Your Body Was a Data Point: How Kochava Sold the Locations of Americans Seeking Abortions

EvilCorporations.com • FTC v. Kochava Inc., Case No. 2:22-cv-00377-BLW (D. Idaho) • 39 min read

What Was Actually Sold

There is a woman somewhere in the United States who drove herself to a reproductive health clinic. She did not announce it. She told maybe one or two people she trusted. She kept her phone in her pocket the whole time, the way everyone does. She had no idea that the GPS chip in that phone was feeding her exact coordinates, to within the length of a car, to a company she had never heard of. She had no idea that company was packaging those coordinates alongside her name, her home address, her email, and her phone number, and selling the whole bundle to anyone willing to pay a monthly subscription fee. She had no idea that the app she uses to track her period had granted a software toolkit embedded in it a “perpetual, irrevocable, worldwide, transferable, unrestricted license” to her data, a license that survives even if the app stops working with the data company tomorrow.

She had no idea that while she sat in a waiting room, her phone’s Mobile Advertising ID was being added to an audience segment. Not “patients at a clinic.” Not an aggregate statistic. Her specific device. Tagged. Sold. Targetable. She had no idea that a buyer could pull up that segment, cross-reference it with her home GPS coordinates from the nights she slept in her own bed, and walk directly to her front door.

Kochava calls this a “360-degree perspective.” The FTC calls it a violation of federal law. The woman in the waiting room would probably call it something else entirely.

The harm here is not abstract. The FTC’s own investigators took Kochava’s free data sample, the one that was available on Amazon Web Services with only a free account and a vague description of “business use,” and they ran it. They traced a real phone from a real women’s reproductive health clinic to a real single-family residence. That is not a hypothetical. That is documented in a federal complaint filed in the United States District Court for the District of Idaho. And that was just the free sample. One day of that free sample covered over 61 million unique devices.

Think about who else is in that data. The woman at a domestic violence shelter who does not want to be found, especially by one person. Her phone was there too. The teenager at a temporary shelter for at-risk pregnant young women. Her phone was there. The person who attended a Muslim prayer service on a Friday, or a Jewish synagogue on a Saturday. Their phones were there. The person who spent six weeks at an addiction recovery center and then returned three months later. Their entire arc of relapse and recovery, timestamped, latitude and longitude, bought and sold.

None of them consented. None of them were told. Kochava’s own marketing materials acknowledge the data can place a consumer’s location down to the specific room of a building. The company bragged about it to buyers. Kochava’s CEO spoke publicly about the dangers of non-anonymized location tracking while his company was doing precisely that, at industrial scale, to hundreds of millions of people.

The most chilling detail is not the scale. It is the granularity. Kochava knows if you reset your phone’s advertising ID to protect your privacy, because it links multiple MAIDs to a single consumer across devices and time. The one tool most people might use to opt out of this surveillance was specifically engineered not to work. Kochava advertised this as a feature.

One-to-one. Not segment-to-segment. Person-to-person. Your specific body. Your specific movements. Your specific fears and medical decisions and religious practices and political beliefs. Packaged. Priced. Shipped.

Straight From the Court Record: What Kochava Said and Did

The following are verbatim statements from the FTC’s Second Amended Complaint (Case 2:22-cv-00377-BLW, filed July 15, 2024). These are not allegations invented by journalists. They are sworn legal filings citing Kochava’s own marketing materials, internal practices, and data products.

“Kochava promises its customers that the data is so precise that it accurately places consumers’ movements to within only a few meters – enough to not only tell what building the consumers are in, but even what room.”

• This is Kochava’s own sales pitch, cited in the complaint. The company was not selling ballpark estimates. It was selling room-level surveillance data drawn from hundreds of millions of phones, and actively bragging about the precision to attract buyers.
• The FTC cites this language as evidence that Kochava understood the identifying power of its data and marketed that power deliberately.

