Corporate Misconduct Accountability Project
Kochava Inc. · FTC Enforcement Action
Kochava Sold Precise Location Data on 300M Americans Without Consent
Data broker Kochava and its subsidiary CDS collected and sold sensitive geolocation data revealing visits to abortion clinics, places of worship, and domestic violence shelters, enabling identification and targeting of millions of consumers who never consented.
CRITICAL SEVERITY
TL;DR
Kochava Inc. and its wholly-owned subsidiary Collective Data Solutions collected and sold precise geolocation data from hundreds of millions of mobile devices, tracking consumers to sensitive locations including reproductive health clinics, places of worship, addiction recovery centers, and domestic violence shelters. The company linked this location data to personally identifying information such as names, addresses, phone numbers, and email addresses, then sold it through monthly subscriptions costing tens of thousands of dollars with minimal vetting of buyers. Consumers had no knowledge of this collection and no realistic way to avoid the harm, which exposed them to stalking, discrimination, physical violence, and invasions of privacy.
This case shows how data brokers turn your most private moments into corporate profit. Learn what happened and what you can do.
300M+
U.S. consumers profiled in Kochava Database Graph
94B+
Monthly geolocation transactions collected
327M
Rows of location data in a single day sample
61.8M
Unique mobile devices exposed in free seven-day sample
$25,000
Monthly subscription cost for full location data feed
275,000
Mobile apps tracked in Kochava App Graph
11.4M
Devices in ‘Expecting Parents’ audience segment
10,000+
Apps globally with Kochava tracking SDK installed
The Allegations: A Breakdown
Core Allegations
What they did · 8 points
| 01 | Kochava collected precise geolocation data from mobile devices showing timestamped latitude and longitude coordinates accurate to within less than 10 meters, enough to identify not just what building consumers were in but what room. The data tracked movements over days, weeks, months, and even a year. | high |
| 02 | The company sold this geolocation data linked to Mobile Advertising IDs (MAIDs) through monthly subscriptions often costing tens of thousands of dollars, with a free seven-day sample containing over 327 million rows of data covering more than 61 million unique devices. | high |
| 03 | Kochava directly linked MAIDs to personally identifying information including names, home addresses, email addresses, and phone numbers through its Database Graph, which profiles over 300 million U.S. consumers with up to 300 data points each, ensuring MAIDs offered no anonymity. | critical |
| 04 | The precise geolocation data revealed visits to sensitive locations including women’s reproductive health clinics, places of worship (Jewish, Christian, Islamic), homeless shelters, domestic violence shelters, addiction recovery centers, and temporary shelters for at-risk pregnant women. | critical |
| 05 | Kochava’s Database Graph disclosed sensitive characteristics including gender identity, ethnicity, date of birth, political party affiliation, marital status, whether consumers were parents and how many children they had, economic status, and education level. | high |
| 06 | Through its App Graph, Kochava tracked consumer usage of over 275,000 mobile apps including LGBTQ+ dating apps, pregnancy and menstruation tracking apps, Muslim prayer apps, and health information apps, recording how long consumers used each app, what actions they took, and how much money they spent. | high |
| 07 | The company created and sold audience segments that categorized consumers based on sensitive characteristics including pregnancy status, cancer diagnosis, women’s health issues, divorce, bereavement, special needs children, sexual conditions, vaccines, Judaism, Islam, reproductive health, and political affiliation. | critical |
| 08 | Kochava approved access to its free data sample in as little as 24 hours with minimal vetting, accepting requests where applicants identified their company as ‘self’ and described their intended use simply as ‘business,’ with no restrictions on how the data could be used. | high |
Regulatory Failures
How the system enabled this abuse · 5 points
| 01 | The United States lacks a comprehensive federal privacy statute, leaving data brokers to operate in a patchwork system where notice-and-choice pop-ups rarely disclose the downstream sale of consumer information to third parties. | high |
| 02 | Kochava’s consent screens promised consumers cash-back rewards for sharing location data to ‘see nearby stores and offers’ but never mentioned that Kochava would collect the data or sell it to unknown third parties for other uses. | high |
| 03 | The FTC must rely on Section 5’s broad unfair practices standard, which typically results only in injunctive relief rather than punitive damages, making cease-and-desist orders a minor speed bump for a firm commanding five-digit monthly contracts. | medium |
