Governance & Risk Management , Privacy

FTC Wants Data Broker's Lawsuit Dismissed in Privacy Dispute

Agency Fires Latest Legal Volley in Case Involving Privacy of Sensitive Health Data
FTC Wants Data Broker's Lawsuit Dismissed in Privacy Dispute

The Federal Trade Commission has asked a federal court to dismiss a "preemptive" lawsuit that a data broker filed against the FTC last summer, just weeks before the regulatory agency filed an enforcement action against the company for unlawfully selling sensitive location data collected from hundreds of millions of mobile devices.

See Also: Live Webinar | Navigating the Difficulties of Patching OT

On Monday, the FTC in a court filing slammed Idaho-based Kochava Inc.'s "preemptive" lawsuit filed against the FTC in August and the data analytics firm's subsequent request in October to have the court dismiss the FTC's civil enforcement action.

The FTC in its August enforcement action against Kochava alleges that the company is unlawfully collecting and selling location data collected from consumers' mobile devices, including data that could be used to identify individuals who have visited abortion clinics, mental health providers and other sensitive locations, such as places of worship and shelters for homelessness and domestic violence (see: FTC Sues Firm That Collects, Sells Sensitive Location Data).

The FTC's enforcement action against Kochava seeks to stop the firm's sale of sensitive geolocation data and require the company to delete the location data it has collected.

Kochava in its lawsuit filed weeks earlier against the FTC - in anticipation of that agency's enforcement action - alleges that the FTC is overstepping its authority and that it wrongly claimed that Kochava offers no technical controls to prohibit customers from identifying consumers or tracking them to sensitive locations (see: Lawsuit Against FTC Intensifies Location Data Privacy Battle).

In fact, Kochava argues in court documents, the company on Aug. 10, 2022, announced a new capability, Privacy Block, that allows the firm's clients, such as mobile app developers, to shut off the collection of sensitive health services location data from the so-called Kochava Collective marketplace.

Kochava in its lawsuit against the FTC is asking the court to rule, among other things, that the FTC is not authorized to seek injunctive relief for "past conduct that has ceased absent evidence that it is likely to recur."

'Race to the Courthouse'

The FTC in its latest legal filing this week alleges that Kochava "raced to the courthouse" to sue the FTC in August 2022 soon after the agency informed the data analytics and marketing firm that it was the target of a potential civil enforcement action.

"In its haste, the company filed a complaint that does not satisfy threshold jurisdictional and pleading requirements," the FTC says in its motion, asking the court to dismiss Kochava's lawsuit against the FTC.

The dispute between Kochava and the FTC also came in the wake of an executive order by President Biden last July, following the Supreme Court's ruling in Roe v. Wade ruling. Among other actions, the executive order directed the FTC to consider options "to address deceptive or fraudulent practices, including online, and protect access to accurate information" (see: Biden Order Seeks to Protect Reproductive Data Privacy).

Growing Concerns

The litigation between Kochava and the FTC also is among a series of other privacy disputes involving the collection of sensitive health data that have emerged in the months following the U.S. Supreme Court's decision to overturn Roe v. Wade (see: The Mounting Threats to Sensitive Data After Roe v. Wade).

That includes a consolidated class action lawsuit filed in a California federal court against Facebook parent company Meta, alleging the company through its Pixel tracking tools is collecting millions of individuals' sensitive health data from healthcare provider websites and patient portals without the patients' knowledge or consent (see: Judge Denies Motion to Stop Health Data Scraping by Meta).

The FTC declined Information Security Media Group's request for comment on the litigation. An attorney representing Kochava did not immediately respond to ISMG's request for comment.

More to Come

Daniel Kaufman, former acting director of the FTC's Consumer Protection Bureau, who is currently a regulatory attorney at law firm BakerHostetler, says Kochava's move to file a preemptive lawsuit against the FTC is a legal maneuver that a handful of other firms have tried when getting wind of an FTC enforcement action for allegations involving unfair or deceptive business practices.

"I have not seen this [legal strategy] be successful," he says. Courts have generally ruled against those companies' preemptive lawsuits in favor of allowing the government's regulatory enforcement pursuits to play out, he says.

"What makes the Kochava case - and a lot of these issues - very interesting is that the FTC is using its 'unfairness authority' [for enforcement], which is decades old … and pretty broad … but not designed to address cutting-edge technology privacy issues," he says. "That might all change if Congress eventually passes broad privacy legislation."

In the meantime, the FTC this year will likely continue step up its enforcement in other similar, controversial cases involving data privacy and security concerns, Kaufman predicts.

"I think we are going to see more cases that are premised on unfairness where the FTC is seeking to address privacy issues by expanding the boundaries of unfairness."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.