
FTC Kochava Settlement: Your Location Data Privacy Rights

Learn how the FTC's Kochava settlement protects your location data. Discover your privacy rights and what this means for your personal information today.

Imagine a domestic violence survivor who escaped to a shelter in 2022. She changed her phone number, deleted social media, told no one her new address. Yet in 2023, her abuser found her anyway. He hired a private investigator who bought her precise location history—down to 10 feet—from a data broker for less than the cost of a pizza. The investigator delivered a map showing every place she'd been for the past six months: the shelter, her new workplace, her daughter's daycare.

That data broker was Kochava. And the Federal Trade Commission just settled with them—four years after the abuse of this woman's location data likely occurred, three years after the FTC first filed suit in August 2022. The May 4, 2026 settlement bans Kochava from selling sensitive location data without express consent and requires a board-level privacy program. But the timeline reveals something chilling: by the time regulators stopped one broker, your location had already been packaged, sold, and resold thousands of times.

The FTC Kochava settlement isn't a victory story. It's a warning that enforcement moves at glacial speed while your exposure happens in real time.

The Legal Framework Behind the FTC's Kochava Case

The FTC didn't use a comprehensive federal privacy law to pursue Kochava—because one doesn't exist. Instead, they relied on Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices." This statute, written in 1914, has become America's default privacy enforcement mechanism by creative interpretation.

The Commission argued that Kochava's sale of raw, precise location data—accurate to within a few meters—constituted an unfair practice because it caused substantial injury that consumers couldn't reasonably avoid. According to the FTC's case documents, the company collected location data from hundreds of millions of mobile devices through its software development kit (SDK) embedded in thousands of apps.

Here's what made this case different from previous data broker enforcement actions: Kochava didn't just aggregate anonymous statistics. They sold persistent identifiers tied to specific devices, allowing buyers to track individual people's movements over time. The FTC demonstrated that this data could reveal:

  • Visits to reproductive health clinics with precision timestamps
  • Attendance at religious services at specific mosques, churches, or synagogues
  • Patterns of life at domestic violence shelters
  • Military personnel movements at sensitive installations
  • Children's locations at schools and homes

The legal theory matters because it sets precedent. The FTC didn't need to prove Kochava intended harm. They only needed to show the practice was likely to cause substantial injury. This standard—"likely to cause"—means regulators don't need to wait for documented abuse. But as the four-year timeline shows, "don't need to wait" and "move quickly" are different things.

The settlement order requires Kochava to obtain express, informed consent before selling or licensing sensitive location data. They must delete historical data they can't verify was collected with proper consent. They must implement a comprehensive privacy program overseen at the board level, with annual assessments by an independent auditor for 20 years.

Twenty years of monitoring sounds impressive until you realize it's also twenty years of Kochava remaining in business, just with better paperwork.

Who Is Covered and What Locations Are Protected

The settlement defines "sensitive location data" with unusual specificity. This isn't vague regulatory language—it's a checklist of places where your presence reveals your most private decisions.

Protected locations under the order include:

  • Medical facilities: hospitals, clinics, doctor's offices, mental health providers, substance abuse treatment centers, and reproductive health facilities
  • Religious institutions: churches, mosques, synagogues, temples, and other places of worship
  • Educational institutions: K-12 schools, universities, and daycare facilities
  • Domestic violence and homeless shelters: any facility providing services to abuse survivors or housing assistance
  • Military installations: bases, recruiting centers, and other defense facilities
  • Correctional facilities: prisons, jails, detention centers, and immigration facilities
  • Labor union offices and meeting halls

The order protects location data tied to these places when it's precise enough to identify which specific building or facility someone visited. A data point showing you were somewhere in downtown Seattle doesn't trigger protection. One showing you were at the Planned Parenthood on Madison Street does.

But here's the gap: the order only binds Kochava. According to The Record's reporting, there are thousands of data brokers operating in the United States. Our scanning across 1,500+ data brokers reveals that location data providers represent just one category in an ecosystem that includes:

  • People search sites aggregating public records
  • Marketing data brokers selling consumer profiles
  • Risk assessment companies scoring your creditworthiness, insurability, and employability
  • Mobile advertising networks tracking your app usage
  • Connected car companies logging everywhere you drive

The Kochava settlement doesn't touch any of them. Each operates until the FTC files a separate lawsuit, which takes years to litigate. The math is brutal: if each case takes four years and the FTC files a dozen data broker cases per year, it would take centuries to address the current ecosystem.

State privacy laws fill some gaps. The California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), and similar laws in Colorado, Connecticut, and Utah give residents rights to opt out of data sales. But these laws apply only to residents of specific states and require you to know which brokers have your data—an impossible task when they number in the thousands.

