FTC says Idaho firm’s data can track visits to abortion clinics. The firm fights back

Angela Palermo
Manu Fernandez/AP

An Idaho data analytics company is suing the Federal Trade Commission, saying the agency wrongly threatened to sue over the company’s consumer-tracking and data-sharing capabilities.

The FTC sought to enforce an injunction against Kochava for its precise geolocation data, which the agency argues can be used to track people to various locations, including abortion clinics.

Kochava develops software tools and programs that mobile app developers can use to measure, track and organize data for marketing campaigns. The Sandpoint company also aggregates third-party provided mobile device data and makes it available through its own marketplace.

In a proposed complaint, the FTC alleges that Kochava collects a wealth of information about consumers and their mobile devices by buying data from other brokers to sell to its own customers.

The agency alleges Kochava sells time-stamped latitude and longitude coordinates showing the location of mobile devices.

It says the precise geolocation data can be used to identify people and track them to sensitive locations, including therapists’ offices, addiction recovery centers, medical facilities and women’s reproductive health clinics. Kochava denies this claim.

After the U.S. Supreme Court decision to overturn Roe v. Wade in June, President Biden issued an executive order directing federal agencies to protect the privacy of patients seeking abortions, according to the Wall Street Journal.

“The FTC’s hope was to get a small, bootstrapped company to agree to a settlement – with the effect of setting precedent across the ad-tech industry and using that precedent to usurp the established process of Congress creating law,” a spokesperson for Kochava emailed the Statesman.

The FTC, which prohibits unfair or deceptive acts affecting commerce, seeks a permanent injunction to prevent future violations.

A spokesperson for the FTC declined a request for comment.

In its lawsuit, filed Friday in the U.S. District Court in Idaho, Kochava says the allegations regarding its business practices illustrate a lack of understanding of the company’s services.

Kochava says it does not identify specific users but collects mobile advertising identifier, or MAID, information and links it to hashed emails and primary IP addresses. Hashed email addresses are encrypted with a unique code to be anonymous, allowing marketers to protect their customers’ data while tracking them across multiple platforms, according to Mailmodo.

While the company does collect latitude and longitude, IP address and MAID associated with a consumer’s device, it doesn’t receive the data elements until days later, unlike a GPS tool. And Kochava says it doesn’t identify the location associated with latitude and longitude or the consumer associated with the MAID.

“Kochava does not collect, then subsequently sell data compilation that allows one to track a specific individual to a specific location,” the lawsuit says. “Even if an injury to the consumer did indeed occur, it is reasonably avoidable by the consumer themselves by way the opt-out provision to allow the data collection.”

On Aug. 10, the company announced a new capability for its data marketplace called a privacy block. The feature removes health services’ location data from Kochava’s marketplace. It won’t become available until the end of the month.

Even if consumers previously consented to share their location data, the company says the privacy block feature prevents the sharing of health services locations.

St. Luke’s vendor experiences data breach. Thousands of Idaho patients may be affected

2021 was worst year for ransomware attacks. How FBI says cybercrimes affected Idahoans

Boise City Council to consider resolution on abortion. Here’s what it would do

After Roe decision, Idaho lawmakers may consider restricting some contraception

Advertisement