The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Federal Court Dismisses FTC Complaint Against Kochava

A complaint filed by the Federal Trade Commission (FTC) against the mobile app attribution and analytics company, Kochava, has been dismissed by a federal judge, although the door has been left open for a revised complaint that makes stronger arguments that the actions of Kochava have caused harms to consumers.

The FTC’s lawsuit against Kochava, filed in August 2022, alleged the company was selling the geolocation data of consumers gathered from their mobile phones without their knowledge. The geolocation data is tied to each individual user by a unique ID associated with their device. The FTC argued that the geolocation data could be used to identify individuals who had visited sensitive locations such as abortion clinics, mental health treatment centers, places of worship, and other sensitive locations. For example, the data sold by Kochava could be used to identify women who traveled from an anti-abortion state to a state where abortion is illegal, allowing those women to be prosecuted as well as the individuals that helped them have an out-of-state abortion. The FTC lawsuit alleged Kochava had engaged in unfair and deceptive business practices, in violation of the FTC Act. Kochava was aware that a lawsuit would likely be filed by the FTC and attempted to preempt it by filing its own lawsuit then sought to have the FTC lawsuit dismissed. Those efforts have been partially successful.

At this early stage of the litigation, the question that needed to be answered by the court was whether the FTC had stated a plausible claim against Kochava. Idaho District Judge B. Lynn Winmill said in his ruling that the privacy concerns raised by the FTC in the complaint were certainly legitimate and that the FTC’s theory that consumers could suffer an injury as a result of the sale of their data was certainly plausible. Judge Winmill agreed that individuals would be at risk of secondary harms but said the FTC failed to point to any specific examples of harms that have been caused, only stating a risk of secondary harms. The FTC failed to attach any degree of probability to the risks. While there is certainly a risk that geolocation data could be used to target individuals, the mere possibility of injury is not sufficient to allow the lawsuit to proceed.

The FTC argued that the invasion of privacy alone constitutes an injury, and while that is true, in this case, the privacy violation was not determined to be sufficiently severe to meet the threshold for injury. Specifically, because Kochava has not been accused of selling or disclosing private information, only selling data from which private information may be inferred from the presence of an individual in or near a sensitive location. The geolocation data does not indicate an individual has received a specific service or visited a location for a specific purpose and inferences are often unreliable. Further, location information could be obtained through legal means, such as observing a person visiting a sensitive location and then obtaining the individual’s address from public records. Finally, the FTC’s lawsuit would need to state, at least approximately, how many individuals could suffer privacy violations as a result of the sale of the data by Kochava. The FTC failed to state how many people are likely to be injured.

Get the FREE
HIPAA Compliance Checklist

Delivered via email so please ensure you enter your email address correctly.

Your Privacy Respected

HIPAA Journal Privacy Policy

While the complaint was dismissed, Judge Winmill agreed that consumers have no reasonable way of avoiding potential harms that are caused as a result of Kochava’s business practices and that any benefits that come from the sale of the data do not outweigh the harms that can be caused. The FTC has been given a further 30 days to refile the lawsuit with strengthened arguments that the privacy violations will likely cause substantial injury to consumers.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.


Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist