The Federal Trade Commission filed suit against Idaho-based data broker Kochava on Monday, alleging it sold location data from hundreds of millions of mobile devices that could be used to track individuals’ movements from places including reproductive health clinics, domestic violence shelters and places of worship.
The agency claims Kochava violated a section of the FTC Act that prohibits unfair deceptive practices in commerce.
Using data Kochava collected on mobile devices and combining it with public map programs, the FTC found it was possible to infer the identity of the device owner by linking those devices to sensitive locations and tracing them back to single-family homes. The agency claimed that until at least June of this year, Kochava would grant users access to a sample data set of time-stamped location information from 61 million unique mobile devices, with relatively little effort required by the user seeking access to the data.
The FTC claims Kochava was aware of this potential use, marketing its services on the Amazon Web Services Marketplace with the suggestion of using its information “to map individual devices to households.”
The agency argues in its complaint filed in federal court in Idaho that identification via Kochava’s location data “is likely to injure consumers through exposure to stigma, discrimination, physical violence, emotional distress, and other harms.” It added that Kochava could have installed reasonable safeguards to protect consumer information, like by blacklisting information associated with sensitive locations so that it would not appear in data sets, such as addiction recovery centers, shelters or medical facilities.
The FTC voted 4-1 to bring the lawsuit, with Republican Commissioner Noah Joshua Phillips voting against filing the complaint. The commission’s other Republican, Christine Wilson, voted with the Democratic majority.
The lawsuit builds on the agency’s focus on privacy, after announcing earlier this month it is exploring new rules to crack down on commercial surveillance and lax data security.
Kochava did not immediately respond to CNBC’s request for comment.