Federal Court Dismisses FTC Location Privacy Lawsuit

Geolocation data is among the most sensitive personal data. Marketers can use this data to determine what you are likely to buy, how much you are likely to spend and where you are likely to shop. The Federal Trade Commission (FTC) sued an online geolocation data broker for unfairly selling data about the physical location of billions of people who used location-grabbing apps on their phones, but an Iowa federal court threw out the complaint. The court decided that the geolocation data was not, on its face, sensitive or private and that location data is “generally accessible through lawful means.” Since the FTC couldn’t show specific “harm” from the collection and sale of the location data, the Iowa federal court dismissed the lawsuit.

Location Data Brokers

Kochava, Inc. is a data analytics company that offers various digital marketing and analytics services. One of its services involves aggregating and selling data collected from billions of mobile devices across the world. Among other things, Kochava’s data includes timestamped location coordinates and unique device identifiers which, when viewed together, reveal the past movements of mobile devices. While the Kochava data points to devices and not specific individuals, a bit of legwork (or database analysis) can easily reveal that the cell phone that sat overnight at 702 East Front Street in Coeur d’Alene, Idaho, probably belonged to the owner of that address (don’t worry, it’s the public library). This technology was deployed by law enforcement to track BLM protesters and to track the January 6 participants, as well. It also can track people as they go in for drug treatment, mental health care or abortion services. Geolocation is a very powerful tool.

While Kochava does not collect the data itself, it obtains geolocation data from third-party data brokers, such as app developers, who collect the data with consent directly from mobile device users. Kochava then aggregates the data in its proprietary data bank from “billions of devices globally” and includes around 94 billion coordinates per month from 35 million daily active users. It collects the location of each device approximately every 15 minutes.

The FTC Lawsuit Against Geolocation Data Broker

In August of 2022, the FTC filed a lawsuit against Kochava in federal court in Idaho, alleging that their data collection practices were “deceptive” and “unfair.” The FTC alleged that by selling data that tracked people, Kochava was enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss and even physical violence.

On May 4, 2023, Senior U.S. District Judge B. Lynn Winmill dismissed the FTC’s complaint. The court rejected Kochava’s arguments that the FTC, created in 1914 to prevent unfair methods of competition in commerce (“trust-busting”), was not a lawful entity because its rulemaking power violated the doctrine of separation of powers and that its proscription against unfair or deceptive trade practices (Section 5(a) of the FTC Act) did not give rise to the authority to regulate Kochava’s data analysis and collection practices.

Not Too Personal

The court rejected the FTC’s lawsuit under 15 U.S.C. 45(n), which provides:

“The Commission shall have no authority under this section or section 57a of this title to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition. In determining whether an act or practice is unfair, the Commission may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination.”

The FTC had claimed that the collection, analysis and sale of geolocation data “could enable third parties to track consumers’ past movements to and from sensitive locations and, based on inferences arising from that information, inflict secondary harms including “stigma, discrimination, physical violence, [and] emotional distress.” They also alleged that the disclosure of consumers’ sensitive location information itself constitutes a substantial injury to consumers’ right to privacy.

The court recognized that such secondary harms could occur but noted that the FTC had not demonstrated that they, in fact, had occurred with respect to individuals whose data had been collected, processed and sold by Kochava. While the FTC alleged that such data could reveal things like a person’s HIV status, religious beliefs or medical conditions, it offered no evidence that the geolocation data was, in fact, used in a way that “harmed” the data subject. The court also relied on the fact that the Kochava data was not tied to specific individuals because purchasers had to take “additional steps to link Kochava’s geolocation data to particular individuals.” Thus, the court opined, “Kochava’s disclosure of location data, alone, does not give rise to an inference of consumer injury.”

Is Invasion of Privacy a Harm?

The court then found that, while an assertion of an invasion of privacy alone could constitute “substantial injury” under Section 5(n), “[t]he privacy concerns raised by the FTC are certainly legitimate. Disclosing where a person has been every fifteen minutes over a seven-day period could undoubtedly reveal information that the person would consider private, such as their travel habits, medical conditions, and social or religious affiliations.” However, the court found that revealing that data does not cause “substantial injury” to the data subjects. The court first noted that the data collected was not, in and of itself, personal data. It was data about devices, not people. The court concluded that “any private information that is revealed in Kochava’s data bank can be ascertained only by inference” and further that these inferences were not perfect. As a result, the geolocation data is not itself “private information” but data from which private data can be inferred.

The court went further, finding that “the information that can be inferred from Kochava’s geolocation data is generally accessible through other, lawful means. A third party may, for example, observe a person’s movements on public streets and sidewalks as they go to and from home or a medical facility. A third party may also discover a person’s home address by reviewing publicly accessible property records.” Since someone’s movements in “public” can be followed, the court suggests, there is no reasonable expectation of privacy in one’s public movements, and therefore, no privacy interest that can be adjudicated.

