FTC sues data broker for letting people track health clinic visitors

The Federal Trade Commission has sued app analytics firm Kochava for selling sensitive geolocation data, including details that could unmask people seeking or performing abortions.

The lawsuit claims Kochava failed to add basic privacy protections to its location data, much of which is collected from phones without the owners’ knowledge. “Kochava’s data can reveal people’s visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities,” the FTC said in a press release. “By selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence.” The agency demands Kochava cease selling sensitive data and delete any such information it’s collected.

The suit follows an FTC promise to crack down on medical location data sharing, a widespread issue that’s become particularly fraught after the demise of Roe v. Wade. Outlets, including Motherboard, have reported on data brokers selling cheap access to geolocation data around reproductive health clinics — something that could compromise visitors’ privacy and open them up to harassment or legal action. Following pressure from Sen. Elizabeth Warren (D-MA) and others, data brokers SafeGraph and Placer.ai committed to ending the practice, and Google said it would automatically delete visits to clinics and other sensitive locations.

But the FTC says Kochava made it easy, and in some cases free, to track down sensitive data. While the company’s services typically cost thousands of dollars, it also offers a free trial with “minimal steps and no restrictions on usage.” According to the complaint, that sample let the FTC identify a visitor to a women’s reproductive health clinic, then tie it to a home address that would likely expose the visitor’s identity. In another case, it identified a phone whose owner spent the night in a shelter for at-risk pregnant women or new mothers. The agency calls on Kochava to add safeguards around sensitive locations, something it says could be done at a “reasonable” cost.

Kochava disputed the allegations in a statement. “Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy,” said general manager Brian Cox. “For the past several weeks, Kochava has worked to educate the FTC on the role of data, the process by which it is collected, and the way it is used in digital advertising. We hoped to have productive conversations that led to effective solutions with the FTC about these complicated and important issues and are open to them in the future. Unfortunately the only outcome the FTC desired was a settlement that had no clear terms or resolutions and redefined the problem into a moving target.”

Update August 29th, 5:45PM ET: Added statement from Kochava.