| 04 | Decades of deregulation have defanged the FTC Act, limiting penalties to amounts that often represent a rounding error compared with subscription revenues, incentivizing companies to treat enforcement as a cost of doing business rather than a deterrent. | high |
| 05 | AWS Marketplace allowed Kochava to distribute sensitive consumer data marked as containing ‘sensitive categories of information’ with no background checks, no contract addendums beyond basic subscription terms, and approval in under 24 hours. | medium |
Profit Over People
How Kochava monetized privacy violations · 6 points
| 01 | Kochava charged $25,000 for location data feed subscriptions and tens of thousands of dollars per month for enterprise packages that provided comprehensive profiles on a minimum of 150 million U.S. consumers monthly. | high |
| 02 | The company marketed its data collection as the ‘world’s largest independent mobile data marketplace’ with 94 billion geo-transactions per month, 125 million monthly active users, and 35 million daily active users, averaging more than 90 daily transactions per device. | medium |
| 03 | Kochava sold its ‘Expecting Parents’ audience segment containing 11.4 million devices identified through pregnancy, ovulation, and menstruation tracking apps, directly monetizing intimate reproductive health information. | critical |
| 04 | The company designed its Database Graph to associate multiple MAIDs with a single consumer, ensuring that even if consumers reset their device identifiers in an attempt to protect their privacy, Kochava could continue tracking them across devices. | high |
| 05 | Kochava’s business model required app developers using its free SDK to grant the company a ‘perpetual, irrevocable, worldwide, transferrable unrestricted license’ to all consumer data collected, a license that survived even after developers terminated their agreements. | high |
| 06 | The more sensitive the consumer detail (health conditions, religious practice, reproductive choices), the higher the advertising premium Kochava could charge, directly incentivizing the collection and sale of the most private information. | critical |
Economic Fallout
Financial harm to consumers and communities · 5 points
| 01 | Consumers face higher insurance premiums when location or app data suggests a medical condition, with predictive models incorporating health-care visits identified through broker data. | high |
| 02 | Job seekers and loan applicants suffer denials when algorithms factor in visits to political rallies, religious sites, or addiction recovery centers revealed by purchased location data. | high |
| 03 | Public-sector agencies must divert scarce budgets to defend clinics, shelters, and houses of worship from doxxing and harassment enabled by brokered data, imposing costs on already stretched communities. | medium |
| 04 | The revenue-to-risk ratio skews upward, with Kochava’s subscription fees flowing to Idaho headquarters and a Delaware subsidiary while households shoulder diffuse costs in the form of higher premiums, credit denials, and security expenses. | high |
| 05 | These downstream expenses, often invisible to individual consumers, magnify wealth disparity by shifting the real price of surveillance capitalism onto communities least able to absorb the financial burden. | medium |
Public Health and Safety
Medical privacy violations and patient harm · 7 points
| 01 | Kochava’s data revealed visits to oncology centers, fertility clinics, and methadone programs, exposing not just medical status but treatment timelines, putting patients at risk of stalking, blackmail, and targeted misinformation. | critical |
| 02 | The FTC identified a mobile device that visited a women’s reproductive health clinic and traced it back to a single-family residence, with data showing the device was at a particular location at least three evenings in the same week, revealing routine patterns. | critical |
| 03 | Location data showed a device that appeared to spend the night at a temporary shelter whose mission is to provide residence for at-risk pregnant young women or new mothers, exposing vulnerable populations. | critical |
| 04 | The company’s data enabled groups to identify ‘abortion-minded women’ and serve them targeted ads, with one such campaign resulting in 14.3 million ad impressions attempting to persuade women to attempt scientifically unsupported ‘abortion reversal’ procedures. | critical |
| 05 | A Massachusetts Attorney General enforcement action found that a data broker used precise geolocation to identify consumers who were ‘close to or entered the waiting rooms of women’s reproductive health clinics’ and then targeted them with ads about alternatives to abortion. | critical |
