Every time you carry your phone into a doctor’s office, a place of worship, or a domestic violence shelter, apps on that device may be quietly logging your exact coordinates. For years, a data broker called Kochava turned those coordinates into a product, selling precise location records tied to hundreds of millions of mobile devices to buyers who could trace where people went and when. On May 4, 2026, the Federal Trade Commission announced a proposed settlement that would ban Kochava and its subsidiary, Collective Data Solutions, from selling sensitive location data unless consumers give clear, affirmative consent. The proposed order, which still requires federal court approval before it becomes enforceable, caps a legal battle that stretched nearly four years and marks one of the strongest enforcement actions the FTC has taken against the commercial location-data industry.
What the proposed settlement requires
The proposed order’s central rule is blunt: Kochava and Collective Data Solutions (CDS) could no longer sell, share, license, or disclose precise geolocation data linked to a particular device without first obtaining explicit permission from the person carrying that device. That permission must be specific to the sale or sharing of sensitive location information. It cannot be buried inside a sprawling privacy policy, bundled with unrelated app permissions, or inferred from a user’s silence or continued use of a service. Pre-checked boxes do not count.
Beyond the consent requirement, the order compels Kochava to delete sensitive location data it previously collected without valid consent, unless the company needs to retain it for legal compliance or security. The company must also build and maintain a privacy program with internal controls designed to identify sensitive locations, screen out data that could reveal visits to those sites, and monitor any third parties receiving location feeds.
If a federal court approves the order, violations could trigger contempt proceedings and substantial financial penalties. Because the order is a proposed stipulation between the FTC and Kochava, it does not carry the force of law until a judge signs off on it. In practical terms, once approved, Kochava would be forced to rebuild its business around a principle the location-data industry has largely avoided: that people should decide whether their movements to intimate or vulnerable places become a commodity.
How Kochava’s data pipeline worked
Understanding why this case matters requires a basic picture of how location data moves from your pocket to a broker’s servers. Companies like Kochava typically obtain geolocation information through software development kits (SDKs) embedded in popular mobile apps or through real-time advertising exchanges. When an app requests location access and a user grants it, the resulting coordinates can flow through multiple intermediaries before landing in a broker’s database, often without the user realizing their data has left the original app’s ecosystem.
Kochava’s dataset was granular enough to trace a device’s movements to specific buildings, not just neighborhoods or zip codes. According to the FTC’s complaints, that precision made it possible for buyers to infer whether a device’s owner visited a particular reproductive health clinic, a house of worship, a homeless shelter, or an addiction treatment center. The agency warned in a 2022 consumer alert that this kind of tracking could expose deeply personal decisions and beliefs.
The FTC’s filings describe how device identifiers could be cross-referenced with patterns of home and work locations to connect supposedly anonymous data points to real people. A phone that spends every night at one address and every weekday at another effectively announces its owner’s identity to anyone with access to public records or commercial databases.
Nearly four years of litigation
The FTC first sued Kochava on August 29, 2022, alleging the company sold massive amounts of precise location data that could track individuals to sensitive sites. Kochava fought back, challenging the sufficiency of the agency’s claims. The FTC filed an amended complaint that was unsealed in November 2023, and a federal judge issued a ruling in February 2024 that allowed key parts of the case to proceed while requiring the agency to sharpen some of its allegations. A second amended complaint followed in July 2024.
The prolonged fight highlights a structural challenge for privacy regulators. While the case was pending, the FTC had limited ability to halt ongoing data sales without seeking emergency relief, a step it did not take. Kochava’s willingness to litigate through multiple rounds of pleadings suggests the company believed its practices were defensible, or at least that the FTC’s authority in this space was unsettled enough to contest.
Only after the second amended complaint did the parties move toward a negotiated resolution, producing the proposed order filed in May 2026. The settlement shifts the burden going forward: instead of the agency proving harm after data has already been widely distributed, Kochava now carries the legal risk if it fails to secure explicit permission before monetizing sensitive location information.
Part of a broader crackdown on location brokers
Kochava is not the only target. The FTC has pursued similar enforcement actions against location-data brokers Gravy Analytics and Venntel, alleging they also sold information that tracked people to sensitive places without proper safeguards. Taken together, these cases signal that the agency views the commercial trade in precise geolocation data as a systemic problem requiring repeated intervention, not a one-off violation by a single bad actor.
The pattern matters because no comprehensive federal privacy law currently governs how data brokers handle location information. Several states, including California, Texas, and Washington, have enacted their own privacy statutes with varying protections, but the patchwork leaves significant gaps. The FTC has been using its existing authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, to fill some of that space. The Kochava settlement is among the clearest examples of the agency wielding that authority to set behavioral standards for an entire segment of the data economy.
What we still don’t know
Several important questions remain unanswered. The FTC has not publicly quantified how many individual consumers were directly affected by Kochava’s data sales. “Hundreds of millions of devices” describes the potential scope of the data pool, but it does not reveal how many unique people’s movements were actually sold or how frequently particular devices appeared in datasets marketed to clients.
The identities of Kochava’s customers are also largely absent from public filings. The complaints describe the types of inferences buyers could draw, but they do not name specific companies or government agencies that purchased location feeds, nor do they detail how those buyers used the information. Without that visibility, it is difficult to assess the real-world impact on individuals.
Kochava itself has not issued a public statement included in the FTC’s materials, and there is no indication in the record of whether the company admits wrongdoing or disputes the agency’s characterization of its conduct. It is also unclear whether Kochava plans to pivot toward less sensitive analytics, attempt to secure consent at scale, or significantly shrink its location-data operations.
Notably, the FTC has not tied specific documented harms, such as stalking incidents, employment discrimination, or targeted harassment, directly to Kochava’s data sales in its public filings. The agency’s case rests on the substantial risk of injury created by exposing granular location trails, an approach consistent with preventive consumer-protection law but one that leaves open questions about how often theoretical risks have already become real damage.
What you can do to protect your location data
The settlement reinforces a practical reality: meaningful control over your location data depends on explicit choices you make, not fine print written by someone else. While regulators work to hold brokers accountable, there are steps you can take right now to limit how much of your movement history enters the commercial data pipeline.
Start by auditing location permissions on your phone. Both iOS and Android allow you to see which apps have access to your precise location and to downgrade that access to approximate location or revoke it entirely. Many apps that request precise GPS coordinates, such as weather or news apps, function perfectly well without them. Disabling location access for apps that do not genuinely need it reduces the volume of data available to brokers in the first place.
You can also reset your mobile advertising identifier periodically or opt out of personalized ad tracking altogether. On iPhones, Apple’s App Tracking Transparency framework requires apps to ask before tracking you across other companies’ apps and websites. On Android, you can delete your advertising ID in the device’s privacy settings. Neither step is a complete shield, but both make it harder for brokers to build a persistent profile of your movements.
If you believe your location data has been misused, whether by Kochava or another company, you can file a report through the FTC’s online complaint portal. Those reports feed directly into the evidence regulators use to identify patterns and build future enforcement cases. In a system where federal privacy law still has significant gaps, consumer complaints remain one of the most concrete tools available to push the boundaries of accountability.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
