Federal Class Action Lawsuit Filed Against North Idaho Data Broker, Kochava; Company Was Sued by FTC Last Year


COEUR D’ALENE, ID – A federal class action lawsuit has been filed against a north Idaho data broker for allegedly tracking tens of millions of peoples’ electronic sensitive data. Cindy Murphy is a resident of King County, Washington who claims Kochava sold her data, including her geolocation data, which the company reportedly acquired through the use of a third-party application on her mobile device.

Kochava, Inc. is also embroiled in similar legal action with the Federal Trade Commission for allegedly selling data that is believed to have tracked people at sensitive locations such as reproductive health clinics, places of worship, domestic violence shelters, homeless shelters, and more.

Murphy, on behalf of herself and all others similarly situated, brought this action against Kochava in the U.S. District Court of Idaho-Northern Division for alleged violations of Idaho and Washington laws in connection with Kochava’s acquiring of consumers’ precise geolocation data and reportedly selling the data in a format that allows entities to track the consumers’ movements to and from various places. She believes the putative class size is greater than 100 people and could be in the millions; and the amount in controversy exceeds $5 million, exclusive of interest and costs.

In August 2022, the Federal Trade Commission filed a similar lawsuit against the company. While Kochava is a Delaware corporation, its principal place of business is in Sandpoint, Idaho. It transacts or has transacted business throughout the United States. The company moved to Idaho after building a 32,000-square-foot office complex in 2016.

“Kochava then sells customized data feeds to its clients to, among other purposes, assist in advertising and analyzing foot traffic at stores or other locations. Among other categories, Kochava sells timestamped latitude and longitude coordinates showing the location of mobile devices,” the FTC argued.

Following the FTC’s lawsuit, Kochava’s CEO Charles Manning released a statement claiming the federal government’s legal move was “entirely based on hypothetical scenarios” and the company is “confident that the facts are both straightforward and on our side. Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy.”

A few weeks prior to the federal lawsuit, Kochava’s attorneys filed a declaratory judgment petition (KochavaVFTC) against the FTC, which Manning called “a lawyerly way of saying Kochava asked for the Court’s help first because we know we have done nothing wrong.”

That case continues, with U.S. District Court Judge B. Lynn Winmill ordering on December 19, 2022 (KochavaVFTCLitigationOrderDec2022), that on or before March 13, 2023, “the parties must file with the Court the joint Litigation Plan and Discovery Plan.”

On January 3rd, the FTC filed a Motion to Dismiss (KochavaVFTCMotionJan2023) under Federal Rule of Civil Procedure 12(b)(1) and (b)(6), to dismiss the complaint for lack of subject-matter jurisdiction and failure to state a claim upon which relief can be granted.

“In August 2022, the Federal Trade Commission (“FTC”) informed Kochava Inc. (“Kochava”), a data analytics and marketing firm, that it was the target of a potential civil enforcement action. Kochava responded by racing to the courthouse and suing the FTC. But in its haste, the company filed a complaint that does not satisfy threshold jurisdictional and pleading requirements. And Kochava’s tactic of filing suit in an attempt to beat the government to the punch is, in any event, disfavored,” the FTC says in its motion.

Kochava responded to that Motion to Dismiss on January 24th (KochavaVFTCMotionResponse) asking the court to deny the FTC’s motion in its entirety, to which the FTC filed a reply with the court on February 6th (KochavaVFTCResponseToResponseFeb62023).

The federal agency says Kochava’s opposition brief “does not disprove the fundamental flaws in this suit. On its face, the Complaint fails to meet the basic pleading standards to show standing or a plausible claim for relief. Kochava’s brief tries to paper over the Case Complaint’s failings by rewriting its allegations and adding facts. This effort is as procedurally improper as it is substantively meritless.”

The FTC again requested that the court dismiss Kochava’s case.

Meanwhile, Murphy claims in her own lawsuit that in describing its product in the online marketplace, “Kochava has asserted that it offers “rich geo data spanning billions of devices globally.” It has further claimed that its location data feed “delivers raw latitude/longitude data with volumes around 94B+ geo transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device.”

Kochava has reportedly sold access to its data feeds on online data marketplaces that are publicly accessible, and typically charges a monthly subscription fee of thousands of dollars to access its data feed, according to the lawsuit, which adds the company also offered the free “Kochava Data Sample” publicly available with only minimal steps and no restrictions on usage.

“For example, the Kochava Data Sample was available on the AWS Marketplace until approximately June 2022. In order to access the Kochava Data Sample on the AWS Marketplace, a purchaser needed a free AWS account. A purchaser would then search the AWS marketplace for “Kochava,” which resulted in two available datasets appearing – a $25,000 location data feed subscription and the Kochava Data Sample,” court documents say. “The Kochava Data Sample consisted of a subset of the paid data feed, covering a rolling seven-day period. It was formatted as a text file, which could be converted into a spreadsheet. Put into a spreadsheet, one day of the Kochava Data Sample contained over 327,480,000 rows and 11 columns of data, corresponding to over 61,803,400 unique mobile devices.”

When an AWS purchaser clicked on the “subscribe” button for the Kochava Data Sample feed, the purchaser was directed to a screen that included a “Subscription terms” notification that stated that the Kochava Data Sample “has been marked by the provider [i.e., Kochava] as containing sensitive categories of information,” the lawsuit adds. “Below this notice, a form was displayed, requesting the purchaser’s company name, name of the purchaser, email address, and intended use case.”

The court document says a purchaser could use an ordinary personal email address and describe the intended use simply as “business.”

“The request would then be sent to Kochava for approval. Kochava has approved such requests in as little as 24 hours. Once Kochava approved the request, the purchaser was notified by email and then gained access to the data, along with a data dictionary explaining the categories of data provided,” according to the lawsuit. “The Kochava Data Sample included precise location data gathered in the seven days prior to the date Kochava approved the subscription request.”