“Kochava itself concedes that this data is not anonymous, but rather can be, and is, used to track and identify individual consumers.”

• This is not the FTC’s interpretation. This is Kochava’s own concession, as documented in the complaint. The company knew the data was not anonymized and sold it anyway.
• This admission directly undercuts any defense Kochava could raise that it believed consumers were protected from identification. The company’s own words remove that argument.

“In just the data Kochava made available in the Kochava Data Sample, Plaintiff identified a mobile device that visited a women’s reproductive health clinic and traced that mobile device to a single-family residence. The data set also reveals that the same mobile device was at a particular location at least three evenings in the same week, suggesting the mobile device user’s routine.”

• The FTC did not theorize this. FTC investigators actually ran the free sample data and produced a specific tracing: clinic visit, home address, weekly routine. This is the core harm made concrete.
• The free sample required nothing more than a free AWS account and a one-word description of intended use. Kochava approved such requests in as little as 24 hours. The tracing the FTC documented was accessible to essentially anyone.
• The complaint notes this same data can be used to identify “medical professionals who perform, or assist in the performance, of abortion services,” meaning providers themselves are exposed and targetable.

“Kochava’s Chief Executive Officer, Charles Manning, criticized, on privacy grounds, a competitor’s use of precise geolocation data to publicly track the spread of COVID: ‘But one of the challenges I saw in that demo, although it was very slick and very appealing to watch, there was really no notion of anonymized, aggregated data there. You’re looking at specific devices.’ Mr. Manning made such criticism despite Kochava’s own collection, use, and sale of precisely the same type of data and the company’s lack of any meaningful controls for the use of that data.”

• This is an on-record public statement by Kochava’s CEO, documented in the complaint. Manning named the exact privacy risk that Kochava itself was creating for hundreds of millions of people.
• The FTC explicitly notes the contradiction: the complaint characterizes Manning’s public criticism as being made “despite” his company doing the identical thing. This is the definition of bad faith.

“One such [ad] read, ‘Took the first pill at the clinic? It may not be too late to save your pregnancy.’ According to the reports, the ads pointed consumers to websites that attempted to persuade consumers to attempt a scientifically unsupported ‘abortion reversal’ procedure. The group further alarmingly asserted on its website that its product ‘takes the guesswork out of the marketing equation’ because its customers will ‘no longer have to wonder if women can find you. Now, you’ll find them!’ These ads served by the group were seen 14.3 million times.”

• While this particular ad campaign involved a different data broker, the FTC included it in the Kochava complaint to document that this exact harm, targeting abortion patients with misleading medical misinformation using MAID-based geolocation data, is not theoretical. It already happened, at 14.3 million impressions.
• The complaint uses this example to establish that the audience segments and MAID-linked location data Kochava sells create a foreseeable pathway to harassment, coercion, and medical misinformation targeting people in a medically vulnerable moment.

“Kochava brags that its Database Graph identifies ‘over 300M unique individuals in the US’ with up to ‘300 data points that can be tied to those profiles.’ In other words, Kochava’s Database Graph encompasses nearly the entire United States, which has a population of 330 million individuals.”

• The FTC explicitly translates the marketing figure into plain terms: Kochava’s database covers nearly every person in the country. This is not a niche surveillance operation. It is comprehensive population-scale tracking.
• With 300 data points per profile, the database includes name, address, phone, email, ethnicity, gender identity, political affiliation, marital status, number of children, income, and app usage, all linked to precise movement history.

“In or around August 2022, after the FTC commenced its investigation of Kochava, Kochava announced that it was implementing a function titled, ‘Privacy Block.’ … However, on information and belief, Privacy Block does not block all sensitive locations and Kochava and CDS do not implement other adequate controls to protect the privacy of consumers’ visits to those locations.”

