Peter A Clarke

Location data is very valuable for a whole range of businesses and law enforcement. One of the first things police do when they have a suspect in a serious crime is to review the location data of that person’s mobile phone. That has sunk many alibis. At the commercial level location data is very valuable as well. It is also very sensitive information. At its most granular tracking a person’s movements is a serious invasion of his or her privacy. And that is what the Federal Trade Commission alleged in its charges against Kochava, a data broker. The FTC sued Kochava in August 2022 for selling data that tracked people to reproductive health clinics, places of worship and other sensitive locations. To resolve the matter Kochava has consented to orders injuncting it from selling sensitive information.

The sale of data in the United States is a big industry and there is no equivalent in Australia in the private sector because of the Privacy Act and general regulation against the commodification of data for commercial gain.  But the technology is the same in Australia as in the United States.  And in the recent past the controls on data exchange have loosened.

This case is relevant in highlighting the importance of securing and not misusing tracking data.  Tracking data is not confined to mobile phones.  Technology now allows for tracking of fitness devices and other wearable items.  Modern cars have tracking devices.  There are strong controls within the Privacy Act relating to the use of such sensitive information.

The FTC media release provides:

The Federal Trade Commission will prohibit data broker Kochava and its subsidiary from selling, sharing or disclosing sensitive location data without consumers’ affirmative express consent to settle allegations the companies sold location data from hundreds of millions of mobile devices that could be used to trace the movements of individuals.   

The FTC sued Idaho-based Kochava in August 2022 alleging that its collection, use and disclosure of precise location data invaded consumers’ privacy by revealing their movements, including visits to sensitive locations such as health facilities and places of worship. The FTC alleged that because consumers were unaware of and did not consent to this data sharing, consumers had no way of avoiding the harm resulting from its collection and disclosure.

Under the proposed order resolving the FTC’s litigation, Kochava and its subsidiary,  Collective Data Solutions (CDS), which has taken over Kochava’s data broker business, will be prohibited from selling, licensing, transferring, sharing or disclosing sensitive location data in any products or services unless they obtain a consumer’s affirmative express consent and the data is used to provide a service directly requested by the consumer. The subsidiary and Kochava (if Kochava sells or uses precise location data) also are required to:

• • Establish and implement a sensitive location data program to develop a comprehensive list of sensitive locations to prevent the sale, transfer or disclosure of sensitive location data;
  • Implement a supplier assessment program designed to confirm that consumers have provided consent for the collection and use of all location data obtained by the subsidiary or Kochava;
  • Submit incident reports to the FTC when the companies determine a third party shared consumers’ precise location data in violation of contractual requirements;
  • Allow consumers to request the names of any business or individual to which CDS or Kochava has knowledge that consumers’ precise location data was sold, and provide consumers with an easy way to withdraw consent for the sale of their device’s precise location data; and
  • Create a data retention schedule that will require the deletion of data on an established timeframe.