Murphy says precise geolocation data associated with MAIDs, such as the data sold by Kochava, may be used to track consumers to sensitive locations, including places of religious worship, places that may be used to infer an LGBTQ+ identification, domestic abuse shelters, medical facilities, and welfare and homeless shelters.

“For example, by plotting the latitude and longitude coordinates included in the Kochava data stream using publicly available map programs, it is possible to identify which consumers’ mobile devices visited reproductive health clinics. Further, because each set of coordinates is time-stamped, it is also possible to identify when a mobile device visited the location. Similar methods may be used to trace consumers’ visits to other sensitive locations,” the lawsuit says.

In addition, Murphy says the location data provided by Kochava is not anonymous.

“It is possible to use the geolocation data, combined with the mobile device’s MAID, to identify the mobile device’s user or owner. For example, some data brokers advertise services to match MAIDs with “offline” information, such as consumers’ names and physical addresses,” according to the lawsuit. “Even without such services, however, location data can be used to identify people. The location data sold by Kochava typically includes multiple timestamped signals for each MAID. By plotting each of these signals on a map, much can be inferred about the mobile device owners. For example, the location of a mobile device at night likely corresponds to the consumer’s home address. Public or other records may identify the name of the owner or resident of a particular address. Indeed, Kochava has recognized that its data may be used to track mobile devices to home addresses. In its marketing on the AWS Marketplace, it has suggested “Household Mapping” as a potential use case of the data.”

Murphy says Kochava employs no technical controls to prohibit its customers from identifying consumers or tracking them to sensitive locations.

“For example, it does not employ a blacklist that removes from or obfuscates in its data set location signals around sensitive locations including, among others, locations associated with medical care, reproductive health, religious worship, mental health, temporary shelters, such as shelters for the homeless, domestic violence survivors, or other at-risk populations, and addiction recovery,” Murphy’s lawsuit says.

Murphy says the sale of such data poses an “unwarranted intrusion” into the most private areas of consumers’ lives and causes or is likely to cause “substantial injury to consumers.”

“For example, the data may be used to identify consumers who have visited an abortion clinic and, as a result, may have had or contemplated having an abortion. In fact, in just the data Kochava made available in the Kochava Data Sample, it is possible to identify a mobile device that visited a women’s reproductive health clinic and trace that mobile device to a single-family residence. The data set also reveals that the same mobile device was at a particular location at least three evenings in the same week, suggesting the mobile device user’s routine. The data may also be used to identify medical professionals who perform, or assist in the performance, of abortion services,” the lawsuit says.

Murphy’s lawsuit also says the data could be used to track consumers to places of worship, and thus reveal the religious beliefs and practices of consumers.

“In fact, the Kochava Data Sample identifies mobile devices that were located at Jewish, Christian, Islamic, and other religious denominations’ places of worship,” court documents say.

In addition, Murphy says the data could be used to track consumers who visited a homeless shelter, domestic violence shelter, or other facilities directed to at-risk populations.

“This information could reveal the location of consumers who are escaping domestic violence or other crimes. In addition, because Kochava’s data allows its customers to track consumers over time, the data could be used to identify consumers’ past conditions, such as homelessness. In fact, the Kochava Data Sample identifies a mobile device that appears to have spent the night at a temporary shelter whose mission is to provide residence for at-risk, pregnant young women or new mothers,” the lawsuit says, adding the data could also be used to “track consumers who have visited addiction recovery centers. The data could show how long consumers stayed at the center and whether a consumer relapses and returns to a recovery center.”

“Identification of sensitive and private characteristics of consumers from the location data sold and offered by Kochava injures or is likely to injure consumers through exposure to stigma, discrimination, physical violence, emotional distress, and other harms,” according to the lawsuit.

Murphy argues that these injuries are exacerbated by the fact that Kochava “lacks any meaningful controls over who accesses its location data feed, including the Kochava Data Sample.”

The collection and use of Kochava’s location data are “opaque to consumers” who typically do not know who has collected their location data and how it is being used, the lawsuit says.

“Indeed, once information is collected about consumers from their mobile devices, the information can be sold multiple times to companies that consumers have never heard of and never interacted with,” Murphy claims. “Consumers have no insight into how this data is used – they do not, for example, typically know or understand that the information collected about them can be used to track and map their past movements and that inferences about them and their behaviors will be drawn from this information. Consumers are therefore unable to take reasonable steps to avoid the above-described injuries.”

Murphy’s lawsuit seeks to represent a class of potentially millions of people defined as all persons in the United States whose data, including but not limited to their geolocation data, was sold by Kochava without their consent as well as a subclass defined as people who reside in the State of Washington whose data, including but not limited to their geolocation data, was sold without their consent.

“Members of the Class and Washington Subclass are so numerous that their individual joinder herein is impracticable. On information and belief, members of the Class and Washington Subclass number in the millions. The precise number of Class members and their identities are unknown to Plaintiff at this time but may be determined through discovery. Class members may be notified of the pendency of this action by mail and/or publication through the distribution records of Defendant and third-party retailers and vendors,” the lawsuit says. “The class mechanism is superior to other available means for the fair and efficient adjudication of the claims of Class members. Each individual Class member may lack the resources to undergo the burden and expense of individual prosecution of the complex and extensive litigation necessary to establish Defendant’s liability.”

Murphy seeks a jury trial; an award of actual damages, treble damages, attorney’s fees, and costs; and injunctive relief as permitted.

Here is an article about electronic privacy by of the Inlander: https://www.inlander.com/spokane/the-apps-and-devices-you-use-are-conducting-surveillance-with-your-every-move/Content?oid=19497328