AIO APEX

FTC settlement would bar Kochava from selling precise location data without express consent

The U.S. Federal Trade Commission said it has reached a proposed settlement with data broker Kochava and its subsidiary Collective Data Solutions that would prohibit the companies from selling or licensing Americans' precise location data unless consumers have given explicit consent. The settlement, announced as a resolution of charges first filed in 2022, still requires court approval before it takes effect. If approved, it would convert one of the FTC's most closely watched privacy cases into a lasting restriction on how a major location-data broker can operate.

Why the case mattered from the start

When the FTC sued Kochava in 2022, the agency argued that the company had built a marketplace for geolocation data drawn from hundreds of millions of mobile devices. In the FTC's telling, the problem was not merely that location information existed in commercial systems. It was that the data was granular enough to let buyers infer visits to places that reveal deeply personal facts about a person's life, including reproductive health clinics, addiction recovery centers, places of worship, and domestic violence shelters. Even when names were not attached directly, precise movement trails can often be linked back to individuals with only a small amount of additional information.

That made the case a test of whether U.S. privacy enforcement could address the real-world harms of data brokerage without waiting for a comprehensive federal privacy law. The FTC's position has been that precise location data is uniquely sensitive because it can expose intimate choices, vulnerabilities, and protected activities. In practice, that means the agency views this market less as routine advertising infrastructure and more as a potential channel for surveillance, discrimination, coercion, or physical risk.

What the proposed order would do

The proposed order goes beyond a narrow ban. It would stop Kochava and Collective Data Solutions from selling precise location data unless they can show that the consumer provided express consent. It also requires the companies to create a sensitive location data program, assess whether upstream suppliers obtained valid consent, and maintain mechanisms that let consumers access data-related information and withdraw consent. Those obligations are significant because they push responsibility deeper into the supply chain instead of allowing a broker to rely on vague assurances from data providers.

The order would also require reporting to the FTC when the companies learn that third parties have misused the data, along with retention and deletion schedules designed to limit how long sensitive location records remain available. That combination matters. In privacy enforcement, a ban on one type of sale can be undermined if a company still keeps large historical datasets, lacks meaningful auditing, or has no practical way to stop downstream abuse. By pairing consent requirements with governance, incident reporting, and deletion rules, the FTC is signaling that sensitive-data compliance is an operational discipline, not just a contract clause.

Broader implications for the data-broker market

If the court approves the settlement, the message will reach far beyond Kochava. Many brokers and ad-tech intermediaries have historically treated mobile location data as a tradable asset so long as it moved through SDKs, APIs, and partner contracts with some form of notice buried in app disclosures. The FTC is effectively challenging that model for precise location data. Express consent is a much higher bar than passive acceptance, and supplier assessments raise the cost of claiming ignorance about how the data was originally collected.

This matters especially in the U.S., where privacy regulation is fragmented and companies often navigate a mix of sector rules, state laws, and enforcement theories against unfair or deceptive practices. The Kochava settlement does not create a GDPR-style federal statute. But it does show how regulators can use existing authority to impose controls that look increasingly like modern privacy governance: purpose limitation, consent validation, access rights, withdrawal mechanisms, incident handling, and data minimization through retention limits.

Why this is a significant precedent

The case is significant because it focuses on inference risk, not just obvious identifiers. A precise latitude-longitude trail can reveal medical decisions, religious practice, political activity, or crisis circumstances even if a dataset is marketed as pseudonymous. Regulators, courts, and security researchers have all become more skeptical of claims that location data is safely de-identified when it remains highly detailed. The FTC's approach reflects that shift. It treats sensitivity as a function of what data can expose, not merely whether a name field is present.

According to the FTC's allegations and the reporting cited by BleepingComputer, the agency believed Kochava's commercial feeds created exactly that kind of exposure. By settling now, the FTC appears to have secured practical restrictions it can point to in future enforcement. For the rest of the industry, the warning is straightforward: precise location data tied to sensitive places is no longer something regulators will treat as ordinary ad-tech exhaust. It is becoming a frontline privacy issue with direct compliance, legal, and reputational consequences.

Originally reported by BleepingComputer. Read the original article for additional details.