• Kochava only announced a privacy protection after a federal investigation began. This is reactive compliance theater, not proactive consumer protection.
• The FTC alleges Privacy Block is incomplete: it does not cover all sensitive locations and does not address the other data products (Database Graph, App Graph, audience segments) that can be used to identify the same consumers through different vectors.
• Kochava’s response to being caught was to create a subsidiary (CDS) and transfer the business there. The FTC alleges CDS operates identically to Kochava and both companies remain jointly liable.

Who Gets Hurt and How

Public Health

The medical privacy violations in Kochava’s data catalog are not incidental. They are a core product feature, designed and marketed to buyers.

• Kochava’s geolocation data tracks visits to reproductive health clinics and can identify individuals who have had or were considering an abortion. The FTC documented a real trace from clinic to home address using only the free data sample.
• An “Expecting Parents” audience segment built from pregnancy, ovulation, and menstruation tracking apps contains over 11.4 million MAIDs, each linked to a real person’s name, address, and contact information through the Database Graph.
• Kochava’s App Graph includes apps related to cancer, sexually transmitted infections, and women’s health. Buyer access to this data exposes the health status of users who have never agreed to share that information outside the app they chose to use.
• Kochava’s data can track addiction recovery center visits over time, including whether a person relapses and returns. This data can be purchased by employers, insurers, or anyone willing to pay the subscription fee, with no stated restrictions on use.
• Kochava’s taxonomy of audience segments includes “Reproductive Health,” “Cancer,” “Women’s Health,” “Sexual Conditions,” “Pregnancy,” and “Vaccines” as distinct targetable categories. Each represents a searchable, purchasable list of real people sorted by their medical situations.
• Providers who perform or assist with abortion services are also identifiable in the geolocation data, according to the FTC. This creates a surveillance risk for healthcare workers that extends beyond patients.
• Ads for a scientifically unsupported “abortion reversal” procedure were served 14.3 million times to women identified via clinic-visit geolocation data, using the same MAID-based targeting infrastructure Kochava sells. The harm from this data infrastructure is documented and real.

Economic Inequality

Kochava’s data products are priced to serve corporations and institutions, while the people being tracked have no knowledge, no recourse, and no compensation.

• Monthly subscriptions to Kochava’s data feeds run “often in the tens of thousands of dollars.” The buyers are corporations with legal teams and data science departments. The people whose data is sold receive nothing and are told nothing.
• One documented customer contracted with Kochava to receive profiles on a “minimum of 150 million” U.S. consumers every month, with every available data point included. The scale of this transaction illustrates the commercial value extracted from surveilling ordinary people without compensation.
• Kochava’s audience segments include economic markers such as “yearly income,” “economic stability,” “home ownership,” and “education level.” Buyers can sort the population by financial vulnerability and target accordingly.
• People experiencing homelessness are specifically identifiable in Kochava’s data through shelter visits, creating a searchable class of the most economically vulnerable Americans who have the fewest resources to protect themselves or seek legal relief.
• The data broker supply chain means the same consumer data is sold multiple times: Kochava buys data from other brokers, enriches it, and resells it, with each transaction generating revenue for the industry while producing zero benefit for the tracked individuals.
• Kochava’s FAA SDK is embedded in at least 10,000 apps globally. Developers use it for free in exchange for granting Kochava a perpetual, irrevocable license to all user data collected through the app. App users, especially those using free apps, bear the privacy cost of a commercial arrangement they never agreed to and cannot exit.
• Resetting a phone’s Mobile Advertising ID, the one user-accessible privacy tool designed to limit tracking, is explicitly defeated by Kochava’s product. Kochava links multiple MAIDs to a single consumer, so a reset does not break the tracking chain. The people most likely to attempt this reset are those already worried about privacy; Kochava’s system was designed to ensure that concern does not work.

What You Were Told vs. What Was Happening

At every level of Kochava’s operation, the story consumers and regulators were told diverged sharply from documented reality.

Scale of the Surveillance Operation

What “360-Degree Perspective” Actually Means

Kochava marketed its flagship product as a “360-degree perspective” on consumers. Here is what that phrase actually describes, broken out by component.

