Notice & Comment

FTC’s Kochava Settlement Advances Data Privacy Enforcement–But Leaves Critical Gaps in Protecting Consumers

The FTC’s most recent case against a data broker for illegal practices should encourage more consumer protection agencies to follow suit; but important omissions in the FTCs settlement should be considered by states.

A Notable Advance in FTC Unfairness and Privacy Jurisprudence: Banning Sale of Location Data

The Federal Trade Commission’s (“the Commission” or “FTC”) victory in Kochava is the next step in a long line of enforcement actions that sharpened the Commission’s stance on data brokers. It sits alongside policy initiatives responding to growing concerns around opaque surveillance practices and FTC data broker cases against Avast, Cerebral, BetterHelp, GoodRx, Premom, InMarket, and X–Mode Social.

In 2022, the FTC sued data broker Kochava, alleging violations of its prohibition on unfair acts or practices arising from the selling of location data from hundreds of millions of mobile devices. This sent a strong message: It is illegal to sell, license, or transfer precise geolocation data linked to individuals when that data reveals consumers’ visits to sensitive locations.

Data brokers often profit from sharing users’ information, which can expose users to an array of harms including stalking, scams, harassment, threats to physical safety, blackmail and coercion, stigma, and emotional distress. The data can be inaccurate and negatively biased, can lead to targeted ads or discriminatory profiling that can impact employment, insurance, eligibility for public benefits, and credit loans. The data can also be used to expose medical conditions, target vulnerable populations, or threaten national security, and it can end up in data breaches.

Reproductive health clinics, churches, domestic violence shelters, homeless shelters, and addiction recovery clinics are just a few of the locations that Kochava shared as part of its business model. As the complaint says, the “collection and use of their location data are opaque to consumers”—and that lack of control can lead to stigma, stalking, discrimination, job loss, and even physical violence.

In May 2026, the FTC finalized a settlement banning Kochava and its subsidiary, Collective Data Solutions, from selling or sharing sensitive location data unless they obtain a consumer’s consent and the data provides a service the consumer requested. The order’s definition of consent also makes clear that “[o]btaining consent through a user interface that has the effect of subverting or impairing user autonomy, decision-making or choice” does not constitute consent.

This nearly four-year battle ended in a victory for FTC unfairness and privacy jurisprudence.

The settlement comes after an important 2022 decision in which a federal district court denied Kochava’s motion to dismiss. The court found that selling “highly-granular,” essentially non-anonymized personal information about millions of people constitutes substantial injury under Section 5(a) of the FTC Act.[1]

There are a few additional takeaways from the Court’s decision:

  1. Privacy invasion may constitute an injury under Section 5(a). Kochava’s alleged practice of providing its customers non-anonymized information, including location history, age, ethnicity, religion, and economic status was an injury under the FTC Act.[2]
  2. Actual harm is not required, only likelihood of harm under Section 5(a). Harms such as unfair sale of mobile data with unique persistent identifiers that reveal consumers’ visits to sensitive locations satisfied this standard.[3]

This foundational case shows how consumer protection tools, including the prohibition against unfair acts or practices, can fight against the data abuses people face in the surveillance economy. This sort of approach has drawn support across both Democratic and Republican administrations. Both the court’s decision and the FTC settlement herald a robust use of the FTC and broader consumer protection authority to address privacy harms.

Major Gaps in the 2026 Kochava Order: Narrowed Sensitive Location Scope, No Ban on Use of Sensitive Data, and No Explicit Prohibition on Indefinite Retention

Consumer protection litigators, however, should note that the 2026 Kochava settlement walked back prior remedy baselines in the data broker cases mentioned above that address issues including how location data is defined, and how that data is used and retained. In fact, the Trump FTC omitted important safeguards that prior bipartisan FTC orders brought against a similar range of mass data collector firms at the time.

Specifically compared to the 2024 X-Mode Social order, the 2026 Kochava order walked back critical consumer protections in three respects:

  1. It narrowed the scope of sensitive locations—dropping several previously covered categories, including entities providing education or childcare services to minors.
  2. It removed the ban on use of sensitive location data.[4]
  3. It did not require that deletion timeframes be tied to business purpose, nor did it explicitly prohibit indefinite retention.

