It took nearly four years, two complaints, a motion to dismiss, a judge’s reversal, a class action, and a settlement that preceded the FTC’s own resolution, but the most significant geolocation data enforcement case in American regulatory history has finally reached its conclusion and now the data broker industry has no more excuses. Last week, Kochava and the Federal Trade Commission filed notice with an Idaho federal court that they had reached a settlement, ending a legal saga that began in August 2022 and that has reshaped — or at least should reshape — how the entire location data industry understands the line between commercial data monetization and consumer harm.
The details of the FTC settlement remain under review pending formal commissioner approval. But the arc of what happened to Kochava, and why it happened, is already fully legible. For privacy professionals, compliance teams, and any organization that touches location data in its business model, this case is not a cautionary footnote. It is a definitive statement about what the law now considers unfair, what the industry has been doing for years under the assumption that nobody was watching, and what comes next.
What Kochava Was Actually Selling
Before the legal analysis, the facts deserve to be stated plainly, because the business practices at the center of this case were not edge-case violations or technical compliance failures. They were the core product.
The FTC alleges that by selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence. The data in question was not generic web traffic statistics or anonymized demographic segments. Kochava’s data can reveal people’s visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities.
The FTC says Kochava sells a “360-degree perspective” on individuals and advertises it can “connect precise geolocation data with email, demographics, devices, households, and channels.” Kochava says that its “Database Graph” of consumer profiles identifies “over 300 million unique individuals in the US” with up to “300 data points” linkable to each profile. This was not a data broker operating on the fringes of commercial surveillance. It was, by its own marketing, one of the most comprehensive consumer tracking operations in the United States.
The information is packaged into customized data feeds that match unique mobile device identification numbers with timestamped latitude and longitude locations. According to Kochava, these data feeds can be used to assist clients in advertising and analyzing foot traffic at their stores and other locations. People are often unaware that their location data is being purchased and shared by Kochava and have no control over its sale or use.
The specific examples cited in the FTC’s complaint are worth reading in full, because they make concrete what abstract references to “sensitive location data” tend to obscure. A data sample identifies a mobile device that appears to have spent the night at a temporary shelter whose mission is to provide residence for at-risk, pregnant young women or new mothers. The data could show how long consumers stayed at an addiction recovery center and whether a consumer potentially relapses and returns to a recovery center. This is not advertising optimization data. It is a surveillance product.
The Legal Fight: How It Unfolded
The FTC’s original lawsuit in August 2022 was dismissed — not on the merits, but because the court found the agency had not adequately demonstrated substantial consumer harm. The FTC refiled an amended complaint in June 2023, adding specific examples of real-world harms and dramatically strengthening the identifiability evidence. That amended complaint was then unsealed, giving the public its first comprehensive look at the specifics of what Kochava’s products actually contained and how they were marketed.
On February 3, 2025, U.S. District Judge B. Lynn Winmill denied Kochava’s motion to dismiss the FTC’s suit. In his order, Winmill rejected Kochava’s argument that Section 5 of the FTC Act is limited to tangible injuries and wrote that the FTC had plausibly pled that Kochava’s practices are unfair within the meaning of the FTC Act.
The judge’s reasoning in denying that motion is as important as the settlement itself. The specific lesson from the court’s analysis is as follows: sharing identifiable geolocation data that reveals visits to sensitive locations is an unfair practice. Kochava had argued throughout the litigation that because the harms — discrimination, stalking, physical violence — would be caused by the customers who purchased its data rather than by Kochava itself, the company bore no legal responsibility. The FTC’s settlement order with X-Mode presents a roadmap for how to establish a “sensitive location data program,” by empowering a chief privacy officer to implement robust policies and procedures that identify and remove sensitive locations from datasets, continuously auditing and documenting the accuracy of the list of sensitive locations. The court’s rejection of Kochava’s third-party causation defense closes that escape route for the entire industry.
The decision was described as “the clearest statement yet by a court that selling location data can be an unfair trade practice,” by John Davisson, the director of litigation at the Electronic Privacy Information Center. “Kochava and other data brokers have built a business off of bootlegging the most sensitive details of our lives.”
