FTC sues data broker Kochava for selling precise location information
September 5, 2022
Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.
FTC Sues Data Broker Kochava for Selling Precise Location Information
The Federal Trade Commission (FTC) filed a complaint against Kochava alleging that the data broker engages in unfair practices in violation of the FTC Act by selling customized data feeds with precise geolocation data collected from consumers’ mobile devices. The FTC alleges that, because the data, in some cases, reveals consumer visits to sensitive locations, such as locations associated with medical care, reproductive health, religious worship, mental health, or shelters for the homeless or domestic violence survivors, Kochava’s actions are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.
WHY IT MATTERS
The FTC’s press release announcing the lawsuit mentions that “protecting sensitive consumer data, including geolocation and health data, is a top priority for the FTC”. This is consistent with a statement issued by the FTC in July, warning companies that the FTC was committed to fully enforce the law against illegal use and sharing of highly sensitive data and specifically naming “data aggregators and brokers” and noting that they would “vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health or other sensitive data.
California Passes Children’s Privacy Bill
California lawmakers passed and enrolled AB 2273 — The California Age-Appropriate Design Code Act, which will go into effect July 1, 2024 unless rejected by the governor. The Act will require online services likely to be accessed by children under age 18 to implement certain privacy measures, including configuring all default privacy settings provided to children to settings that offer a “high level of privacy” unless a different setting is in the best interests of children. The Act would also prohibit such services from using personal information from a child for any reason other than a reason for which the information was collected, unless otherwise in the best interest of the child. Services likely to be accessed by children will be required to either apply required protections to all consumers who access the service or implement a mechanism to estimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business.
WHY IT MATTERS
The current standard under the federal Children’s Online Privacy Protection Act (COPPA) applies to services “directed to children” under age 13, which is a significantly narrower standard than that of the California Age-Appropriate Design Code Act. There will therefore likely be a significant number of businesses subject to the new California law that have not previously had to implement children’s privacy protections under COPPA.
Revised Swiss Data Protection Law and Ordinances to Take Effect September 2023
Per a decision of the Swiss Federal Council, revised data protection ordinances, along with a revised data protection law passed by Parliament in 2020, will take effect September 1, 2023.
WHY IT MATTERS
The revised law and ordinances will make changes to certain data security and documentation obligations and introduce a new right of data portability, among other changes. According to the Federal Council’s press release, the revised law will “ensure compatibility with European law and allow Switzerland to ratify the revised version of the Council of Europe’s Convention 108 on data protection”.
New Zealand Considers Closing Notification Gap for Indirect Data Collection
The New Zealand government issued a request for comment in response to a proposal to change the notification rules under the country’s Privacy Act 2020. The current Act contains certain transparency obligations with respect to the direct collection of personal information, but the obligations do not currently apply to the indirect collection of personal information through third parties. The request asks for feedback as to whether the law should be amended to expand the existing notification requirement to apply to indirect data collection, narrow the circumstances under which indirect collection is permitted, and/or introduce new notification requirements for indirect collection.
WHY IT MATTERS
As noted in the request for comment, a distinction between the notification requirements for direct and indirect collection of personal information is not common in privacy legislation in other countries. The changes being considered would therefore bring New Zealand more in line with the rest of the world, including the EU’s GDPR.
Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Latest Blog Posts
A memorandum from the California Privacy Protection Agency (CPPA) staff proposes...
The ICO previously made an announcement on its website warning that...
Publisher Collective recognised the importance of collecting consent in...
Latest White Papers
The current state of publisher compliance with CCPA, and...
How to review your vendor list to mitigate compliance...
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.