On May 4, 2026, the Federal Trade Commission announced a stipulated final order resolving its enforcement action against data broker Kochava Inc. and its subsidiary Collective Data Solutions (CDS). The order bans them from selling or sharing sensitive precise location data without affirmative express consumer consent. Kochava and CDS provide a range of digital analytics services, including the Kochava Collective (for which CDS assumed operation in mid-2023) that aggregate certain data made available through Kochava’s proprietary data marketplace.

In a press release announcing the stipulated final order, the FTC said Kochava and CDS’s “collection, use, and disclosure of precise location data invaded consumers’ privacy by revealing their movements, including visits to sensitive locations such as health facilities and places of worship, in violation of Section 5 of the FTC Act. The FTC also said that “because consumers were unaware of and did not consent to this data sharing, consumers had no way of avoiding the harm resulting from its collection and disclosure.”

The FTC’s Allegations

In a case first filed in August 2022 in the U.S. District Court for the District of Idaho, the FTC alleged that Kochava collected and sold precise mobile device location data tied to hundreds of millions of devices in ways that allowed purchasers to track consumers’ visits to sensitive locations, including reproductive health clinics and places of worship. According to the FTC, consumers were unaware their data was being sold and had no meaningful opportunity to avoid the resulting privacy harms.

Under the proposed final order, Kochava and CDS may not sell, license, transfer, or disclose sensitive location data unless (1) the consumer has provided affirmative, express consent and (2) the data is used solely to provide a service directly requested by the consumer. The order was approved by a 2‑0 Commission vote.

Proposed Stipulated Order

The FTC’s proposed consent order would be in effect for 10 years and would restrict Kochava and CDS from misrepresenting the extent to which it collects, uses, discloses, or deletes data, whether or not deidentified. More specifically, the consent order:

  • Prohibits Kochava and CDS from selling or disclosing precise location data associated with sensitive locations unless it has a direct relationship with the consumer related to the sensitive location data, the consumer has provided affirmative express consent, and the sensitive location data is used to provide a service directly requested by the consumer.
  • Requires Kochava and CDS to establish a written sensitive location data program identifying and filtering out sensitive locations, including a quarterly assessment of the accuracy and completeness of the list of sensitive locations, as well as deleting any sensitive location data for which consent has not been confirmed.
  • Requires that Kochava and CDS report to the FTC any incidents of third parties misusing or improperly sharing location data in violation of contractual requirements.
  • Mandates that Kochava and CDS must develop a supplier assessment program verifying that upstream data sources obtained valid consumer consent.
  • Requires that Kochava and CDS provide clear and conspicuous means for consumers to request the identity of any recipient of their data, including the ability for consumers to withdraw consent and request that their data be deleted.
  • Requires that Kochava and CDS develop, implement, and maintain a comprehensive privacy program, including updating their data retention schedule pursuant to the order.

The Commission voted 2-0 to approve the stipulated final order.

Takeaways

The FTC’s extended litigation with Kochava underscores its focus on the commercial sale of precise location, and other sensitive data and reinforces the FTC’s position that such data is inherently sensitive.

Businesses that collect, use, or disclose location data may want to reassess their privacy program to confirm they have in place appropriate consumer disclosures, valid consent mechanisms, vendor diligence and audit procedures, and data retention and deidentification practices.

Tags: Data, data privacy, FTC
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Timothy A. Butler Timothy A. Butler

Tim Butler helps companies thrive by developing tailored strategies to address their regulatory compliance challenges and vigorously defending them in government enforcement actions and bet-the-company lawsuits.

A former prosecuting attorney for the Federal Trade Commission (FTC) and former senior official in the Georgia…

Tim Butler helps companies thrive by developing tailored strategies to address their regulatory compliance challenges and vigorously defending them in government enforcement actions and bet-the-company lawsuits.

A former prosecuting attorney for the Federal Trade Commission (FTC) and former senior official in the Georgia Attorney General’s Office, Tim has led the defense of dozens of government investigations and enforcement actions brought by the FTC, the Consumer Financial Protection Bureau (CFPB), and the various state attorneys general. Tim also regularly defends clients in bet-the-company lawsuits, including complex business disputes and consumer class actions alleging privacy, false advertising, and unfair or deceptive business practice claims.