The People Running This and What You Can Do About It

Kochava and its subsidiary CDS are still operating. The FTC has filed suit but no final order has been entered as of the complaint date. Here is who is running the operation and where pressure can be applied.

Leadership Named in the Complaint

• Kochava CEO: Charles Manning. Named in the complaint for public statements that contradict Kochava’s own practices. He publicly criticized non-anonymized location tracking while running a company that built its entire business model around it.
• Kochava CFO: Also serves as a director of CDS, the subsidiary created after the FTC investigation began. The complaint uses this dual role as evidence that Kochava and CDS operate as a common enterprise, making both jointly liable.
• Former General Manager of Kochava’s data broker business: Now serves as CEO of CDS. The person who ran the original operation was installed to run the subsidiary that replaced it.

Watchlist: Regulatory Bodies With Jurisdiction

• Federal Trade Commission (FTC): The lead plaintiff in this case. The FTC is seeking a permanent injunction against Kochava and CDS. File a consumer complaint at ftc.gov/complaint. The FTC’s case is the central pressure point right now.
• State Attorneys General: The Massachusetts AG already brought a 2018 enforcement action against a different data broker for the same MAID-based targeting of abortion patients. Several states have now passed health data privacy laws. Your state AG may have jurisdiction Kochava has not yet been held to.
• Consumer Financial Protection Bureau (CFPB): The CFPB has been expanding scrutiny of data brokers under its supervisory authority. The commercial profiling of financial vulnerability data (income, economic stability, home ownership) in Kochava’s Database Graph sits in its lane.
• U.S. Congress, Senate Commerce Committee: No comprehensive federal privacy law yet exists, which is the structural gap that makes Kochava’s operation legal enough to still be running while a lawsuit grinds through courts. Constituent pressure on this committee directly affects whether that law gets passed.
• Amazon Web Services: AWS hosted Kochava’s data marketplace and free sample until approximately June 2022. AWS’s marketplace policies for sensitive data products are a chokepoint. AWS removed the listing, but the data was sold through that channel for years. AWS’s policies for data brokers warrant ongoing scrutiny.

Grassroots Action and Mutual Aid

• Reset your Mobile Advertising ID and disable ad tracking immediately. On iPhone: Settings > Privacy and Security > Tracking, turn off “Allow Apps to Request to Track.” On Android: Settings > Google > Ads, select “Delete advertising ID.” Know that Kochava’s system links multiple IDs to one person, so this is not foolproof, but it reduces your exposure in other data broker pipelines.
• If you or someone you know is seeking reproductive healthcare, leave your phone at home or in your car. The FTC’s own investigators proved that a single clinic visit with a phone in your pocket can be traced to your home address using commercially available data that costs a monthly subscription anyone can afford.
• Support reproductive justice organizations that provide practical support for people navigating healthcare access. Organizations like the National Network of Abortion Funds provide financial assistance. Local mutual aid networks can help coordinate travel and logistics in ways that do not generate a digital footprint.
• Contact app developers directly and ask whether they embed the Kochava FAA SDK. If an app uses it, the developer has granted Kochava a perpetual, irrevocable license to your data. Developers respond to user pressure and app store reviews. Name the SDK specifically: “Does your app include the Kochava FAA SDK?”
• Organize locally around data broker opt-out legislation. Several states (California, Virginia, Colorado, Texas, and others) have passed privacy laws with data broker opt-out requirements. If your state has not, local organizing and contacting state legislators is the most direct path. The FTC’s lawsuit is federal, but state laws with private rights of action give individuals standing to sue.
• Share this investigation with people who use period-tracking, health, or dating apps. The harm is invisible until it isn’t. Most people using these apps have no idea their data is feeding a surveillance marketplace. The Massachusetts AG’s 2018 case showed that harm already materialized; 14.3 million impressions of coercive medical misinformation targeted at abortion patients is not a future risk. It already happened.