FTC Bans Kochava from Selling US Location Data Without Consent

The Federal Trade Commission announced a settlement with data broker Kochava and its subsidiary Collective Data Solutions (CDS) that prohibits them from selling or sharing precise geolocation data of U.S. consumers without explicit, informed consent. The action follows an FTC investigation that alleged the firms harvested location signals from mobile apps and sold them to third parties, enabling highly accurate tracking of individuals.

Kochava aggregated GPS coordinates, Wi‑Fi timestamps, and cell‑tower triangulation data, then packaged them into “location‑of‑interest” datasets sold via an API to advertisers, data‑analytics firms, and risk‑assessment services. The data included timestamps down to the second and coordinates with sub‑meter accuracy, which could be used to infer home addresses, medical appointments, and political gatherings. The FTC’s complaint highlighted that the firm’s privacy policy lacked clear opt‑in mechanisms and that it failed to honor do‑not‑sell requests.

Under the settlement, Kochava and CDS must implement a consumer‑consent gateway, conduct quarterly audits of data flows, and delete any previously collected location data within 90 days. They also face a civil penalty of $5 million and are required to disclose any future data‑sharing agreements to the FTC. The FTC noted that this case sets a precedent for enforcement under Section 5 of the FTC Act regarding deceptive data practices, especially for data brokers that operate at scale.

Privacy advocates praised the decision, saying it signals stronger oversight of the $12 billion location‑data market. Security researchers warn that even with the ban, residual risks remain because location data can be re‑identified from anonymized datasets. The FTC has pledged to continue monitoring data brokers and to issue guidance on compliant consent mechanisms for geolocation data.