Tim is an experienced guide for companies struggling with regulatory complexity. He offers clear advice that helps his clients meet the demands of the ever-growing set of laws and regulations governing data privacy and cybersecurity, advertising and marketing practices, and consumer financial products and services. Clients rely on Tim’s business-minded and practical strategies to address their most difficult regulatory compliance challenges.

A graduate of the University of Chicago and Stanford Law School, Tim is a prolific author and regularly speaks to industry and trade groups about the evolving privacy landscape, about cutting-edge issues affecting payments and fintech companies, and about developments at the FTC, the CFPB, and within the state attorneys general community.

Read more about Timothy A. ButlerTimothy's Linkedin Profile
Show more Show less
Photo of Matthew White Matthew White

Matt White guides clients through regulatory compliance challenges and represents clients in regulatory and civil investigations and litigation.

Matt has counseled fintech and payment companies on regulatory compliance matters, including those involving the Electronic Fund Transfer Act, the Fair Credit Reporting Act, the…

Matt White guides clients through regulatory compliance challenges and represents clients in regulatory and civil investigations and litigation.

Matt has counseled fintech and payment companies on regulatory compliance matters, including those involving the Electronic Fund Transfer Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Truth in Lending Act, and their respective implementing regulations (Regulations E, V, P, and Z). Adept with the Consumer Financial Protection Bureau’s (CFPB) Prepaid Rule, Matt has provided guidance regarding prepaid cards and related compliance.

Matt has also aided clients in developing regulatory compliant products and functionalities, including an earned wage access program, reimbursement prepaid card programs, new merchant cash advance products, and tokenized payment capabilities. In connection with products on which Matt advises, he has also negotiated high-stakes technology sales agreements involving complex regulatory issues, including compliance with data privacy laws, financial regulations, and card network rules.

Beyond helping clients strategize for regulatory complexity, Matt also helps clients navigate government investigations and enforcement actions brought by the Federal Trade Commission (FTC), CFPB, and state attorneys general.

Read more about Matthew WhiteMatthew's Linkedin Profile
Show more Show less
Photo of Tessa Cierny Tessa Cierny

Tessa Cierny advises companies on financial technology and data privacy issues. She has experience counseling companies on state and federal regulatory compliance, including existing and emerging privacy laws, such as the E.U.’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act

Tessa Cierny advises companies on financial technology and data privacy issues. She has experience counseling companies on state and federal regulatory compliance, including existing and emerging privacy laws, such as the E.U.’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as financial and banking regulations, such as the CFPB’s Section 1071 Small Business Lending Rule (Regulation B). In addition, she assists clients in defending business disputes and data breach litigation.

Prior to joining Greenberg Traurig, she served as global records manager for WestRock, where she developed and implemented email and data retention policies for global data privacy regulation compliance. In this role, she also advised on data privacy concerns related to data retention, data loss prevention, and data governance.

Read more about Tessa CiernyTessa L.'s Linkedin Profile
Show more Show less
Photo of Cody B. Davis Cody B. Davis

Cody Davis advises clients on regulatory compliance, data privacy, and consumer protection matters within the financial technology sector, with a focus on payments, emerging platforms, and evolving regulatory frameworks. He works with companies navigating complex federal and state requirements, including regulatory compliance, government…

Cody Davis advises clients on regulatory compliance, data privacy, and consumer protection matters within the financial technology sector, with a focus on payments, emerging platforms, and evolving regulatory frameworks. He works with companies navigating complex federal and state requirements, including regulatory compliance, government investigations, and risk management across the fintech ecosystem.

Cody also has prior experience working with clients in the health care space on mergers and acquisitions as well as regulatory compliance with HIPAA, state telehealth rules, and facility licensure requirements.

Read more about Cody B. DavisCody B.'s Linkedin Profile
Show more Show less
Related Posts
fruits vegetables produce supermarket grocery store Shutterstock_2560984363
Maryland Enacts Food-Sector Personalized Pricing Law
May 6, 2026
Protect cloud information data concept. Security and safety of cloud data.
CFPB Issues Proposed ‘Personal Financial Data Rights’ Rule
October 20, 2023
child smartphone children online protection privacy Shutterstock_2666826849
FTC Signals Relaxed COPPA Enforcement for Age-Verification Technologies
March 4, 2026