The Class Action That Came First
What often gets lost in the focus on the FTC litigation is that consumers moved faster than the regulator. After the FTC’s original complaint was filed, private plaintiffs brought a class action against Kochava alleging similar violations. That case settled before the FTC matter resolved, with Kochava agreeing to implement a “privacy block” feature that prevents the sharing or use of raw location data associated with healthcare facilities, schools, jails, and other sensitive venues. Through Privacy Block, Kochava has been blocking over 2.1 million locations from its data products on an ongoing basis.
The irony is significant. Kochava’s own settlement terms in the class action — the implementation of a sensitive location blocking system — effectively conceded the core of the FTC’s argument. If the data presented no meaningful privacy risk and was genuinely non-identifying, there would be no need to block 2.1 million sensitive locations from it. The privacy block is an admission of what the product was capable of, dressed in the language of voluntary corporate responsibility.
The Argument Kochava Made — And Why It Failed
Throughout the litigation, Kochava advanced two primary legal defenses that deserve examination because they are the same defenses that most of the location data industry would reach for in a similar enforcement scenario.
The first was that its data was not “personally identifiable information.” This argument has been central to the data broker industry’s self-regulation posture for over a decade — the claim that location data attached to a mobile advertising ID (MAID) rather than a name is anonymous, and therefore outside the scope of privacy protection. The court rejected this comprehensively. The FTC’s recently unsealed amended complaint makes clear that Kochava advertises it can “connect precise geolocation data with email, demographics, devices, households, and channels.” The location of a mobile device at night is likely the user’s home address and could be combined with property records to uncover their identity. Pseudonymous is not anonymous. A data product that its own vendor advertises as re-identifiable cannot credibly claim the protection of anonymization.
The second defense was that any harms resulting from the data’s use would be caused by third parties — the customers who purchased and used the data — rather than by Kochava. This is the “we just sell it, what happens next isn’t our problem” argument, and it is the foundational assumption on which the entire data broker intermediary model rests. Companies that share location data bear some responsibility for what happens to this data later. The court’s willingness to find plausible harm in the sale itself, independent of downstream misuse, fundamentally undermines the intermediary defense that data brokers have relied upon to insulate themselves from accountability.
What the Settlement Requires
The full terms of the FTC settlement remain pending commissioner approval and have not been publicly released in detail. What is known is that the settlement resolves the FTC’s claims, and that the privacy block framework Kochava implemented in the consumer class action settlement — blocking sensitive location categories including healthcare facilities, schools, jails, and domestic violence shelters — forms part of the behavioral relief. For at least two years, Kochava will implement a privacy block feature that aims to prevent the sharing or use of raw location data associated with health care facilities, schools, jails, and other sensitive venues.
This is a meaningful but limited remedy. Two years of sensitive location blocking, applied only to raw location data, addresses the most egregious harm pathway while leaving significant questions unanswered about broader data practices, the ongoing collection and sale of non-location sensitive data, and the long-term fate of the data already collected.
The FTC’s precedent settlements in analogous cases — particularly the X-Mode/Outlogic settlement — provide a template for what comprehensive remedies in this space look like. In the X-Mode matter, the settlement empowered a chief privacy officer to implement robust policies and procedures that identify and remove sensitive locations from datasets and continuously audit and document the accuracy of the list of sensitive locations. Whether the Kochava settlement achieves equivalent structural reform will become clear when the full terms are released.
The Broader Industry Implications
The Kochava case did not happen in isolation. It was the most prominent case in a series of FTC enforcement actions against location data brokers that together constitute a coherent regulatory strategy. The X-Mode settlement established the first-ever ban on the use and sale of sensitive location data. The InMarket settlement imposed similar constraints. Kochava’s settlement completes the enforcement trilogy, and the cumulative effect is a clear FTC position: selling precise geolocation data that can be used to identify individuals at sensitive locations is an unfair trade practice under Section 5 of the FTC Act.
This lawsuit exemplifies how companies’ data-gathering practices could constitute unfair trade practices when they violate consumer privacy at such scale and with such obfuscation that it is virtually impossible for consumers to avoid. It underscores the need for U.S. federal privacy laws that substantially empower agencies like the FTC to enforce against harmful uses of Americans’ data.
