The battle for location privacy the FTC stops Kochava and redefines the data business

The Federal Trade Commission (FTC) reached an agreement that would prohibit the Kochava data runner and its subsidiary Collective Data Solutions from selling accurate location data without the express and affirmative consent of consumers, a resolution that closes - at least in part - the research started in 2022 on the mass marketing of mobile paths. The case revealed how apparently anodyne data flows can be monetized to follow the movements of hundreds of millions of devices and associated to visits to sensitive places such as reproductive health clinics, treatment centres, temples and shelters.

According to the FTC's own complaint, Kochava offered access to a geolocation feed to customers who paid high subscriptions and did so through platforms such as the AWS Market, with the promise of huge volumes of geographical transactions per month. The prosecution stressed that many users were never informed or given their consent to such use, exposing them to real and concrete risks: from harassment and discrimination to physical violence. The original demand can be reviewed in the FTC public document Here..

The order proposed by the FTC imposes a number of requirements which, if approved by a federal judge, will have the force of law: prohibition of selling or licensing precise location without affirmative consent, limitation of use to services requested by the consumer itself, creation of a specific programme to protect sensitive locations, assessments of suppliers to verify consent, mechanisms for users to ask who received their data and to withdraw such consent, notification of incidents to the regulator and formal data retention and removal schedules. The text of the proposed agreement is available on the FTC website Here..

This failure is not an isolated case: it is part of a broader regulatory trend in which the FTC has intensified monitoring of data runners and the market for commercial surveillance. Since 2022 the agency has announced its intention to explore specific rules against mass surveillance and has sanctioned several intermediaries who traded location data. This context reveals that regulatory and public pressure is pushing to change business models that used to operate with opaque infrastructure and contracts between companies.

What does this mean to people? First of all, the judgment reduces a risk vector but it does not eliminate it: data corridors are still out of the immediate reach of the agreement, and the collection of location signals can be produced by multiple ways (apps, SDKs, Wi-Fi networks, beacons). Users should understand that the simple installation of applications or acceptance of permits often allows automated aggregation and sales processes.

Users can and should take practical steps: review and reduce location permissions in operating system settings, choose to share only an approximate location when the platform allows, disable access to the location in the background, remove applications that request data without clear justification and use the privacy panels offered by Apple and Google to see which companies process data. It is also recommended to demand transparency using privacy tools and complaints mechanisms to local authorities when identifying suspicious practices.

For companies and developers the lesson is equally clear: The era of contractual ambiguity and hidden consensus is running out. Product managers should implement privacy designs from conception (privacy by design), limit collection to what is strictly necessary, document privacy impact assessment exercises, require contractual controls and audits to suppliers and offer simple processes for users to withdraw their consent and meet third parties who receive their data. The combination of technical controls (minimization, on-device processing) and contractual obligations will be key to continue to operate without being exposed to sanctions.

From a public policy and technology perspective, this case underlines the need for clearer rules that define a "sensitive" location and set minimum standards for data market consent, transparency and governance. It also poses a technical challenge: how to allow legitimate services based on location (navigation, emergencies, anonymous analysis) without opening the door to mass commercial surveillance. Techniques such as device processing, boundary aggregation and differential privacy can help, but require standardization and supervision.

The resolution against Kochava is a victory for the protection of privacy, but it must not lead to complacency: continued monitoring, best technological practices and more precise legislation will be needed to close gaps. To follow the case and the FTC's statements on commercial surveillance, please see the agency's page where the related actions and announcements have been collected. Here.. To learn about the industry's public response to changes in Kochava's service, the company published information about its "Privacy Block" proposal that seeks to limit the visibility of health locations in its marketplace Here..