| 06 | The chilling effect of potential exposure pushes vulnerable individuals away from essential medical care, compromising public health outcomes in service of ad-tech profits. | high |
| 07 | Kochava’s marketing materials explicitly acknowledged that its data included ‘visitation to essential brick-and-mortar stores, hospitals, testing sites’ in the context of COVID-19 tracking. | medium |
Community Impact
Harm to vulnerable populations and local institutions · 7 points
| 01 | Kochava’s data exposed devices inside Jewish, Christian, and Islamic places of worship, revealing religious practices and affiliations that put consumers at risk of discrimination and extremist targeting. | high |
| 02 | The company tracked visits to domestic violence shelters and addiction recovery centers, collecting data on length of stay and repeat visits that could enable abusers to track survivors or employers to discriminate against recovering individuals. | critical |
| 03 | Data revealing visits to homeless shelters and temporary housing exposed at-risk populations and could be used to identify consumers’ past conditions such as homelessness, creating long-term stigma. | high |
| 04 | A well-publicized case used precise mobile geolocation data to identify by name a Catholic priest who visited LGBTQ+-associated locations, exposing his sexual orientation and forcing him to resign his position. | critical |
| 05 | Journalists who purchased precise geolocation from a data broker successfully tracked and identified by name several consumers including military officials, law enforcement officers, and a woman attending a prayer service at a church. | high |
| 06 | Kochava’s audience segments allowed customers to target ‘New Parents/Expecting’ consumers by identifying those ‘attending Lamaze, birthing, breastfeeding, new parent support groups, etc. events’ based on their physical locations. | high |
| 07 | The company sold a ‘Likely Republican Voter’ segment based on consumers’ visits to ‘Republican focused political events and events and venues affiliated with conservative topics,’ enabling political micro-targeting based on physical presence. | medium |
Corporate Accountability Failures
How Kochava evaded responsibility · 7 points
| 01 | In or around July 2023, after the FTC commenced its investigation, Kochava transferred at least part of its data broker business to its wholly-owned subsidiary Collective Data Solutions (CDS), diffusing liability while continuing the same practices. | high |
| 02 | CDS continued offering the same precision location data, Database Graph, App Graph, and audience segments under a new banner, with the same or substantially the same third-party data suppliers and customer contracts. | high |
| 03 | Kochava’s Chief Financial Officer serves as a director of CDS, and Kochava provides CDS’s accounting, human resources, legal, and financial planning functions, maintaining operational control while attempting to shield itself from liability. | medium |
| 04 | After the FTC commenced its investigation in August 2022, Kochava announced a ‘Privacy Block’ function that purportedly removes certain sensitive locations, but the feature does not block all sensitive locations and the company implemented no other adequate privacy controls. | medium |
| 05 | Kochava may have stopped using its own SDK data in the App Graph feed after the FTC filed its complaint in October 2022, but data from third-party suppliers continues to feed the same product, maintaining the surveillance infrastructure. | medium |
| 06 | Kochava’s CEO Charles Manning publicly criticized a competitor’s COVID tracking demo for lacking ‘any notion of anonymized, aggregated data’ because ‘you’re looking at specific devices,’ yet his own company sold precisely the same type of unanonymized precise geolocation data. | high |
| 07 | The company labeled its AWS data sample as marked ‘sensitive categories of information’ but this warning functioned as legal decoration rather than a meaningful deterrent, with no change to access controls or buyer vetting. | medium |
The PR Machine
How Kochava marketed surveillance as innovation · 7 points
| 01 | Kochava marketed its data collection with promotional graphics promising a ‘360-degree perspective’ that ties together precision location, email, demographics, devices, households, and channels to create comprehensive consumer profiles. | medium |
| 02 | The company told potential buyers they could use its data to ‘target parents with different ages of children, new parents, single individuals in the dating market, etc.,’ explicitly promoting the ability to segment consumers based on intimate family circumstances. | high |
| 03 | In marketing materials for political campaigns, Kochava promised to ‘find devices that intersect with important events or locations’ and ‘understand voter visitation to home, work, places of business, government buildings, and more.’ | medium |
