After nearly four years of litigation, the Federal Trade Commission has reached a settlement with Idaho-based data broker Kochava and its subsidiary Collective Data Solutions (CDS), prohibiting both companies from selling sensitive consumer location data without obtaining explicit, affirmative consent. The proposed order, approved by the Commission in a 2-0 vote, now awaits final approval from the U.S. District Court for the District of Idaho — and signals one of the most consequential privacy enforcement actions in the FTC’s recent history.

WHAT THE SETTLEMENT REQUIRES
Under the terms of the proposed order, Kochava and CDS are banned from selling, licensing, transferring, or sharing sensitive location data in any product or service unless they first obtain a consumer’s affirmative express consent and the data is used solely to provide a service the consumer directly requested. The agreement goes well beyond a simple sales prohibition. Both companies are now required to:
- Build and maintain a comprehensive sensitive location data program that identifies and protects data tied to places including medical facilities, reproductive health clinics, houses of worship, domestic violence shelters, addiction treatment centers, and similar sites.
- Implement a supplier assessment program to verify that consumers have actually consented to the collection and use of any location data purchased or obtained from third parties.
- Submit incident reports to the FTC whenever a third party is found to have shared consumers’ precise location data in violation of contractual requirements.
- Give consumers the right to request a list of every business or individual to whom their precise location data was sold, and provide a simple mechanism for withdrawing consent at any time.
- Establish a formal data retention schedule with required deletion timelines — ending the indefinite warehousing of location records that had been standard industry practice.

THE CASE AGAINST KOCHAVA
The FTC first sued Kochava in August 2022, filing its complaint in the U.S. District Court for the District of Idaho. The core allegation was striking in its directness: Kochava was collecting precise GPS-level location data from hundreds of millions of mobile devices and selling it commercially, with no meaningful mechanism for consumer consent or awareness.
The FTC’s complaint argued that the data Kochava sold was specific enough to track individual consumers’ movements over time — and that by correlating device visits to sensitive locations, buyers of that data could make damaging inferences about individuals’ health conditions, religious beliefs, immigration status, and personal lives.
Among the examples cited by the FTC: location data precise enough to show whether a specific mobile device visited a reproductive health clinic, a mosque or church, or an addiction recovery facility — information that, in the wrong hands, could be used for discrimination, harassment, extortion, or targeting of vulnerable individuals.
Kochava initially fought back, arguing that its data practices were lawful and that the FTC had overstepped. The company sought to have the case dismissed, contending that it had contractual protections with data suppliers and that its data was not meaningfully different from information available through other commercial channels. The court rejected Kochava’s motion to dismiss in 2023, allowing the FTC’s case to proceed.
By 2026, with litigation costs mounting and a trial looming, Kochava and its subsidiary agreed to settle. The case has now been transferred to CDS, the subsidiary that took over Kochava’s data broker business during the litigation.

