Morning Overview

The FTC moved to ban a data broker from selling people’s precise location

The Federal Trade Commission will permanently bar data broker Kochava and its subsidiary Collective Data Solutions from selling, licensing, transferring, sharing, or disclosing sensitive location data unless consumers give affirmative express consent. The proposed settlement resolves allegations that Kochava sold location data linked to millions of mobile devices, data precise enough to track visits to reproductive health clinics, places of worship, and addiction treatment centers. According to the FTC’s announcement of the Kochava settlement, the company must also delete or destroy certain existing datasets and implement a comprehensive privacy program. The action is the latest in a string of consent-only restrictions the agency has imposed on data brokers since 2024, and it raises a practical question for the industry: can smaller firms absorb the compliance costs, or will these orders push them out of business?

Why the Kochava ban matters beyond one company

The FTC’s order against Kochava did not arrive in isolation. It caps a multi-year enforcement campaign that has now touched at least four data brokers with similar restrictions. In January 2024, the agency barred InMarket Media from selling or licensing precise location data, describing that move as a first-of-its-kind prohibition on a major ad-tech intermediary. The FTC’s press release on InMarket’s practices emphasized that location traces can reveal sensitive inferences about health, religion, and other intimate details.

Around the same time, the FTC reached a settlement with X-Mode Social and its successor Outlogic. Regulators alleged that X-Mode collected precise GPS coordinates from a network of mobile apps and then sold that information to commercial clients and government contractors. In its description of the case against X-Mode and Outlogic, the agency said the company’s data could be used to trace visits to clinics, houses of worship, and other sensitive locations, and it imposed an outright ban on selling or sharing sensitive location data without consumer consent.

A final consent order involving Gravy Analytics and its subsidiary Venntel followed in early 2025, according to the FTC’s case docket. Taken together, these matters sketch a clear trajectory: the commission is moving from case-by-case allegations toward a de facto rule that the sale of precise, sensitive location data is presumptively unfair unless consumers have clearly agreed to it.

Each of these orders shares a common mechanism: the targeted firm can continue to exist, but it loses the ability to monetize raw location signals without explicit consumer permission. That restriction cuts directly into the revenue model that most location-data brokers depend on. Many brokers aggregate device-level pings from mobile apps, strip obvious identifiers, and then resell the resulting feeds or audiences to advertisers, analytics firms, or financial traders. If that pipeline requires obtaining and documenting affirmative consent for every device, the economics change dramatically.

Smaller operators that lack diversified product lines or large engineering teams face a choice between building consent infrastructure from scratch and exiting the market. Implementing robust consent flows means negotiating with app publishers, rewriting software development kits, and standing up compliance systems to track which users agreed to what. Larger firms with existing consumer-facing apps or first-party data relationships are better positioned to collect consent at scale, which could let them absorb competitors or simply outlast them. The cumulative effect of these consent-only restrictions points toward consolidation, with surviving firms either large enough to amortize compliance costs or nimble enough to pivot toward non-location behavioral signals such as purchase intent or app-usage patterns.

How the FTC built its case against Kochava

The agency’s litigation against Kochava stretched across multiple rounds of amended complaints and a contested motion to dismiss. The original complaint was filed on August 29, 2022. An amended complaint followed on November 6, 2023, and a second amended complaint landed on July 15, 2024, according to the FTC’s case docket for Kochava’s proceedings. A court memorandum decision and order on the motion to dismiss was issued on February 5, 2024, allowing the case to proceed and signaling that the FTC’s theory of harm was plausible enough to be tested at trial.

Throughout those filings, the agency argued that Kochava’s data feeds made it possible to trace individual devices to sensitive locations over time. Regulators pointed to patterns such as repeated overnight pings at a single address, followed by visits to medical facilities or religious institutions, as evidence that the data could be linked to specific people and used to draw intimate inferences. The complaint emphasized that consumers had not been given a meaningful chance to consent to, or even understand, this downstream use of their movements.

The settlement that emerged from this process requires Kochava and Collective Data Solutions to obtain affirmative express consent before selling sensitive location data, and it limits permissible sales to situations where the data is used to provide a service directly requested by the consumer. That second condition is significant because it narrows the universe of acceptable buyers. A retailer using location data to power a store-finder feature a customer asked for could qualify. A hedge fund purchasing foot-traffic patterns to model competitor revenue almost certainly could not. The order also obligates Kochava to implement safeguards such as regular third-party assessments of its privacy program and restrictions on how long it may retain certain categories of location information.

The X-Mode Social case added another dimension. There, the FTC alleged that X-Mode sold raw, non-anonymized data, a practice that made it possible for buyers to identify individual people and their movements without substantial technical effort. The commission’s order prohibited sharing or selling sensitive location data outright and required the company to delete previously collected information that did not meet the new standards. Together, these cases establish a clear pattern: the FTC treats the sale of precise, identifiable location data as an unfair practice unless consumers have explicitly agreed to it, and it is willing to require deletion of legacy datasets to curb ongoing risk.

What the Kochava settlement leaves unanswered

Several gaps in the public record limit how far these enforcement actions can reach. The FTC’s filings reference location data linked to millions of mobile devices, but the agency has not disclosed a precise count of affected consumers or the number of downstream buyers who purchased Kochava’s data. Without those figures, it is difficult to measure the real-world exposure that the settlement aims to contain or to evaluate whether the remedies are proportionate to the scale of the problem.

There is also no public accounting of what happened to data already sold before the order takes effect. Consent orders typically require deletion of improperly collected data going forward, and the Kochava settlement includes obligations to destroy certain existing datasets under defined conditions. Still, the mechanics of clawing back information that has already been integrated into third-party analytics platforms or advertising models remain unclear. The InMarket and Gravy Analytics dockets reference consumer notice attachments and deletion requirements, yet no follow-up metrics on actual redress or behavioral change have surfaced in the public filings.

Direct statements from affected individuals or from companies that purchased location data are absent from all of the listed FTC dockets. That silence makes it hard to assess whether the consent-only framework will change buyer behavior or simply shift demand toward data brokers that have not yet drawn enforcement attention. If compliant firms face higher costs and stricter limits while unsanctioned competitors continue to operate in the shadows, the market could bifurcate into a regulated tier and an underground ecosystem of data resellers.

The practical question for consumers is straightforward but unresolved: will these orders meaningfully reduce the chance that a person’s visits to a clinic, a place of worship, or a recovery center are quietly packaged and sold? The Kochava settlement, like the earlier InMarket and X-Mode actions, signals that U.S. regulators now view sensitive location data as a category that demands explicit, informed consent. Whether that standard becomes a durable industry norm, or merely a compliance obligation for companies that happen to get caught, will determine how much protection the public ultimately receives.

More from Morning Overview

*This article was researched with the help of AI, with human editors creating the final content.