| 04 | Kochava advertised that customers could identify voters’ ‘political leanings based on apps the voter has installed on their mobile device,’ combining location tracking with app surveillance for political micro-targeting. | medium |
| 05 | The company promoted ‘household mapping’ as a use case, explicitly telling customers to ‘group devices by dwelling time and frequency at shared locations to map individual devices to households,’ acknowledging the re-identification capability. | high |
| 06 | Kochava described its capability to determine home locations ‘by looking at the resting lat/long of a given device between the hours of 10pm and 6am and omit known business locations,’ openly advertising its ability to identify where consumers sleep. | high |
| 07 | CDS advertises the ability to ‘dynamically segment audiences’ for ‘Political Audience Targeting’ based on ‘Political Affiliation,’ ‘Geographic Region,’ ‘Demographics,’ and ‘other attributes,’ continuing Kochava’s political surveillance marketing. | medium |
Wealth Disparity
How surveillance profits flow upward · 5 points
| 01 | Kochava’s full location feed subscription cost $25,000, with enterprise contracts running tens of thousands of dollars per month, generating substantial revenue that flowed to Idaho headquarters and Delaware corporate entities rather than the communities whose data fueled the product. | high |
| 02 | One customer contracted with Kochava to receive profiles on a minimum of 150 million U.S. consumers every month, requesting every available data point including all sensitive characteristics, in a deal worth tens of thousands per month. | high |
| 03 | The company’s Database Graph profiles over 300 million U.S. consumers (nearly the entire U.S. population of 330 million) with up to 300 data points each, representing an enormous asset created by extracting value from personal information without compensation. | high |
| 04 | Kochava’s business model is ‘low friction, high margin,’ with largely automated distribution through cloud marketplaces generating revenue from every GPS ping, screen time heartbeat, or swipe in a niche community app. | medium |
| 05 | Executives monetize ‘behavioral gold’ while gig-economy drivers, contract engineers, and call-center staff remain exposed to low wages and minimal protections, with corporate value flowing from mining datapoints rather than compensating human labor. | medium |
Exploiting Delay
How time became a profit strategy · 4 points
| 01 | From the moment regulators first flagged concerns until the filing of this second amended complaint, Kochava enjoyed months or years of uninterrupted sales as litigation wound through motions and amended pleadings. | high |
| 02 | During the delay between investigation and enforcement, Kochava’s database expanded to profile over 300 million identified Americans with up to 300 data points each, making it harder to roll back what had already been captured. | high |
| 03 | In surveillance capitalism, every procedural pause is billable: the longer the courtroom clock ticks, the richer the data trove grows and the more entrenched the surveillance infrastructure becomes. | medium |
| 04 | Kochava’s spin-off of CDS in July 2023, during active litigation, created additional procedural complexity requiring amended complaints and establishing a new corporate entity that could claim it was implementing changes. | medium |
The Bottom Line
What this case reveals about corporate power · 5 points
| 01 | This is not a rogue glitch but the logical result of a deregulated data economy that rewards any firm that can convert everyday behavior into tradeable signals, with weak federal privacy law ensuring the fastest extractors win. | high |
| 02 | Behind every ‘device_id_value’ lies a person navigating health crises, faith, relationships, and survival, yet Kochava’s business turned those private journeys into a real-time map for bidders with cash. | high |
| 03 | Consumers are unable to avoid this harm because they do not know Kochava is collecting their data, have no realistic way to opt out, and cannot anticipate that consent screens promising cash-back rewards will result in their precise movements being sold to unknown third parties. | high |
| 04 | Until law enforces penalties that truly outweigh profits, precise location will remain the raw material of corporate greed, feeding ever-richer profiles and ever-deeper inequality. | high |
| 05 | The complaint documents live data that pinpoints abortion patients, reveals prayer routines, and logs shelter stays, all traded with almost no gatekeeping. By any rational measure, this lawsuit is not only serious but a crucial test of whether privacy law can still protect Americans from a surveillance market designed to treat personal life as limitless inventory. | critical |
Timeline of Events
Pre-2022
Kochava builds data marketplace collecting 94 billion monthly geo-transactions and profiling 300 million U.S. consumers with precise location, app usage, and identifying information.