KOCHAVA IN CONTEXT: A PATTERN OF LOCATION DATA ABUSE ACROSS THE INDUSTRY
The Kochava settlement does not exist in isolation. It is the latest in a string of FTC enforcement actions and broader regulatory and journalistic findings that paint a troubling picture of how location data is collected, sold, and weaponized across the digital advertising industry.
X-Mode / Outlogic (2024): The FTC reached a settlement with X-Mode Social and its successor company Outlogic, prohibiting the sale of sensitive location data and requiring the deletion of historical location datasets. Like Kochava, X-Mode had been selling location data tied to movements near sensitive locations. The company had also supplied data to U.S. military contractors — raising national security dimensions the FTC declined to address directly in its order.
InMarket Media (2024): Also in 2024, the FTC settled with InMarket Media, a company that embedded location-tracking SDKs in popular consumer apps — including weather and utility applications — to harvest precise location data without adequate consumer disclosure. The settlement banned InMarket from selling precise location data and required it to create an opt-out mechanism for targeted advertising.
Gravy Analytics / Venntel (2025): In one of the most significant location data actions to date, the FTC moved against Gravy Analytics and its subsidiary Venntel, which had been supplying precise location data — including data tied to sensitive locations — to both commercial buyers and U.S. government agencies. The FTC alleged that Gravy had collected location data from millions of Americans through the real-time bidding (RTB) advertising ecosystem, a process through which consumer location signals are broadcast to thousands of ad buyers simultaneously with no meaningful consumer consent or awareness.
Google (2022 & 2023): Google paid a combined $391.5 million in settlements with 40 U.S. states related to allegations that the company continued tracking users’ location even after they had explicitly disabled Location History in their account settings. Investigators found that Google was capturing location data through separate settings — Web & App Activity — that many users did not realize also enabled location tracking.
Apple Location Data Concerns: While Apple has not faced equivalent FTC enforcement, researchers and journalists have repeatedly documented how the company’s advertising identifier (IDFA) and third-party SDK ecosystem have been exploited to harvest location data from users of apps on the App Store, despite Apple’s stated privacy policies.
The New York Times Investigation (2020): A landmark investigation by the New York Times Opinion section, using data from a commercial location broker, demonstrated that the data being sold commercially was trivially easy to de-anonymize. Reporters identified specific individuals — including Secret Service agents and military personnel — from “anonymous” location datasets. The investigation remains the most widely cited demonstration of the gap between industry claims of anonymization and real-world re-identification risk.

THE REAL-TIME BIDDING PROBLEM
Many of these cases share a common thread: the RTB advertising ecosystem. Every time a consumer loads a webpage or opens an app that serves programmatic advertising, their device’s location — sometimes precise to within meters — is broadcast in milliseconds to dozens or hundreds of ad buyers as part of the bidding process. Even if no ad is ultimately served, the location signal has already been transmitted and, in many cases, logged.
Privacy researchers have estimated that precise location data for a significant portion of U.S. mobile device users is available for purchase through the RTB ecosystem, often without any direct contractual relationship between the consumer and the companies that ultimately receive their data. The FTC has signaled awareness of this problem but has not yet issued comprehensive rulemaking targeting RTB location data practices.

WHAT THE KOCHAVA SETTLEMENT MEANS — AND WHAT IT DOESN’T
The Kochava settlement is significant for several reasons. It establishes clear precedent that the FTC views the sale of sensitive location data without affirmative consent as an unfair practice under Section 5 of the FTC Act — even in the absence of a specific federal privacy statute. The sensitive location categories it targets are broad and meaningful. The supplier assessment program requirement, if enforced, could create accountability upstream in the data supply chain.
But critics argue the settlement doesn’t go far enough. It applies only to Kochava and CDS — not to the dozens of other data brokers engaging in comparable practices. It imposes no financial penalty, a recurring criticism of FTC privacy settlements that opponents say removes deterrence. And it leaves the underlying RTB ecosystem — the mechanism through which much sensitive location data is harvested in the first place — entirely untouched.
For consumers, the practical reality is unchanged: precise location data continues to be collected, aggregated, and sold by a sprawling ecosystem of brokers, advertising platforms, and data aggregators. Without federal privacy legislation establishing baseline consent requirements for location data collection, enforcement actions like the Kochava settlement will remain reactive — catching individual bad actors while the structural conditions that enable the industry persist.

WHAT BUSINESSES SHOULD TAKE FROM THIS
For any organization that collects, purchases, or uses location data, the Kochava settlement — combined with the pattern of FTC enforcement actions preceding it — sends a clear message: affirmative consent is now the non-negotiable baseline, not a best practice. The FTC has shown it will pursue litigation even against well-funded companies that contest its authority. And with the agency’s 2-0 vote on this settlement reflecting continued bipartisan willingness to act on location privacy, enforcement appetite shows no signs of diminishing.
Organizations that rely on third-party location data should audit their data supplier relationships, review consent documentation, and assess whether their current practices would survive the kind of scrutiny applied to Kochava. Those that cannot demonstrate a clear chain of consumer consent should consider this settlement their final warning.