We examine each of these in detail below. 

(1) Narrowed definition. The 2026 Kochava order significantly narrows the scope of “sensitive locations” compared to other data broker orders, creating risks in locations where more safeguards should reasonably apply.

2024 X-Mode Social Order

M. “Sensitive Locations” means locations within the United States associated with: (1) medical facilities (e.g., family planning centers, general medical and surgical hospitals, offices of physicians, offices of mental health physicians and practitioners, residential mental health and substance abuse facilities, outpatient mental health and substance abuse centers, outpatient care centers, psychiatric and substance abuse hospitals, and specialty hospitals); (2) religious organizations; (3) correctional facilities; (4) labor union offices; (5) locations of entities held out to the public as predominantly providing education or childcare services to minors; (6) associations held out to the public as predominantly providing services based on racial or ethnic origin; or (7) locations held out to the public as providing temporary shelter or social services to homeless, survivors of domestic violence, refugees, or immigrants.

2026 Kochava Order

M. “Sensitive Locations” means locations within the United States associated with: (1) medical facilities; (2) religious organizations; (3) locations of entities held out to the public as predominantly providing education or childcare services to minors; (4) locations held out to the public as providing temporary shelter or social services to homeless, or survivors of domestic violence; or (5) military or federal law enforcement installations, offices, or buildings.

(2) Lack of a ban on use of sensitive location data. Unlike other orders, the 2026 Kochava order does not include a ban on use of data.

This omission is problematic because data brokers do not have to sell data to abuse it. In the FTC’s case against Gravy Analytics Inc., the complaint alleges that the respondents used “geo-fencing” to identify lists of consumers who, for example, visited “breast cancer-related events” or “attendees of Christian churches based in Minnesota.” Further, the complaint alleged that respondents could sort the users into categories like “sports betting enthusiast,” “elder care interest,” “parents with young kids,” or “likely Republican voter.”

A data broker[5] can analyze, infer, and act on that data without necessarily[6] selling that data to a third party.[7] For example, inferences such as “Gen X blue collar worker” or “Medicare Interest” can classify an individual into a sensitive segment. A data broker can use that classification internally or within an advertising system to determine what content, offers, prices, or ads a person sees or to influence what services or pricing tiers they may be eligible for.

II. Prohibitions on the Use, Sale, or Disclosure of Sensitive Location Data: IT IS FURTHER ORDERED that Respondents and Respondents’ officers, agents, employees, whether acting directly or indirectly, must not sell, license, transfer, share, disclose, or otherwise use in any products or services Sensitive Location Data associated with the Sensitive Locations that Respondents have identified within 180 days of the issuance of this Order as part of the Sensitive Locations Data Program established and maintained pursuant to Provision III below. Provided, however, that the prohibitions in this Provision II do not apply if Respondents: (i) use Sensitive Location Data to convert such data into data that (a) is not Sensitive Location Data or (b) is not Location Data; or (ii) have a direct relationship with the consumer related to the Sensitive Location Data, the consumer has provided Affirmative Express Consent, and the Sensitive Location Data is used to provide a service directly requested by the consumer.

2026 Kochava Order

II. PROHIBITIONS ON THE SALE OR DISCLOSURE OF SENSITIVE LOCATION DATA: IT IS FURTHER ORDERED that Defendants and Defendants’ officers, agents, and employees, whether acting directly or indirectly, must not sell, license, transfer, share, or disclose in any products or services Sensitive Location Data associated with the Sensitive Locations that Defendant CDS has identified within 90 days of the entry of this Order as part of the Sensitive Locations Data Program established and maintained pursuant to Provision III below. Provided, however, that the prohibitions in this Provision II do not apply if Defendants have a direct relationship with the consumer related to the Sensitive Location Data, the consumer has provided Affirmative Express Consent, and the Sensitive Location Data is used to provide a service directly requested by the consumer

(3) Weaker data retention limits. The 2026 Kochava order does not require that the timeframe for data deletion be bounded by “time reasonably necessary to fulfill the purpose for which the Covered Information was collected” or that indefinite retention be prohibited.