Through June 2022
Kochava offers free seven-day data sample on AWS Marketplace with 327 million rows exposing 61.8 million devices, approving requests in as little as 24 hours with minimal vetting.
August 2022
After FTC commences investigation, Kochava announces ‘Privacy Block’ feature that purportedly removes some sensitive locations but does not block all sensitive sites or implement other adequate controls.
October 2022
FTC files initial complaint. Kochava may stop using its own SDK data in App Graph feed but continues using third-party supplier data for the same surveillance products.
July 2023
Kochava transfers at least part of its data broker business to wholly-owned subsidiary Collective Data Solutions (CDS), which continues offering precision location, Database Graph, App Graph, and audience segments.
July 15, 2024
FTC files second amended complaint documenting ongoing practices by both Kochava and CDS, alleging unfair acts causing substantial consumer injury through sale of sensitive geolocation and personal data.
Direct Quotes from the Legal Record
QUOTE 1
Selling access to precise tracking of 300 million Americans
allegations
“Kochava brags that its Database Graph identifies ‘over 300M unique individuals in the US’ with up to ‘300 data points that can be tied to those profiles.'”
💡 Kochava profiles nearly the entire U.S. population with hundreds of sensitive data points each, demonstrating the massive scale of surveillance.
QUOTE 2
Location data accurate enough to identify specific rooms
allegations
“Kochava promises its customers that the data is so precise that it accurately places consumers’ movements to within only a few meters – enough to not only tell what building the consumers are in, but even what room.”
💡 This level of precision turns every building into a transparent box, exposing even the most private indoor activities.
QUOTE 3
Admitting the data is not anonymous
allegations
“Kochava itself concedes that this data is not anonymous, but rather can be, and is, used to track and identify individual consumers.”
💡 Kochava’s own admission destroys any claim that Mobile Advertising IDs provide privacy protection.
QUOTE 4
Directly linking device IDs to real names and addresses
allegations
“In many cases, Kochava provides data that directly links this precise geolocation data to identifying information about individual consumers, such as names, addresses, email addresses, and phone numbers.”
💡 Kochava eliminates any technical barrier to identifying consumers, making tracking both comprehensive and immediately actionable.
QUOTE 5
Tracking visits to abortion clinics
health
“Kochava’s precise geolocation data can be used to identify consumers who have visited an abortion clinic and, as a result, may have had or contemplated having an abortion. In fact, in just the data Kochava made available in the Kochava Data Sample, Plaintiff identified a mobile device that visited a women’s reproductive health clinic and traced that mobile device to a single-family residence.”
💡 This is the FTC demonstrating with actual data that Kochava enables tracking of one of the most sensitive and legally precarious medical decisions.
QUOTE 6
Exposing religious worship
community
“As another example, the data can be used to track consumers to places of worship, and thus reveal the religious beliefs and practices of consumers. In fact, Plaintiff identified in the Kochava Data Sample mobile devices that were located at Jewish, Christian, Islamic, and other religious denominations’ places of worship.”
💡 Kochava’s data exposes religious affiliations, putting consumers at risk of discrimination and extremist targeting.
QUOTE 7
Tracking domestic violence survivors
community
“As another example, the data can be used to track consumers who visited a homeless shelter, domestic violence shelter, or other facilities directed to at-risk populations. This information can reveal the location of consumers who are escaping domestic violence or other crimes.”
💡 This tracking capability directly endangers people fleeing abuse by potentially revealing their safe locations to abusers.
QUOTE 8
Identifying pregnant teens in shelters
health
“In fact, Plaintiff identified in the Kochava Data Sample a mobile device that appears to have spent the night at a temporary shelter whose mission is to provide residence for at-risk, pregnant young women or new mothers.”
💡 Kochava’s data exposes the most vulnerable populations, including minors in crisis seeking confidential shelter.
QUOTE 9
Minimal vetting of data buyers
accountability
“A purchaser could use an ordinary personal email address, identify the company as ‘self,’ and describe the intended use simply as ‘business.’ The request would then be sent to Kochava for approval. Kochava has approved such requests in as little as 24 hours without any additional inquiries or requesting additional information about the purchaser or their intended use.”
