FTC Bans Kochava From Selling Location Data Tied to Clinics

The Federal Trade Commission finalized a settlement barring data broker Kochava and its subsidiary from selling sensitive location data without explicit consumer consent. The order, filed May 4 in U.S. District Court for the District of Idaho, ends nearly four years of litigation over allegations the company sold geolocation data from hundreds of millions of mobile devices.

Under the terms, Kochava and Collective Data Solutions (CDS)—which took over Kochava's data broker operations—can no longer sell, license, or share precise location data unless consumers provide affirmative express consent and the data supports a service the consumer directly requested.

What Kochava Was Selling

The FTC's original complaint, filed in August 2022, alleged Kochava's products allowed clients to track individual movements to sensitive locations. The list included reproductive health clinics, mental health and addiction recovery facilities, places of worship, and shelters for homeless and domestic violence survivors.

According to the FTC's case filing, the company marketed its location intelligence platform as delivering "94 billion+ geo transactions per month" across "125 million monthly active users." Clients accessed the data through Amazon Web Services for a $25,000 subscription fee.

The implications were stark. In a post-Dobbs environment where abortion access varies by state, geolocation data showing visits to reproductive health clinics could theoretically be used to identify and target individuals. The same logic applies to addiction treatment—data that insurers or employers might find valuable for discrimination purposes.

Settlement Requirements

The order imposes operational restrictions beyond the consent requirement. Kochava and CDS must:

• Establish a sensitive location program to identify and manage data tied to sensitive locations
• Vet data suppliers for proper consent documentation before incorporating their data
• Allow consumer data requests—anyone can ask which businesses received their location data
• Provide easy consent withdrawal for ongoing data sales
• Create data retention schedules with mandatory deletion timeframes
• Report incidents to the FTC when third parties misuse location data

The Commission approved the stipulated final order with a 2-0 vote.

Why This Matters

Most consumers never consented to location tracking at the level Kochava enabled. The FTC stated that affected individuals "were unaware of and had not consented to the data sharing," creating risks of "stalking, discrimination, and physical violence."

This case mirrors concerns raised in the Infutor data broker breach we covered in March. Data brokers aggregate information about people who've never directly interacted with these companies. When that data includes precise location history, the privacy implications intensify dramatically.

The settlement arrives as regulators increasingly scrutinize the data broker industry. Location data specifically has drawn attention because it reveals behavioral patterns—where people work, worship, seek medical care, and spend their time—with a precision that static demographic data can't match.

The Consent Standard

The "affirmative express consent" requirement represents a higher bar than typical data broker practices. Generic app permissions or buried privacy policy disclosures won't qualify. Consumers must actively agree to location data sales for specific purposes.

This matters because most location data flows through SDK integrations in mobile apps. Users might accept location permissions for map functionality without realizing their movements would be packaged and sold to marketing platforms, law enforcement agencies, or anyone willing to pay. As we noted during Data Privacy Week 2026, controlling personal information has become a full-time job few people have time for.

For organizations evaluating their data supply chains, the settlement signals that FTC enforcement will extend to downstream purchasers who should have known their data sources lacked proper consent.

What Users Can Do

If you're concerned about location data exposure, basic privacy practices help but don't eliminate risk entirely:

• Review app location permissions and restrict to "While Using" rather than "Always"
• Audit which apps actually need location access
• Consider disabling advertising IDs on iOS (Settings > Privacy > Tracking) and Android (Settings > Privacy > Ads)
• Remember that even careful users can appear in aggregated datasets through others' devices

The Kochava settlement won't stop location data collection—it establishes consent requirements that should have existed from the start. Whether those requirements actually change industry practices depends on enforcement follow-through and whether companies decide consent friction outweighs the revenue.

For more coverage of regulatory actions and cybersecurity enforcement, see our latest news.