Washington (CNN Business)The Federal Trade Commission is suing a data broker that the agency claims has sold sensitive location data that can identify specific abortion-seekers, religious worshipers or others who may be at risk of discrimination, intimidation or even violence.
Monday’s suit targets Kochava, a marketing data company that lists major brands including Disney, McDonald’s and Hilton among its clients.The FTC complaint alleges that Kochava failed to protect consumers when it publicly published samples of actual consumer data on Amazon’s cloud services marketplace, and offered even more data to those who paid. In a statement Monday, Kochava said it has spent the past several weeks trying to explain its practices to the FTC, adding that it is currently rolling out a new feature called Privacy Block that “effectively removes” the sensitive location data from the data marketplace. The company’s general manager, Brian Cox, accused the FTC of “flamboyant press releases and frivolous litigation” and said Kochava complies with all laws and privacy regulations. “Unfortunately the only outcome the FTC desired was a settlement that had no clear terms or resolutions and redefined the problem into a moving target,” Cox said.Read MoreThe suit comes amid mounting scrutiny of data brokers, tech platforms and other companies that handle consumers’ location data generated by smartphones and other devices, as privacy advocates have warned new state laws restricting abortion could lead to abortion-seekers’ location histories being used against them as evidence of wrongdoing.According to the FTC, Kochava’s data had not been anonymized, so by combining its location records with data from other sources, it would be possible to deduce a person’s actual identity based on the information Kochava was offering. In conducting the investigation that led to the suit, the FTC said it analyzed a Kochava sample set that covered more than 60 million unique mobile devices over the span of a single week. Kochava’s data includes precise, timestamped latitude and longitude information for individual consumers, according to the complaint, which highlighted data linked to one specific person to illustrate how revealing the information can be. “The data may be used to identify consumers who have visited an abortion clinic and, as a result, may have had or contemplated having an abortion,” the complaint said. “In fact, in just the data Kochava made available in the Kochava Data Sample, it is possible to identify a mobile device that visited a women’s reproductive health clinic and trace that mobile device to a single family residence. The data set also reveals that the same mobile device was at a particular location at least three evenings in the same week, suggesting the mobile device user’s routine. The data may also be used to identify medical professionals who perform, or assist in the performance, of abortion services.”Under its charter, the FTC is authorized to prosecute unfair or deceptive business practices. In this case, the agency alleges that Kochava’s data practices are unfair because the practices could cause harm to consumers they cannot avoid. In the wake of the Supreme Court’s decision rolling back federal abortion rights this year, the FTC has signaled an increasing focus on protecting health-related data. Following a White House executive order in July that called on the FTC to protect abortion seekers’ privacy, the agency reiterated that it would hold data brokers and others accountable for misuse of data or mischaracterizations of data policies. Regulators at the agency are also mulling possible new data privacy rules that could have sweeping ramifications for how businesses can collect, use and share personal information, including location information.