The Federal Trade Commission is suing to stop an analytics company (Idaho-based company called Kochava) from selling geo-location data on over 125 million consumers, including where they live and if they recently visited an abortion clinic.
Kochava has been selling the information as a data feed covering 125 million monthly active users and charging thousands of dollars per month for access. The geolocation data can include the precise longitude and latitude of the user’s smartphone, along with timestamps and the IP address. To protect consumers, the company strips out users’ identities from the data and assigns them a mobile advertising ID.
The FTC says the supposedly anonymized geo-location data can be easily compiled with other information from third-party sources to pinpoint a user’s identity.
For example, the location of a mobile device at night is likely the user’s home address and could be combined with property records to uncover their identity, The same data can also expose sensitive locations a consumer has visited, such as a reproductive health clinic, places of worship, or a domestic violence shelter. “The data may also be used to identify medical professionals who perform, or assist in the performance, of abortion services,” the FTC’s lawsuit adds.
On the AWS marketplace, Kochava allegedly offered up some of the data at no cost through a free sample, which covered a seven-day rolling period. One day of the sample data could cover 61.8 million unique devices. Kochava put minimal safeguards in place to prevent bad actors from accessing the same data; it merely required interested users to fill out a form.
The FTC’s lawsuit suggests the company blocked access to the data feed on AWS in June. Earlier this month, Kochava also announced it would begin removing “health services location data” from its analytics product by this quarter. The company also noted the geo-location information it’s been monetizing came from third-party suppliers, which secured consent from consumers.