💡 Kochava placed almost no barriers between sensitive consumer data and anyone with an email address and a credit card.
QUOTE 10
Advertising one-to-one consumer targeting
pr_machine
“Kochava emphasizes its ability to identify individual consumers by bragging that: ‘the Collective can tie the IDs to a single user using a match key (e.g., email address, phone number, mobile advertising ID [MAID], cookie, addresses, etc.) for one-to-one advertising’ (emphasis added).”
💡 Kochava explicitly markets the ability to target individual named people, not anonymous aggregated groups.
QUOTE 11
Revealing home addresses by tracking nighttime locations
pr_machine
“We determine a home location by looking at the resting lat/long of a given device between the hours of 10pm and 6am and omit known business locations.”
💡 Kochava openly tells customers it can identify where people sleep, revealing home addresses from location data alone.
QUOTE 12
CEO criticizes competitor while doing the same thing
accountability
“In a news article about Kochava’s data, Kochava’s Chief Executive Officer, Charles Manning, criticized, on privacy grounds, a competitor’s use of precise geolocation data to publicly track the spread of COVID: ‘But one of the challenges I saw in that demo, although it was very slick and very appealing to watch, there was really no notion of anonymized, aggregated date there. You’re looking at specific devices.’ Mr. Manning made such criticism despite Kochava’s own collection, use, and sale of precisely the same type of data and the company’s lack of any meaningful controls for the use of that data.”
💡 Kochava’s CEO publicly acknowledged that this type of tracking identifies specific individuals, then sold the same data himself.
QUOTE 13
Perpetual rights to consumer data through SDK
profit
“In exchange for the free use of Kochava’s FAA SDK, Kochava requires app developers to agree to grant Kochava a ‘perpetual, irrevocable, worldwide, transferrable unrestricted license’ to consumer information collected via the FAA SDK. Kochava’s license even survives a termination of the agreement between Kochava and the app developer, allowing Kochava to use the data forever.”
💡 Kochava structured contracts to ensure it would own consumer data permanently, regardless of what happens to the apps that collected it.
QUOTE 14
No meaningful way for consumers to avoid harm
conclusion
“Consumers do not expect or want data brokers to collect their precise geolocation data. Indeed, data brokers’ collection, aggregation, and disclosure of location data violate consumers’ expectations of privacy. Consumers disapprove even more strongly when entities collecting their location data use it to make inferences about them. Consumers also do not consent to such collection or disclosure. And because consumers do not know that Kochava is collecting this data, consumers cannot avoid the harm resulting from the collection, use, or subsequent disclosure.”
💡 The FTC establishes that consumers have no realistic way to prevent this surveillance because they don’t know it’s happening.
QUOTE 15
Spin-off to evade accountability
accountability
“In or around July 2023, Kochava transferred at least part of its data broker business to its wholly-owned subsidiary, Defendant Collective Data Solutions, LLC (‘CDS’). CDS continues Kochava’s practices of collecting, using, and disclosing enormous amounts of private and sensitive information about consumers, including, on information and belief, the data feeds and products discussed below.”
💡 Kochava responded to enforcement by creating a subsidiary to continue the same practices, attempting to diffuse legal liability.
Frequently Asked Questions
What exactly did Kochava do wrong?
Kochava collected precise location data from hundreds of millions of mobile devices without consumer knowledge or consent, tracking movements to sensitive locations like abortion clinics, places of worship, domestic violence shelters, and addiction recovery centers. The company then linked this location data to personally identifying information (names, addresses, phone numbers, emails) and sold it through monthly subscriptions costing tens of thousands of dollars with minimal vetting of buyers.
How did Kochava get my location data?
Kochava obtained location data from other data brokers and through a free software development kit (SDK) that app developers installed in their apps. When you used an app with Kochava’s SDK, it collected your precise GPS coordinates and sent them to Kochava. The company also bought location data from third-party brokers who collected it from other apps on your phone. In most cases, consent screens promised rewards or app features without disclosing that Kochava would receive your data or sell it to others.
Is my Mobile Advertising ID (MAID) anonymous?