For privacy professionals advising organizations that work with location data — whether as data brokers, location data purchasers, mobile app developers, or advertising technology providers — the Kochava case creates a set of compliance obligations that are now difficult to characterize as ambiguous.
What Organizations Must Do Now
The Kochava settlement is not the end of this story. It is the end of the beginning. The FTC’s three-settlement streak against geolocation data brokers, combined with the court’s clear articulation of the legal theory, means that every organization touching location data should be conducting an immediate compliance review against the following framework.
First, audit your location data sources and products for sensitive location exposure. If your organization purchases, processes, or sells location data feeds that include timestamped coordinates from mobile devices, you need to assess whether those feeds can reveal visits to healthcare facilities, reproductive health clinics, places of worship, domestic violence shelters, addiction recovery facilities, schools, immigration facilities, or mental health centers. Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder. That principle is now legally enforced, not merely aspirational.
Second, re-examine your re-identification risk assessment. The argument that MAID-linked data is anonymous has been litigated and lost. Kochava’s secretive data acquisition and AI-aided analytics practices are commonplace in the global location data market. The stakes are high because in addition to numerous lesser-known data brokers, the mobile data market includes larger players like Foursquare and data market exchanges like Amazon’s AWS Data Exchange. Every organization relying on pseudonymization as its primary privacy protection for location data should conduct a fresh re-identification risk assessment that accounts for the matching capabilities its own marketing materials may describe.
Third, review downstream use restrictions in your data licensing agreements. Kochava’s third-party causation defense — we are not responsible for what buyers do with our data — did not survive judicial scrutiny. Organizations that sell or license location data cannot insulate themselves from liability by pointing to contractual prohibitions on misuse if those prohibitions are not enforced. Due diligence on purchaser identity, use case review, and contractual audit rights are now necessary elements of responsible data commercialization, not optional ones.
Fourth, build a sensitive location program now, before enforcement arrives. The X-Mode settlement’s model — a chief privacy officer with specific mandate to maintain and audit a sensitive location exclusion list — is the FTC’s articulated standard for what adequate protection looks like. Continuously auditing and documenting the accuracy of the list of sensitive locations is not a one-time exercise. It requires operational infrastructure, dedicated ownership, and a governance process that updates the exclusion list as new sensitive facilities open or as geofencing boundaries shift.
Fifth, prepare for the federal legislative acceleration that this case may trigger. The case underscores the need for U.S. federal privacy laws that substantially empower agencies like the FTC to enforce against harmful uses of Americans’ data. The absence of a comprehensive federal data broker statute has forced the FTC to pursue these cases under Section 5’s general prohibition on unfair practices — a workable but imperfect tool. Congressional attention to the data broker sector has been building for years, and the Kochava litigation has provided a sustained public record of what data brokers’ products contain and what harms they enable. Federal legislation in this space is no longer a distant possibility.
The Compliance Lesson That Cannot Be Outsourced
Kochava’s CEO said during the litigation that “this case is really about the FTC attempting to make an end-run around Congress to create data privacy law.” That framing was always somewhat convenient — the case was about whether selling a data product that enables the tracking of domestic violence survivors, pregnant women in at-risk shelters, and people seeking addiction recovery treatment constitutes an unfair business practice. The court answered that question in the affirmative, twice.
The compliance lesson here is not a technical one about data formats or anonymization standards. It is a more fundamental one about the relationship between commercial data practices and the people whose lives those practices touch. Data that was collected without meaningful consent, aggregated at a scale that makes individual evasion impossible, and sold to buyers with no vetting process or use restrictions is not a neutral commercial product. It is a surveillance service, and it will increasingly be regulated as one.
The ruling is a bright red warning to those companies and another boost to the FTC’s efforts to rein in a fundamentally exploitative industry. Organizations in the location data ecosystem that are still waiting for a federal comprehensive privacy law before updating their practices are misreading the enforcement environment. The FTC has demonstrated, through three settlements and a sustained litigation campaign, that it does not need new statutory authority to enforce against the most harmful location data practices. It already has it.
The Kochava case is closed. The accountability question it raised for the rest of the industry is very much still open.
