidential financial or medical information which is not otherwise publicly accessible.”

The FTC also didn’t indicate how many device users’ privacy interests might be affected by Kochava.

“The FTC claims only that third parties could tie the data back to device users; not that they have done so or are likely to do so.”

The court’s decision serves as a reminder “that Congress has given the FTC very constrained and antiquated tools that limit its ability to tackle emerging privacy concerns,” said Daniel Kaufman, former acting director of the FTC’s Consumer Protection Bureau, currently a regulatory attorney at law firm BakerHostetler.

The FTC brought this case asserting that Kochava had engaged in unfair practices and to show that a practice is unfair, the FTC has to demonstrate that the practices cause or are likely to cause substantial consumer injury, he tells ISMG.

“That is not an easy standard to meet in many privacy cases and the Court essentially says that. The Court notes that the ‘privacy concerns raised by the FTC are certainly legitimate’ but that is of course not the legal test and therefore the Court dismisses the complaint.”

*Update May 5, 2023 13:03 UTC: Adds statement from Federal Trade Commission.

*Correction May 5, 2023 13:34 UTC: We previously referred to Judge B. Lynn Winmill by the wrong pronoun. Judge Winmill is a he. We regret the error.