An Idaho-based data broker has been sued by the Federal Trade Commission (FTC) for selling geolocation data on hundreds of millions of mobile phone customers that could unveil sensitive personal information without their knowledge or consent.

The lawsuit, filed Monday in U.S. District Court for the District of Idaho, alleges Kochava violated the FTC Act when it purchased, collected, and sold geolocation data on mobile phone customers that could help buyers learn where a particular individual lived, worked, worshipped, and has sought medical or mental health services. The data collected was not anonymized, so buyers could track whether an individual visited sensitive locations like abortion clinics, homeless and domestic violence shelters, or substance abuse facilities, the FTC said.

Kochava’s data collection and sales practices put customers at “significant risk,” the FTC said, adding the company failed to protect its data from public exposure. Until at least June, the company offered public samples of data sets on up to 61 million unique mobile phone customers over the course of a week featuring time-stamped location data, the FTC said.

“The company’s data allows purchasers to track people at sensitive locations that could reveal information about their personal health decisions, religious beliefs, and steps they are taking to protect themselves from abusers. The release of this data could expose them to stigma, discrimination, physical violence, emotional distress, and other harms,” the FTC said in a press release.

The FTC voted 4-1 to file the complaint, with Chair Lina Khan joined in support by Commissioners Rebecca Kelly Slaughter, Christine Wilson, and Alvaro Bedoya. Voting no was Commissioner Noah Joshua Phillips.

The agency’s lawsuit seeks to require Kochava to halt the sale of and delete the geolocation data it has collected.

In the complaint, the FTC alleges customers do not know their geolocation data is being collected, by whom, and for what purposes. And they have no recourse.

“Indeed, once information is collected about consumers from their mobile devices, the information can be sold multiple times to companies that consumers have never heard of and never interacted with,” the complaint said. “Consumers have no insight into how this data is used—they do not, for example, typically know or understand that the information collected about them can be used to track and map their past movements and that inferences about them and their behaviors will be drawn from this information.”

Earlier this month, the FTC issued an advanced notice of proposed rulemaking that would allow the agency to punish companies that engage in abusive commercial surveillance practices. In July, the agency warned businesses it would begin cracking down on the illegal use and sharing of highly sensitive personal data.

“This location data can reveal a lot about people, including where we work, sleep, socialize, worship, and seek medical treatment,” wrote Kristin Cohen, acting associate director of the FTC’s Division of Privacy and Identity Protection, in a blog post. “While many consumers may happily offer their location data in exchange for real-time crowd-sourced advice on the fastest route home, they likely think differently about having their thinly disguised online identity associated with the frequency of their visits to a therapist or cancer doctor.”

Brian Cox, general manager of the Kochava Collective, said in an emailed statement, “This lawsuit shows the unfortunate reality that the FTC has a fundamental misunderstanding of Kochava’s data marketplace business and other data businesses. Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy.”

Aaron Nicodemus covers regulatory policy and compliance trends for Compliance Week. He previously worked as a reporter for Bloomberg Law and as business editor at the Telegram & Gazette in Worcester, Mass.

Topics