No. Although tech companies claim MAIDs provide anonymity, Kochava itself admits the data is not anonymous and can be used to track and identify individual consumers. Kochava directly linked MAIDs to real names, home addresses, email addresses, and phone numbers through its Database Graph. Even without that direct link, location data alone reveals identity: by tracking where your phone rests between 10pm and 6am, Kochava identifies your home address.
How many people were affected?
Kochava’s Database Graph profiled over 300 million U.S. consumers (nearly the entire U.S. population of 330 million). The company collected 94 billion geolocation transactions per month from 125 million monthly active users. Even a free seven-day sample exposed over 61 million unique devices with more than 327 million rows of location data. Specific audience segments like ‘Expecting Parents’ contained 11.4 million devices.
What sensitive information did Kochava sell?
Kochava sold location data revealing visits to reproductive health clinics, places of worship, domestic violence shelters, homeless shelters, addiction recovery centers, and hospitals. It also sold comprehensive profiles including names, addresses, phone numbers, emails, gender identity, ethnicity, political affiliation, marital status, number of children, income, and app usage (including LGBTQ+ dating apps, pregnancy trackers, and mental health tools). The company categorized consumers into audience segments based on pregnancy status, medical conditions, religion, and political beliefs.
Who could buy this data?
Anyone with an email address and a credit card. Kochava approved access to its free data sample in as little as 24 hours, accepting requests where buyers identified their company as ‘self’ and described their purpose as ‘business.’ Full subscriptions cost $25,000 or more per month but required no meaningful background checks or restrictions on use. The company made data available through the AWS Marketplace with minimal gatekeeping.
Has anyone been harmed by location data like this?
Yes. A Catholic priest was identified by name and forced to resign after location data revealed his visits to LGBTQ+ venues. Anti-abortion groups used precise location data to identify ‘abortion-minded women’ at clinics and target them with ads, generating 14.3 million ad impressions. Journalists purchased location data and successfully tracked military officials, law enforcement officers, and individuals attending religious services. The FTC’s complaint documents actual tracking from reproductive health clinics and domestic violence shelters back to individual homes.
What is Collective Data Solutions (CDS)?
CDS is a wholly-owned subsidiary of Kochava created in July 2023 after the FTC commenced its investigation. Kochava transferred at least part of its data broker business to CDS, which continues offering the same precision location data, Database Graph, App Graph, and audience segments. Kochava’s Chief Financial Officer serves as a director of CDS, and Kochava provides CDS’s infrastructure and business functions. The FTC alleges this corporate restructuring was designed to evade accountability while maintaining the same surveillance practices.
Did Kochava do anything to protect privacy?
Kochava implemented a ‘Privacy Block’ feature after the FTC investigation began, but the FTC alleges it does not block all sensitive locations and the company implemented no other adequate controls. Kochava labeled its data sample as containing ‘sensitive categories of information’ but this warning was cosmetic and did not change who could access the data or how quickly. The company’s business model depends on precise tracking and identification, making meaningful privacy protections incompatible with its revenue stream.
What can I do to protect myself?
Individual action is limited because Kochava operates behind the scenes without consumer knowledge. You can review app permissions and deny location access except when necessary, reset your Mobile Advertising ID periodically (though Kochava’s Database Graph may still link you across resets), use privacy-focused apps that don’t include tracking SDKs, and support comprehensive federal privacy legislation that bans the sale of precise location data without explicit consent. Most importantly, recognize that true protection requires regulatory action, not individual consumer choices.
FTC Commissioner Melissa Holyoak released a concurring statement about this travesty: https://www.ftc.gov/system/files/ftc_gov/pdf/2024-7-15-Commissioner-Holyoak-Statement-re-Kochava-final.pdf
💡 Explore Corporate Misconduct by Category
Corporations harm people every day — from wage theft to pollution. Learn more by exploring key areas of injustice.
- 💀 Product Safety Violations — When companies risk lives for profit.
- 🌿 Environmental Violations — Pollution, ecological collapse, and unchecked greed.
- 💼 Labor Exploitation — Wage theft, worker abuse, and unsafe conditions.
- 🛡️ Data Breaches & Privacy Abuses — Misuse and mishandling of personal information.
- 💵 Financial Fraud & Corruption — Lies, scams, and executive impunity.
