FTC sues data broker Kochava for selling precise location information

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

FTC Sues Data Broker Kochava for Selling Precise Location Information

The Federal Trade Commission (FTC) filed a complaint against Kochava alleging that the data broker engages in unfair practices in violation of the FTC Act by selling customized data feeds with precise geolocation data collected from consumers’ mobile devices. The FTC alleges that, because the data, in some cases, reveals consumer visits to sensitive locations, such as locations associated with medical care, reproductive health, religious worship, mental health, or shelters for the homeless or domestic violence survivors, Kochava’s actions are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.

WHY IT MATTERS

The FTC’s press release announcing the lawsuit mentions that “protecting sensitive consumer data, including geolocation and health data, is a top priority for the FTC”. This is consistent with a statement issued by the FTC in July, warning companies that the FTC was committed to fully enforce the law against illegal use and sharing of highly sensitive data and specifically naming “data aggregators and brokers” and noting that they would “vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health or other sensitive data. 

California Passes Children’s Privacy Bill

California lawmakers passed and enrolled AB 2273 — The California Age-Appropriate Design Code Act, which will go into effect July 1, 2024 unless rejected by the governor. The Act will require online services likely to be accessed by children under age 18 to implement certain privacy measures, including configuring all default privacy settings provided to children to settings that offer a “high level of privacy” unless a different setting is in the best interests of children. The Act would also prohibit such services from using personal information from a child for any reason other than a reason for which the information was collected, unless otherwise in the best interest of the child. Services likely to be accessed by children will be required to either apply required protections to all consumers who access the service or implement a mechanism to estimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business.

WHY IT MATTERS

The current standard under the federal Children’s Online Privacy Protection Act (COPPA) applies to services “directed to children” under age 13, which is a significantly narrower standard than that of the California Age-Appropriate Design Code Act. There will therefore likely be a significant number of businesses subject to the new California law that have not previously had to implement children’s privacy protections under COPPA. 

EUROPE

Revised Swiss Data Protection Law and Ordinances to Take Effect September 2023

Per a decision of the Swiss Federal Council, revised data protection ordinances, along with a revised data protection law passed by Parliament in 2020, will take effect September 1, 2023.

WHY IT MATTERS

The revised law and ordinances will make changes to certain data security and documentation obligations and introduce a new right of data portability, among other changes. According to the Federal Council’s press release, the revised law will “ensure compatibility with European law and allow Switzerland to ratify the revised version of the Council of Europe’s Convention 108 on data protection”.

GLOBAL

New Zealand Considers Closing Notification Gap for Indirect Data Collection

The New Zealand government issued a request for comment in response to a proposal to change the notification rules under the country’s Privacy Act 2020. The current Act contains certain transparency obligations with respect to the direct collection of personal information, but the obligations do not currently apply to the indirect collection of personal information through third parties. The request asks for feedback as to whether the law should be amended to expand the existing notification requirement to apply to indirect data collection, narrow the circumstances under which indirect collection is permitted, and/or introduce new notification requirements for indirect collection.

WHY IT MATTERS

As noted in the request for comment, a distinction between the notification requirements for direct and indirect collection of personal information is not common in privacy legislation in other countries. The changes being considered would therefore bring New Zealand more in line with the rest of the world, including the EU’s GDPR.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.