Finally, the court noted that the FTC cannot show how many consumers’ privacy was, in fact, impacted. The court observed that “The FTC concedes that Kochava’s geolocation data can only be linked to particular device users if third parties take additional steps—steps requiring access to external, or ‘offline,’ information. But a consumer whose geolocation data is used only for analytics but never tied back to him cannot be said to have suffered any privacy injury. Ultimately, the FTC claims only that third parties could tie the data back to device users; not that they have done so or are likely to do so.” In other words, there was a potential for an invasion of privacy, not actual invasion of privacy.

Analysis

The Iowa District Court opinion failed to take into account the impact the collection, sale and use of geolocation data has on society in general; even the risk that the data will be personalized (or, in HIPAA terms, “re-identified”). In fact, the FTC’s lawsuit was partially motivated by the fact that, in the era after Dobbs, governments or activists could purchase data about women’s travel to abortion clinics—both in-state and out-of-state. Law enforcement officials in states like Texas, which have made it a felony to assist someone in procuring abortion services from out of state, could use the geolocation data to prosecute women, their parents or relatives or even their Uber drivers. In the 2012 Supreme Court case of US v. Jones, the court skirted the issue of whether individuals enjoyed an expectation of privacy in their location outdoors but found that the warrantless installation of a GPS device violated the rights of an accused.

The “inevitable discovery” argument—that the information is not personal or private because it could be lawfully collected—is similarly disingenuous. The point of these geolocation data brokers is that the data is collected autonomously and continuously. Sure, we could follow around a few hundred million people and hope to gather the same information, but this is a classic case where the quantity of data collected impacts qualitatively what the data is and means. There’s a difference between knowing where you are right now and knowing where everyone has been for the last 10 years.

Finally, the case represents a disturbing trend of courts not taking privacy seriously. In general, an invasion of privacy is not considered to be “harmful” or “damaging” in and of itself. It is not recognizable as a “damage” itself. If I lose a job, suffer a physical or emotional harm, or can trace some cognizable impact to the privacy breach, then I have damages. But simply having my name, address, social security number and other personal information (including medical information) exposed is not a “harm.” Nor is fear of future fraud or identity theft. In Clapper v. Amnesty International USA, 568 U.S. 398 (2013), the U.S. Supreme Court ruled that plaintiffs lacked standing to sue the government for alleged unlawful surveillance because they could not demonstrate that they had suffered an actual injury or that the injury was “certainly impending.” The plaintiffs were unable to show that the exposure of their communications had led to concrete harm.

For example, in Reilly v. Ceridian Corp., the Third Circuit Court of Appeals found that the plaintiffs did not have standing to bring a lawsuit against a payroll processing company that suffered a data breach. The court held that the risk of future identity theft was too speculative to establish standing, as the plaintiffs could not demonstrate that they had suffered any actual harm or that there was a high risk of harm. Similarly, in Beck v. McDonald, the Fourth Circuit Court of Appeals ruled that plaintiffs did not have standing to sue the U.S. Department of Veterans Affairs for a data breach involving their personal information. The court held that the risk of future identity theft was not sufficient to establish standing, as the plaintiffs were unable to show any concrete harm or a substantial risk of harm. A similar result obtained in In re SuperValu, Inc., where the Eighth Circuit Court of Appeals found that plaintiffs did not have standing to sue a supermarket chain after a data breach exposed their payment card information. The court held that the plaintiffs could not demonstrate a concrete injury or a substantial risk of harm, as they had not experienced any fraudulent charges on their cards. Finally, in Tsao v. Captiva MVP Restaurant Partners, the Eleventh Circuit Court of Appeals held that plaintiffs did not have standing to sue a restaurant chain after a data breach exposed their payment card information. The court found that the risk of future identity theft was not concrete or imminent enough to establish standing, as the plaintiffs were unable to show any actual harm or a substantial risk of harm.

In short, we don’t take data privacy—in and of itself—seriously in many cases. Where there is a peeping Tom, we don’t typically have to show special “harm” from the exposure of personal information (literally, exposure). The exposure is the harm. The same is often (but not invariably) true for privacy torts like intrusion into seclusion or exposure of intimate personal facts. But when it comes to data privacy, we require customers to demonstrate individually how the exposure of their travel records, their hotel records or their financial information has specifically impacted them.

As a result, companies don’t build privacy protection into their systems. If you can make a lucrative business from buying and selling personal information—or even violating your own privacy promises—and there is no consequence to sharing that data improperly, then there is no incentive to protect that data—or to spend the money necessary to protect that data. And that’s what it means when a society does not put a price on privacy. Invasions of privacy become cost-effective.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