2024 X-Mode Social Order

XII. Data Retention Limits: IT IS FURTHER ORDERED that Respondents, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Covered Information, must: A. Within 60 days of the effective date of this Order, document, adhere to, and make publicly available through a link on the home page of their website(s), in a manner that is Clear and Conspicuous, a retention schedule for Covered Information, setting forth: (1) the purpose or purposes for which each type of Covered Information is collected or used; (2) the specific business needs for retaining each type of Covered Information; and (3) an established timeframe for deletion of each type of Covered Information limited to the time reasonably necessary to fulfill the purpose for which the Covered Information was collected, and in no instance providing for the indefinite retention of any Covered Information; and…

2026 Kochava Order

XI. DATA RETENTION LIMITS: IT IS FURTHER ORDERED that Defendant CDS in connection with the collection,
maintenance, use, or disclosure of, or provision of access to, Covered Information, must: A. Within 60 days of the entry of this Order, document, adhere to, and make publicly available through a link on the home page of their website(s), in a manner that is Clear and Conspicuous, a retention schedule for Covered Information, setting forth: (1) the purpose or purposes for which each type of Covered Information is collected or used; (2) the specific business needs for retaining each type of Covered Information; and (3) an established timeframe for deletion of each type of Covered Information. Defendant Kochava must comply with, and
thereafter adhere to, the requirements of this Provision before selling, using, licensing, transferring, sharing, or disclosing Covered Information.

Given the bipartisan support for these protections in prior orders, the exclusions should be seen as unnecessary and unpersuasive departures from prior practice, not as a new baseline. Individuals deserve meaningful protections when their data is sold and when it is collected, used, retained, or otherwise exploited.

Why States Are Well Positioned to Continue Leading Privacy Enforcement

Americans continue to be besieged by abusive surveillance and data collection practices. State and local enforcers should use their consumer protection tools, including unfairness, as they build out their important privacy related efforts. These efforts could include steps such as

  1. Using unfairness to go after data abuses—the Kochava model. The Kochava case showed that data broker business activities can constitute unfair practices under Section 5 authority. When data brokers sell location data in ways that cause significant consumer harm, cannot be reasonably avoided by consumers, and are not outweighed by any benefits, that conduct fits the unfairness standard. Regulators with similar authority should consider using this framework.

  2. Investigating all precise geolocation data, not just “sensitive” data. Even if geolocation data is not “sensitive,” tracking it can reveal patterns of movement that expose where a person sleeps, works, and spends time. A stalker does not need to know that a victim visited a domestic violence shelter if they can infer her daily routine from a week of coffee shop check-ins. The harm is not in any one “sensitive” location, but in the patterns of movement. Law enforcement officials must ensure that limitations on the sharing of data reflect the full extent to which data can be used. This means examining how the sharing, sale, or misuse of precise geolocation data can cause or be likely to cause injury.         

  3. Investigating and prosecuting “upstream” actors to tackle and address harm at the root. Law enforcement should ask the following questions and be guided by the following principles.
    1. Ban data collection: Does certain data need to be collected in the first place to use the product? How are third-party data brokers or vendors accountable for the data they sell—in addition to first-party platform actors?
    2. Ban data uses: Should there be restrictions on how data can be used to close gaps that collection- and sale-focused rules may miss?
    3. Re-examine unnecessary carveouts: Should lawmakers examine whether current carveouts in legislation should be re-examined, particularly those that permit data use for purposes like “product improvements” or “A/B testing,” given that such broad categories may function as catch-all justifications for extensive data practices that users do not meaningfully anticipate or consent to? How do these carveouts blur the distinction between legitimate product development uses and more expansive activities such as cross-context tracking, data repurposing, or unrelated monetization strategies like targeted advertising or consumer profiling?

