On August 29, the Federal Trade Commission announced it had filed a landmark lawsuit against data broker Kochava for “selling geolocation data from hundreds of millions of mobile devices” that can be used to trace individuals’ time-stamped movements to sensitive locations. These include reproductive health clinics, places of worship, addiction recovery centers, and shelters for the unhoused and survivors of domestic violence. Kochava, the FTC alleges, “is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence.”
In response, the Idaho-based company claims that it “operates consistently and proactively in compliance with all rules and laws, including those specific to privacy.” In other words, Kochava relied on a core defense in the data broker playbook: Well, it’s legal.
But this is like saying you’ve read every book on the subject when all that’s been written is a waiting-room brochure. In a colossal failure of US policymaking—and, in many cases, a product of deliberate attempts to undermine or neglect marginalized people’s privacy—the US has weak privacy laws in general. Very few laws in the US even relate to data brokers, let alone constrain their actions. Nonetheless, the fact that Kochava is not breaking the law doesn’t make its behavior harmless—and it doesn’t make the company immune from lawsuits, either. The FTC’s case could establish that this kind of data surveillance, monetization, and exploitation is an unfair or deceptive business practice, exposing brokers to punishment. And it has the argument to get there.