The Federal Trade Commission has announced it will ban Kochava and its subsidiary Collective Data Solutions (CDS) from selling precise geolocation data without consumers' explicit consent, settling long-running charges that the data broker sold sensitive location information collected from hundreds of millions of mobile devices without meaningful user knowledge or authorization.
The settlement marks one of the most significant FTC enforcement actions against the location data industry and signals a continued regulatory push to rein in the data broker ecosystem that feeds on mobile device tracking.
What Kochava Did
Kochava is a mobile data analytics and attribution company that aggregates location signals from mobile apps to help advertisers track ad performance and user behavior. The FTC's complaint alleged that Kochava:
- Collected precise geolocation data from hundreds of millions of mobile devices through its SDK embedded in third-party apps
- Sold or licensed that data to buyers without ensuring consumers had meaningfully consented to their location being tracked and sold
- Enabled buyers to use the data to infer sensitive attributes about individuals — including visits to reproductive health clinics, addiction treatment centers, religious sites, and domestic violence shelters
- Failed to adequately anonymize the data, making it possible to re-identify specific individuals from the location streams
The FTC argued this constituted an unfair practice under Section 5 of the FTC Act, as consumers had no reasonable way to anticipate or prevent the sale of their precise movements to unknown third parties.
Terms of the Settlement
Under the settlement with the FTC, Kochava and CDS must:
| Requirement | Detail |
|---|---|
| Ban on non-consensual sales | Prohibited from selling geolocation data without explicit, informed consumer consent |
| Sensitive location restrictions | Prohibited from using or selling data tied to visits to healthcare facilities, places of worship, shelters, or other sensitive locations |
| Data deletion | Required to delete historical location data collected without adequate consent |
| Compliance program | Must implement a comprehensive privacy and data governance program subject to FTC oversight |
| Prohibition on misrepresentation | Barred from misrepresenting its data collection, use, or sharing practices |
The FTC did not disclose a monetary fine in connection with the settlement, focusing instead on structural and behavioral remedies.
Why This Case Matters
The Data Broker Industry's Invisible Reach
Kochava is one of hundreds of companies in the mobile data broker ecosystem that most consumers have never heard of but whose SDKs are embedded in thousands of popular apps. A user who installs a weather app, a flashlight app, or a free game may unwittingly be contributing location data to a broker network that aggregates and sells that data without the user's knowledge.
The FTC's complaint against Kochava highlighted that this system operates largely below consumer awareness — the app's privacy policy may technically disclose data sharing, but the disclosure is buried and incomprehensible to most users.
Sensitive Locations as a Special Risk Category
The FTC specifically called out the use of location data to infer visits to reproductive health clinics as a core concern. In a post-Dobbs legal environment, location data showing a person's visits to abortion providers carries real-world risk of legal harm in states with restrictive abortion laws. The same applies to addiction treatment centers, LGBTQ+ venues, and domestic violence shelters.
The settlement establishes that proximity to sensitive locations is a special category of data requiring heightened protection — a principle that other data brokers will now face pressure to adopt.
Broader FTC Enforcement Trend
This action against Kochava is part of a broader FTC enforcement campaign targeting the location data industry:
| FTC Action | Company | Year |
|---|---|---|
| Settlement | Gravy Analytics / Venntel | 2025 |
| Settlement | X-Mode / Outlogic | 2024 |
| Settlement | InMarket | 2024 |
| Settlement | Kochava / CDS | 2026 |
Each successive settlement has expanded the FTC's articulation of what constitutes an unfair data practice, building toward what privacy advocates hope will be comprehensive data broker regulation.
What This Means for the Industry
The Kochava settlement sends a clear message to the mobile advertising and analytics industry: collecting and selling precise location data without explicit consent is an FTC enforcement priority. Data brokers and the apps that embed their SDKs face increasing legal and regulatory risk for practices that were commonplace just a few years ago.
For developers, the key implication is that embedding a third-party SDK does not transfer liability — the apps that fed location data to Kochava's network without meaningful user consent may face their own scrutiny. SDK-level data collection should be treated as a first-party data practice for privacy compliance purposes.
What Consumers Can Do
Until federal privacy legislation passes, consumers have limited but meaningful options to reduce location data exposure:
- Review app permissions — Revoke location access for apps that don't need it for core functionality
- Use "Only While Using" — Never grant background location access to apps that don't require it
- Opt out of ad tracking — Enable "Limit Ad Tracking" (iOS) or "Opt out of Ads Personalization" (Android)
- Review privacy settings — Both iOS and Android have per-app location histories and privacy dashboards
- Audit installed apps — Remove apps you no longer use; unused apps may still collect data in the background