The Kochava line of data broker cases brought by the FTC stands for a fundamental shift in how consumer protection officials should approach privacy abuses. As former FTC regulators have argued, these cases represent a paradigm shift on notice-and-consent, directly rejecting former FTC Chair Tim Muris’ “harms-based” framework that “treated invasions of privacy as cognizable injuries only if they resulted in some separate downstream harm.” The era of notice-and-consent should be behind us, and future cases should not revert to it. The Kochava case makes it clear: when data can reveal the most intimate, most vulnerable details of our lives, the question is not only about who sells it—it’s about who collects it, who gets to use it, and for what.

Until regulators and policymakers can address these questions, dangerous uses of consumer data will continue to go unchecked. Law enforcement and regulators already have many of the tools. Now they need to use them.

Stephanie T. Nguyen is a Senior Fellow at the Center for Law and the Economy, and previously served as Chief Technologist at the Federal Trade Commission, where she founded and led the agency’s first Office of Technology.

Robin Moore is a Senior Fellow at the Center for Law and the Economy. Prior to joining the Center, she served at the Federal Trade Commission for more than two decades, most recently as Principal Deputy General Counsel.

Seth Frotman is a Senior Fellow at the Center for Law and the Economy and a Lecturer in Law at Columbia Law School. He formerly served as General Counsel and Senior Advisor to the Director at the Consumer Financial Protection Bureau.


[1] Notably, the FTC’s complaint highlighted the lack of consumer consent in the collection and disclosure of this personal information. See e.g., Second Amended Complaint for Permanent Injunction & Other Relief ¶¶ 2, 46, 58, 66, FTC v. Kochava, Inc., No. 2:22-cv-00377 (D. Idaho July 15, 2024) (“Complaint”). While not specifically relevant to the injury analysis, whether consumer consent was given could impact the analysis of whether the harm is reasonably avoidable. See e.g., id. at ¶ 46 (alleging that “because consumers do not know that Kochava is collecting this data, consumers cannot avoid the harm resulting from the collection, use, or subsequent disclosure.”) However, there could be circumstances in which—even where a consumer provides nominal or “check-the-box” consent—the elements of unfairness may still be satisfied. See e.g. Complaint, In re Gravy Analytics, No. 212-3035 (Dec. 3, 2024), https://www.ftc.gov/system/files/ftc_gov/pdf/2123035gravyanalyticscomplaint.pdf; See generally, https://x.com/wired/status/2057024714380280236?s=46&t=I41S-_6HTDCUVmJ5HUDfHw.

[2] The Court explained that “privacy has long been a legally protected interest at the state, local, and federal levels” and that “an invasion of privacy may constitute an injury that gives rise to liability under Section 5(a).” Memorandum Decision and Order 10, FTC v. Kochava, Inc., No. 2:22-cv-00377 (D. Idaho Feb. 3, 2024) (citing Mem. Decision and Order at 19, Dkt. 24)) (“Decision and Order”).

[3] The court rejected Kochava’s argument that none of the FTC’s examples of harm involved its data, noting that the argument “misses the point.” Decision and Order, supra note 3, at 9. The court further explained that “[u]nder Section 5(n), the FTC must allege that Kochava’s acts or practices cause or are likely to cause substantial injury to consumers” and that “[b]y demonstrating that harms have resulted from the sale of similar mobile device data, the FTC supports its claim that Kochava’s practices are likely to cause consumer injury.” Id. at 9-10 (emphasis added).

[4] The lack of a ban on use is particularly stark in this case, where the complaint specifically alleged that the company collected sensitive information without consumer consent. Complaint, supra note 2, at ¶ 58 (alleging that “Kochava collects and discloses consumers’ personally identifying information and sensitive information to third parties without consumers’ knowledge or consent. Indeed, consumers do not know that Kochava has collected their information or is disclosing it to third parties”). Omitting a ban on use under these conditions could allow the defendants to use allegedly unlawfully collected data to profile, track, and target individuals based on sensitive data and/or inferences.

[5] We generally define data broker as any company “that collect[s] consumers’ personal information and resell or share that information with others.”

[6] (e.g., “Connecting information to unique individuals becomes especially significant when sensitive information is involved.”)

[7] (e.g., “taking data collected to authenticate a user and selling it for advertising purposes” or “use by data brokers trafficking in consumer profiles”)