The Federal Trade Commission (FTC — the U.S. federal agency responsible for consumer protection and competition enforcement) has finalized a settlement that bans data broker Kochava and its subsidiary, Collective Data Solutions (CDS), from selling, licensing, sharing, or disclosing precise location data without explicit consumer consent. The 2-0 Commission vote approved the stipulated final order, ending four years of litigation that began with the FTC's August 2022 lawsuit against the Idaho-based company.
The case centered on Kochava's practice of collecting, aggregating, and selling precise geolocation data obtained from hundreds of millions of mobile devices — data that revealed the physical movements of individuals, including visits to sensitive locations such as health clinics, reproductive health facilities, addiction treatment centers, and places of worship.
What Happened
Kochava built its business as a mobile measurement and attribution platform (a type of service used by app developers and marketers to track which advertising channels led users to install their apps and take actions within them). As part of its measurement infrastructure, Kochava collected device-level location data from a vast network of mobile apps that integrated its SDK (Software Development Kit — a code library that developers embed into their apps, in this case to enable attribution tracking). That data was aggregated into datasets that could be purchased by third parties.
The FTC's 2022 lawsuit alleged that Kochava's data sales practices enabled buyers to trace individual consumers' movements over time with a granularity sufficient to identify where they lived, worked, sought medical care, and worshipped. Kochava challenged the lawsuit, and litigation continued until the May 2026 settlement.
The FTC's specific concern was not location data in aggregate, but the precision and linkability of Kochava's data. The company sold coordinates accurate enough to identify a specific building entrance, paired with persistent device identifiers (unique codes assigned to individual devices) that allowed buyers to stitch together a timeline of an individual's movements — effectively a surveillance record built without the knowledge or meaningful consent of the person being tracked.
Settlement Terms
Under the settlement approved by the FTC, Kochava and CDS are subject to the following requirements:
Prohibition on selling sensitive location data: The companies cannot sell, license, transfer, share, or disclose sensitive location data in any product or service unless:
- Consumers provide affirmative express consent (an active, informed opt-in — not a buried pre-checked box or broad terms-of-service agreement)
- The data is used exclusively to provide a service the consumer directly requested
Sensitive location program: Kochava must establish an internal program that identifies categories of sensitive locations (health facilities, religious sites, schools, etc.) and implements controls to prevent data associated with visits to those locations from being sold or disclosed.
Supplier assessment process: The company must implement a process to verify that any location data it acquires was collected with appropriate consumer consent from the original data source — meaning it cannot simply launder improperly-collected data by purchasing it from intermediaries.
Consumer rights: Consumers may request the names of any business or individual to which Kochava or CDS has sold their precise location data. The companies must provide an easy-to-use mechanism for consumers to withdraw consent for the sale of their device's location data.
The settlement does not include a financial penalty as a headline term, though the operational and compliance costs imposed are substantial.
Why This Matters for Security and Privacy Practitioners
The Kochava case is one of several FTC enforcement actions over the past three years targeting data brokers — companies whose primary business model involves collecting, aggregating, and selling personal data, often without a direct relationship with the individuals whose data is being sold. Previous actions targeted Outlogic (formerly X-Mode Social) and InMarket for similar location data practices.
For security practitioners, the Kochava settlement has direct relevance in several contexts:
Mobile app SDK risk. Any organization that has integrated a mobile measurement SDK — including Kochava's own SDK, or SDKs from competitors in the same market — may be transmitting device location data to third-party data brokers as a side effect of attribution tracking. Security and privacy teams conducting app audits should inventory all third-party SDKs, understand what data each collects and where it sends that data, and assess whether the data collection is disclosed to users and consented to appropriately.
Threat actor use of data broker data. Precise location data of the type Kochava collected is not only commercially valuable — it is operationally useful for threat actors conducting surveillance, corporate espionage, or targeted physical attacks. Adversaries who can purchase or steal data broker datasets obtain detailed movement histories of executives, government officials, military personnel, and security researchers. The FTC's action reduces (but does not eliminate) the commercial availability of such data.
Supply chain data exposure. Organizations that have used Kochava's services — particularly for mobile app attribution — should assess what data they shared with the company and whether that data may have been resold to third parties. The settlement creates a right to request that information.
What You Should Do Right Now
- Audit third-party SDKs in your mobile applications. Use a tool like MobSF (Mobile Security Framework — an open-source tool for static and dynamic analysis of mobile apps), a commercial SAST (Static Application Security Testing) solution, or manual code review to identify all SDKs collecting device identifiers or location data. Understand what each SDK collects and where it sends it.
```bash
# Quick check for common attribution SDK packages in an Android APK.
# The APK is a zip archive, so extract the DEX bytecode before running strings;
# running strings on the compressed archive itself finds little.
unzip -p yourapp.apk 'classes*.dex' | strings | grep -i "kochava\|appsflyer\|adjust\|branch"
```
- Review your app's privacy disclosure for location data accuracy. If your app collects location data — even indirectly through SDKs — your privacy policy and in-app disclosure must accurately describe what is collected, why, and who it is shared with. Inaccurate disclosures create regulatory exposure.
- Minimize location data collection to what is strictly necessary. Apply the principle of data minimization: if your app's core functionality does not require precise GPS coordinates, request only approximate location (or none at all). For attribution purposes, IP-based geolocation is sufficient for most use cases and does not require access to precise device location.
- If you have used Kochava services, request a data accounting. Under the terms of the settlement, you or your organization may be able to request information about what data Kochava or CDS has sold that is associated with your devices or users. Review the FTC settlement for the specific mechanism.
- Track the FTC's broader data broker enforcement program. The Kochava case is part of a pattern. The FTC has taken action against multiple data brokers in the past 24 months. Organizations operating in the mobile data ecosystem should monitor this enforcement trend and proactively align their data collection and sharing practices with the consent and transparency standards the FTC is enforcing.
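A worked example of the SDK audit and location-permission check from the steps above, written for this page and not taken from Kochava, the FTC, or any tool named here. It treats the APK as the zip archive it is, searches the DEX bytecode for Java package prefixes of attribution SDKs (the prefixes in SDK_PREFIXES are illustrative assumptions, not a verified list), and checks the binary manifest for Android's location permissions, so a team can see whether precise location is requested alongside an attribution SDK. The sample APK it scans is constructed in code for demonstration.

```python
"""Offline inventory of attribution SDKs and location permissions in an Android APK.

Added example for this article, not Kochava's, the FTC's, or any vendor's code.
The SDK package prefixes are assumptions chosen for illustration; extend them
with the SDKs actually used in your apps.
"""
import json
import re
import tempfile
import zipfile
from pathlib import Path

# Java package prefixes as they appear in DEX string tables (assumed examples).
SDK_PREFIXES = {
    "kochava": b"Lcom/kochava/",
    "appsflyer": b"Lcom/appsflyer/",
    "adjust": b"Lcom/adjust/",
    "branch": b"Lio/branch/",
}

# Android permissions that gate device location. The compiled AndroidManifest.xml
# stores its string pool as UTF-16LE, so both encodings are searched.
LOCATION_PERMISSIONS = [
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
]


def _contains(blob: bytes, text: str) -> bool:
    """True if text occurs in blob as UTF-8 or UTF-16LE."""
    return text.encode("utf-8") in blob or text.encode("utf-16-le") in blob


def scan_apk(apk_path) -> dict:
    """Report which known SDKs are compiled into the APK and which location permissions it declares."""
    found_sdks, permissions = set(), []
    with zipfile.ZipFile(apk_path) as apk:
        names = apk.namelist()
        for name in names:
            # Multidex apps ship classes.dex, classes2.dex, ...
            if re.fullmatch(r"classes\d*\.dex", name):
                dex = apk.read(name)
                for sdk, prefix in SDK_PREFIXES.items():
                    if prefix in dex:
                        found_sdks.add(sdk)
        if "AndroidManifest.xml" in names:
            manifest = apk.read("AndroidManifest.xml")
            permissions = [p for p in LOCATION_PERMISSIONS if _contains(manifest, p)]
    fine = "android.permission.ACCESS_FINE_LOCATION" in permissions
    return {
        "sdks": sorted(found_sdks),
        "location_permissions": permissions,
        # Precise GPS plus an attribution SDK is the combination that needs a
        # consent and disclosure review; coarse location alone is the minimized case.
        "review_needed": fine and bool(found_sdks),
    }


def build_sample_apk(path) -> str:
    """Write a constructed, minimal APK-like zip for demonstration (not a real app)."""
    with zipfile.ZipFile(path, "w") as apk:
        apk.writestr(
            "classes.dex",
            b"dex\n035\x00Lcom/kochava/tracker/Tracker;Lcom/example/app/MainActivity;",
        )
        apk.writestr("classes2.dex", b"dex\n035\x00Lio/branch/referral/Branch;")
        apk.writestr(
            "AndroidManifest.xml",
            "android.permission.ACCESS_FINE_LOCATION".encode("utf-16-le"),
        )
    return str(path)


def scan_sample() -> dict:
    """Build the constructed sample APK in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_apk(build_sample_apk(Path(tmp) / "sample.apk"))


if __name__ == "__main__":
    # Replace scan_sample() with scan_apk("yourapp.apk") for a real build.
    print(json.dumps(scan_sample(), indent=2))
```

The byte search over DEX string tables is deliberately crude: it catches an SDK whose classes were compiled in, but an obfuscated or renamed package will slip past it, so treat a clean result as a prompt for manual review rather than proof of absence.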
Background: Understanding the Risk
Data brokers occupy an uncomfortable position in the privacy and security landscape. Their data collection is often technically legal — SDKs disclose data collection in terms of service that users click through — but the practical effect is surveillance-for-sale at a scale and granularity that the average user does not understand.
The Kochava case is significant because it directly challenged the "consent buried in ToS" model. The FTC's position, reflected in the settlement terms, is that broad terms-of-service acceptance does not constitute meaningful consent for the sale of sensitive location data to third parties. Affirmative express consent — an active, informed opt-in — is the required standard.
This has implications beyond Kochava. The mobile attribution industry as a whole relies on similar data collection practices, and the consent standard established in this settlement is a signal to the entire sector. Data brokers that cannot demonstrate affirmative consumer consent for sensitive location data sales face the same legal exposure that Kochava faced.
From a threat intelligence perspective, the FTC's action reduces one channel through which adversaries might acquire high-quality location data on individuals, but does not eliminate the risk. Data brokers that have already sold location data cannot un-sell it. Datasets purchased from Kochava before the settlement remain in circulation. And the broader data broker ecosystem, while under increasing regulatory pressure, still provides significant commercial access to personal data that can be weaponized.
The Kochava settlement, alongside legislative developments like state-level privacy laws (California's CPRA, Virginia's CDPA, Colorado's CPA, and others) and ongoing FTC rulemaking on commercial surveillance, represents a gradual tightening of the data broker operating environment in the United States. Security professionals advising on data governance and third-party risk should factor this regulatory trajectory into their risk models.
Conclusion
The FTC has banned Kochava and its subsidiary CDS from selling precise location data without explicit consumer consent, settling a 2022 lawsuit over tracking hundreds of millions of mobile devices to sensitive locations. Security and privacy teams should audit mobile SDKs in their applications, ensure location data collection is accurately disclosed and appropriately consented to, and monitor the FTC's ongoing data broker enforcement program for further developments that may affect their data practices.