chevron-down Created with Sketch Beta.

ARTICLE

FTC v. Kochava and What’s Next for the FTC’s Section 5 Unfairness Authority

Reema Moussa

FTC v. Kochava and What’s Next for the FTC’s Section 5 Unfairness Authority
d3sign via Getty Images

On May 4, 2023, a federal judge for the District of Idaho dismissed the Federal Trade Commission’s (the “Commission” or “FTC”) lawsuit against Kochava, a Sandpoint, Idaho-based data broker alleged to have sold “geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.” The lawsuit represents the Commission’s first attempt at bringing an action based solely on an “unfair” practice, pursuant to the FTC Act’s proscription on “unfair or deceptive trade practices.” Although the dismissal delivered a blow to the FTC’s latest effort to crack down on privacy invasions, it can be considered a win for the Commission as they endeavor to bring privacy cases as its framework for doing so was reinforced by the court. What remains to be seen is how the “likelihood” of privacy harms will be borne out in future cases brought by the Commission and other regulators.

Practitioners should continue to be vigilant in evaluating their data protection measures through a forward-looking lens, as this case largely reinforces the Commission’s ability to bring privacy cases against companies whose practices could violate consumers’ privacy in the future. The Commission’s expansive reading of its statutory authority in challenging Kochava’s geolocation sales underscores the current administration’s willingness to push the boundaries of existing law and target a wider range of conduct.

The Commission’s Case and Kochava’s Countersuit

In its 2022 complaint, the Commission alleged that Kochava had engaged in unfair trade practices when it collected and published precise mobile geolocation data on its “Kochava Marketplace.” It argued that the practice was “unfair” because the geolocation data, when combined with mobile advertising IDs (MAIDs), could be used to make sensitive inferences about a person’s race, religion, sexual orientation, and seeking of reproductive healthcare (poignant in the wake of the Dobbs v. Jackson Women’s Health Organization decision overturning a constitutional right to seek an abortion), among other things. The Commission sought a permanent injunction barring Kochava’s sale of “precise location data associated with unique persistent identifiers that reveal consumers’ visits to sensitive locations.”

In addition to its 12(b)(6) motion to dismiss the Commission’s case (filed on October 28, 2022), Kochava filed a preemptive countersuit against the Commission in early August, and pointed to its “Privacy Block” product released in September 2022 as rendering Kochava’s complaint moot, among other arguments. The countersuit also referenced the Axon v. FTC case as an offensive on the constitutionality of the Commission’s structure.

“Likelihood of Substantial Harm” in Proving Privacy Harms

Judge B. Lynn Winmill of the District of Idaho’s decision to grant Kochava’s motion to dismiss addresses whether Kochava’s sale and publication of consumers’ geolocation data poses a substantial risk of substantial harm - and while the court acknowledged that third party entities could access this data, the decision states that the Commission fell short in providing evidence that this did or is likely to actually cause substantial harm to consumers. The court allowed the FTC to refile its complaint against the data broker, which it did on June 5. This is reflective of a core problem within remediating privacy concerns - harm is tricky to prove in the privacy context.

The Court also addressed the FTC’s ability to pursue enforcement actions on privacy issues on a broader level. The court concluded that “an invasion of privacy, alone, [can] constitute “substantial injury” under Section 5(n) of the FTC Act[.]” The court articulates; “if injury is the invasion of a legally protected interest, and privacy is a legally protected interest, then an

invasion of privacy may constitute injury,” and points to the absence of language contrary to the notion “that a severe invasion of privacy cannot constitute substantial injury” in the text of Section 5(n), its legislative history, and case law, as evidence for this.

However, it decided that in this case, Kochava’s intrusion of consumers’ privacy did not meet this threshold of “substantially severe” enough to constitute a “substantial injury.” The court acknowledges that the Commission’s privacy concerns with Kochava are “certainly legitimate,” and it points to three factors that mitigate the severity of the risk of substantial injury to consumers originating from Kochava’s data collection practices. Those are;

  1. “The data Kochava sells is not, on its face, sensitive or private” - rather, any private information “can only be ascertained by inference,” which can be unreliable.
  2. The sensitive inferences that can be made from Kochava’s data are “generally accessible through other, lawful means” - property records and movements in public can be requested or observed lawfully, as opposed to financial or medical records which are not available publicly.
  3. The Commission failed to indicate “even generally” the amount of “device users [that] may suffer privacy intrusions,” which is key for proving substantiality. And since extra steps would be required to “tie back” consumers’ movements to them personally, and the Commission did not indicate the likelihood of this, the severity of risk to consumers is mitigated.

Other than these issues, the court generally acknowledged and agreed with the points raised in the Commission’s complaint. The Court also addressed the points raised in Kochava’s countersuit, as well as its Privacy Block product. The court references FTC v. Affordable Media (1999) in reinforcing that regulators can bring an action against companies even for “cured” past violative actions, and points to the lack of clarity provided by Kochava to indicate what Privacy Block does, or why (despite its easily-reversible nature) the feature “makes it unlikely that Kochava will resume its former practices in the future.”

Implications for the Commission’s Unfairness Authority

The ruling marked an initial loss for the Commission as it endeavors to bring more cases based on its unfairness authority; but the court’s acknowledgement of privacy harms as a substantial injury holds a win for the agency’s efforts to address privacy and security issues, and the outcome of the revised lawsuit may bring more definitive answers on the future of privacy enforcement.

The Commission under Chair Lina Khan’s leadership seems so far undeterred in its novel approaches to addressing the issue of fair data usage and digital civil rights in the 21st century. And although it doesn’t address privacy, data, or security issues in particular, the Commission’s policy statement on its Section 5 unfairness authority issued in November 2022 indicates the Commission’s intention of “faithfully discharging its statutory obligations, including through enforcing and administering the prohibition against ‘unfair methods of competition’ on a standalone basis.”

It remains to be seen which arguments the Commission will use within its amended complaint (which was filed under temporary seal) or whether the Commission will pursue additional cases against data brokers or other companies under its unfairness, rather than deception authority in the future. Proving that the likelihood of data abuses and privacy harms that have not yet come to pass can be a tricky endeavor. But as the data economy pervades and the sophistication and volume of threat actors is on the rise, a security-driven approach looking towards the potential of sensitive data to fall into the wrong hands may hold more fruitful arguments for the severity of harm posed to consumers in the age of “surveillance capitalism.”

In the meantime, the court’s decision provides a treasure trove for privacy experts to evaluate a judicial response to complex privacy issues in the digital age. While the practical use of the Commission’s unfairness authority in particular still hangs in the balance, the court’s decision in Kochava establishes that privacy harms can constitute a substantial injury within the Commission’s authority, further cementing its position as the nation’s regulator of data privacy and security issues. Businesses seeking answers on responsible and compliant uses of consumer data, particularly sensitive data, can pose the central question when evaluating their products and features: what are the risks to consumers of being injured from the sale, publication, or leakage of their data - and how likely are those risks?

Sources

This article was prepared by the Antitrust Law Section's Privacy and Information Security Committee.

    Author