Kochava Settlement Imposes New Location Data Safeguards as Dutch DPA Escalates Cookie Banner Enforcement

Want to receive these privacy recaps in your inbox each week? Subscribe here.

Courts and regulators are tightening oversight of data collection practices on multiple fronts. An Idaho judge approved a settlement that imposes nationwide injunctive measures on data analytics provider Kochava over allegations that it sold sensitive location data without user consent, while the company’s parallel FTC case continues. 

Meanwhile, the Dutch Data Protection Authority announced enforcement actions against approximately 50 organizations with non-compliant cookie banners after unsuccessful attempts to secure voluntary compliance.

United States

Kochava Agrees to Injunctive Privacy Measures in Idaho Class Action Settlement

An Idaho judge approved a final injunctive settlement with Kochava over allegations that the data analytics provider sold sensitive location data to third parties without user consent, violating state privacy and consumer protection laws (case 2:23-cv-00058-BLW). 

The injunctive terms of the settlement require Kochava to take the following measures throughout the United States: 

1. Implement a filtering process to prevent the distribution or use of raw location data associated with sensitive locations;
2. Ensure location data collected through a client’s use of Kochava’s SDKs is used exclusively for the benefit of that client (and not Kochava or other Kochava clients);
3. Provide a mechanism for consumers to request the deletion of their information from Kochava’s database and prevent further ingestion, use or sale of their information; 
4. Refrain from misrepresenting its data collection and processing practices; 
5. Request examples of consent prompts utilized by its and its suppliers’ data sources that have a first-party relationship with consumers; and
6. Comply with laws regarding the use of data for machine-learning purposes. 

TAKEAWAY

This settlement approval is part of a larger settlement that resolves class actions in California, Massachusetts and Idaho. 

In parallel, the Federal Trade Commission’s case against Kochava (case 2:22-cv-00377-BLW) over similar factual allegations is still ongoing. 

Most recently, in February 2025, an Idaho district court judge denied Kochava’s motion to dismiss the FTC’s second amended complaint, finding that the FTC had sufficiently pleaded facts to state a plausible claim for relief under the FTC Act. The case was stayed during the government shutdown, but will presumably proceed now that the government has reopened. 

Despite agreeing to settle the class action claims, a Kochava spokesperson reportedly stated in February 2025 that the company would continue to vigorously defend itself against the FTC’s claims.  

Europe

Dutch DPA Announces Plans to Take Action Against Organizations With Non-Compliant Cookie Banners

After warning over 200 websites about non-compliant cookie banners, the Dutch Data Protection Authority (AP) announced that it will now be taking enforcement action against approximately 50 of those websites that failed to make the required changes. 

Specifically, the AP is looking for organizations to properly request consent for tracking cookies and to place such cookies only if someone has voluntarily given consent based on clear, accurate information. According to the announcement, the AP continues to monitor websites and take action against organizations that “do not have their affairs in order”.

TAKEAWAY

The AP had previously reported that it had been investigating frequently visited websites in various sectors (including finance, media, and hospitality) since 2024. It announced plans to structurally check the status and transparency of cookie banners in the coming years by constantly and automatically scanning the cookie banners of 10,000 websites to determine if they correctly and transparently request consent for placing tracking cookies or other tracking software. 

Subsequently, in July 2025, the AP published five final letters from an investigation into cookie banners that was conducted in March 2025. The letters revealed that the organizations under investigation had violated the GDPR by processing personal data without an adequate legal basis, due to improperly designed cookie banners. The recipients of those letters corrected the violations. The subjects of this most recent announcement were presumably part of the same investigation, but unlike the recipients of the July 2025 letters, they failed to comply with the AP’s requests. 

A LITTLE MORE PRIVACY, IF YOU PLEASE

• Omnibus project: Chronicle of a European imaginary invalid
• India’s DPDPA Takes Force
• CIPA Class Action Against CVS Overcomes Motion to Dismiss
• Everything you need to know about the Chilean Personal Data Protection Act (LPPD)
• CalPrivacy Announces Official OAL Approval of Delete Act Regulations, Effective January 1
• My Health My Data Class Action Filed Against Marijuana Dispensary

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.