Communications Litigation Today was a Warren News publication.
30 Days to Amend

Kochava Is Granted Dismissal of FTC's Privacy Case for Failure to State a Claim

May 8, 2023 by Rebecca Day|Top News

U.S. District Judge Lynn Winmill for Idaho in Coeur D’Alene granted Kochava’s motion to dismiss the FTC's privacy complaint (see 2304070006), with leave to amend, said his Thursday memorandum decision and order (docket 2:22-cv-00377). The FTC can file an amended complaint within 30 days of the order, it said.

The FTC’s August lawsuit sought a permanent injunction enjoining Kochava from acquiring consumers’ geolocation data “associated with unique persistent identifiers that reveal consumers’ visits to sensitive locations” and selling it in a format that allows entities to track their movements. Kochava contends there’s no way to determine whether a particular individual is at a particular place using the device identifier and geolocation data that the company sells to third parties.

The court agreed with Kochava that the FTC failed to make sufficient factual allegations to state a claim under Section 5(a) and 13(b) of the FTC Act but said it is “not clear … the deficiencies cannot be cured.” The FTC Act only prohibits acts and practices that cause “substantial injury” to consumers, it noted. In this case, where a privacy intrusion is the alleged injury, the court must determine whether the privacy intrusion is sufficiently severe to constitute “substantial” injury, said Winmill, saying three factors lessen the severity of the alleged privacy injury.

First, the data Kochava sells is not, “on its face, sensitive or private” because information revealed in its data bank can be ascertained “only by inference,” Winmill said. Geolocation data showing a device was at an oncology clinic twice in a week could reveal the device user has cancer, or it could reveal that the user has a friend or family member with cancer, said the memorandum. The FTC doesn’t claim Kochava is disclosing private information, only that it's selling data from which private information might be inferred, it said.

Second, information that can be inferred from Kochava’s geolocation data is generally accessible through other lawful means, said the memorandum. For example, a third party can observe a person’s movements walking home or to a medical facility, or it can access public records for property records, it said.

Third, the FTC hasn’t generally indicated how many device users may suffer privacy intrusions, the memorandum said, noting the “substantiality” of a consumer injury depends partly on the number of consumers injured. Kochava’s geolocation data can only be linked to particular device users if third parties take additional steps requiring access to external information, it said. A consumer whose geolocation data is used only for analytics but not tied to him “cannot be said to have suffered any privacy injury,” Winmill said. The FTC claims third parties could tie data back to device users, but not that they have done so or are likely to do so, he said.

The FTC didn't adequately allege Kochava’s data sales “cause or are likely to cause” the purported secondary harms, said the memorandum: The FTC "has not alleged that Kochava’s practices create a ‘significant risk’ of concrete harm.”