FTC settles with data broker Kochava over sale of sensitive location data: Key takeaways for businesses

On May 4, 2026, the Federal Trade Commission (“FTC”) announced a proposed settlement resolving its long-running litigation against Idaho-based data broker Kochava Inc. (“Kochava”) and its subsidiary, Collective Data Solutions, LLC (“CDS”), over the companies’ collection and sale of precise location data from hundreds of millions of mobile devices. The proposed order, filed in the U.S. District Court for the District of Idaho, imposes sweeping restrictions on how the companies may collect, use, sell, and disclose sensitive location data. 

The settlement is notable both for the breadth of its operational requirements and for the FTC’s characterization of sensitive location data as an area of heightened consumer protection concern. Businesses that collect, broker, or rely on mobile location data should review this order carefully and assess their own practices in light of the obligations it imposes.

Background

The FTC filed its complaint pursuant to Section 13(b) of the FTC Act. The FTC sued Kochava alleging that its collection, use, and disclosure of precise location data invaded consumers’ privacy by revealing their movements, including visits to sensitive locations such as health facilities and places of worship, without their knowledge or consent. The complaint charged that the defendants participated in unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45, in the use and disclosure of data gathered from consumers’ mobile devices and other sources without consumers’ knowledge or consent. After the FTC filed its complaint in August 2022, Kochava moved to dismiss the action. In May 2023, U.S. District Court Judge Lynn Winmill granted Kochava’s motion, ruling in a 35-page opinion that the FTC’s complaint lacked sufficient allegations to state a claim, finding in particular that the FTC had failed to allege that Kochava’s data sales created a “significant risk” of concrete harm to consumers. The court afforded the FTC to amend its complaint. The Commission subsequently revised and tightened its claims, ultimately forming the basis for the proposed settlement. During the pendency of the litigation, CDS has taken over Kochava’s data broker business. 

Key Provisions of the Proposed Order

Prohibition on Selling Sensitive Location Data

Kochava and CDS are prohibited from selling, licensing, transferring, or disclosing sensitive location data that covers medical facilities, religious organizations, schools and childcare providers, domestic violence shelters, and military or federal law enforcement installations unless the consumer provides affirmative express consent. Critically, consent must be obtained through a standalone, plain-language disclosure that is entirely separate from any privacy policy or terms of service, and the data must be used solely to provide a service directly requested by the consumer.

Sensitive Location Data Program

Within 90 days of the order’s entry, CDS must establish a board-supervised program to develop and maintain a comprehensive list of sensitive locations, conduct quarterly reviews of its accuracy and completeness, and implement technical measures to prevent the sale or disclosure of sensitive location data. Non-consented sensitive location data must be flagged for deletion within two days of identification, with the deletion process completed within 30 days.

Supplier Assessment Program

CDS must assess all third-party data suppliers to verify that consumer consent underlies all location data received. Data for which consent cannot be confirmed must be ceased from use. Assessments must be conducted within 30 days of any new supplier agreement and annually thereafter.

Consumer Rights

The order establishes meaningful consumer controls: (i) the right to request the identities of any recipient to whom their precise location data was sold or disclosed; (ii) the right to withdraw consent, with defendants required to cease all use and disclosure of the relevant data within 30 days; and (iii) the right to request deletion of their precise location data, which must be processed within 30 days of receipt.

Historical Data Obligations

Within 90 days of the order’s entry, defendants must de-identify or render non-sensitive all historical location data collected without verified consumer consent and provide written confirmation of compliance to the FTC. Data for which auditable consent records exist may be retained.

Data Retention Schedule and Incident Reporting

CDS must publish a data retention schedule on its website within 60 days. Any discovery that a third-party shared defendants’ precise location data in violation of contractual requirements must be reported to the FTC within 30 days, with details on the scope, causes, and remediation steps taken.

Comprehensive Privacy Program

Within 90 days, defendants must establish a privacy program that includes board-level reporting, designated oversight, annual employee training, and regular risk assessments and testing.

Implications and Takeaways

The Kochava settlement represents one of the FTC’s most detailed and operationally demanding orders in the location data space. Several themes from the order have broad implications for any business that collects, processes, or relies on mobile location data:

1. Heightened consent standards for sensitive location data. The order makes clear that passive or implied consent is insufficient. Businesses operating in the location data ecosystem should audit their consent collection mechanisms to ensure they meet the “affirmative express consent” standard, including standalone disclosures that are separate from standard terms of service or privacy policies.
2. Supply chain accountability is a regulatory priority. The Supplier Assessment Program requirements reflect the FTC’s view that data brokers are responsible for ensuring that the data they receive from third parties was collected with proper consumer consent. Businesses that purchase or license location data from third parties should examine their vendor diligence programs and contractual protections.
3. Sensitive location categories are expanding. The order’s definition of “sensitive locations” covers medical facilities, religious organizations, schools and childcare providers, domestic violence shelters and homeless services, and military and law enforcement installations and signals where the FTC believes consumer privacy interests are most acute. Businesses should evaluate whether their data products or services touch any of these categories.
4. Consumer rights to transparency and deletion are becoming baseline expectations. The requirements to disclose data recipients, honor withdrawal of consent, and process deletion requests within defined timeframes reflect regulatory norms that are now effectively standard across the FTC’s enforcement agenda in this space.
5. Historical data poses ongoing risk. The order’s requirement to deidentify or render non-sensitive historical location data collected without proper consent, unless verified consent records exist. Businesses should assess whether they can demonstrate consent for data already in their possession.
6. Proactive governance structures are required. The mandated privacy program, sensitive location data program, and supplier assessment program all require senior executive accountability, board-level reporting, and quarterly or annual reviews. 

Next Steps

Businesses that collect, sell, or rely on mobile location data should promptly review their current data practices, supply chain arrangements, and consent frameworks in light of this order. Our Data Privacy & Cybersecurity team is available to assist with gap assessments, consent framework design, data broker due diligence, and broader compliance program development.
 

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2026 White & Case LLP}