The Four-Year Timeline: How Enforcement Actually Works

Let's trace the actual timeline of the FTC's data broker action against Kochava to understand what "enforcement" means in practice.

Summer 2021: Privacy researchers and journalists begin investigating location data brokers. Multiple investigations demonstrate that "anonymized" location data can be re-identified to specific individuals. One study tracked a Pentagon official from his home to his office using commercially available data.

August 2022: The FTC files a lawsuit against Kochava in federal court in Idaho, seeking a temporary restraining order and preliminary injunction to immediately halt data sales. The complaint alleges violations of Section 5 of the FTC Act.

September 2022: A federal judge denies the FTC's motion for preliminary injunction, finding the agency hadn't adequately demonstrated irreparable harm. Kochava continues operating throughout the litigation.

2023-2025: Discovery, depositions, motion practice. Kochava's data feed continues. Every month of litigation represents another month of location data being collected, packaged, and sold. If you visited a reproductive health clinic in 2023, that visit is in someone's database right now.

May 4, 2026: Settlement announced. Kochava agrees to stop selling sensitive location data without consent and implement a privacy program. No admission of wrongdoing. No financial penalty disclosed in public documents.

Four years from complaint to resolution. And that's relatively fast—the FTC's case against data broker X-Mode Social (now Outlogic) took a similar timeline, settling in January 2024 after being filed in 2022.

During those four years, what happened to your data? Based on our analysis of thousands of removal requests, here's the typical flow:

Step 1: Collection Through Invisible Channels

Your location data gets collected through apps you use daily. Weather apps, coupon apps, games, even flashlight apps—many contain SDKs from data brokers. You granted location permission for the app's stated purpose (showing local weather). The SDK uses that permission to collect your precise coordinates every few minutes.

Step 2: Aggregation and Identifier Assignment

The broker assigns you a persistent identifier—often your device's advertising ID, but sometimes a proprietary ID. They link this to your location history, creating a movement profile. Over months, this profile reveals where you live, work, worship, seek medical care, and spend your free time.

Step 3: Packaging and Sale

The broker packages location data into feeds sold to various buyers: advertisers, hedge funds analyzing foot traffic, researchers, and increasingly, "verification services" that are thinly disguised surveillance tools. Buyers don't get your name directly—they get your ID and location history. But re-identification is trivial when they know where you live and work.

Step 4: Resale and Integration

Buyers often resell the data or merge it with other datasets. Your location history gets combined with your consumer profile from marketing brokers, your public records from people search sites, and your online behavior from advertising networks. The resulting dossier is far more revealing than any single dataset.

This four-step process happened continuously while the FTC litigated. The settlement stops Kochava's sales going forward (in theory—enforcement depends on audits). It doesn't claw back data already sold. Those datasets exist in perpetuity.

Common Pitfalls and How Location Data Escapes Protection

The Kochava settlement has gaps you could drive a surveillance van through. Understanding these pitfalls helps you grasp why individual action matters more than regulatory relief.

Pitfall 1: The consent loophole. The order bans selling sensitive location data "without express informed consent." But what counts as consent? If you agreed to a 5,000-word privacy policy that mentioned data sharing in paragraph 47, does that qualify? The settlement requires consent to be "clear and conspicuous," but these terms are notoriously flexible. App developers will hire armies of lawyers to craft consent flows that technically comply while maximizing data collection.

Pitfall 2: The aggregation exception. The order allows sale of aggregated, de-identified data that can't be tied to specific devices. But de-identification is more art than science. Multiple academic studies have shown that "anonymous" location data can be re-identified using publicly available information. If a dataset shows one device consistently at your home address overnight and at your workplace during business hours, you're identified—even without a name attached.

Pitfall 3: The first-party carveout. The settlement restricts Kochava's sale of data to third parties. It doesn't prevent apps from collecting and using your location data for their own purposes. If a prayer app tracks your mosque attendance and shares it with its parent company, which happens to run a political consulting firm, the Kochava order is irrelevant.

Pitfall 4: The international blind spot. The FTC has jurisdiction over companies doing business in the United States. It has limited reach over foreign data brokers. Our scans across 1,500+ data brokers reveal that a significant percentage operate from overseas—Eastern Europe, Asia, Latin America. They harvest data from U.S. users and sell it through intermediaries. An FTC order against a Boise-based company does nothing about a broker operating from Bucharest.

Pitfall 5: The data permanence problem. The order requires Kochava to delete sensitive location data collected without proper consent. But what about data they already sold? Those buyers aren't party to the settlement. They can keep using and reselling the data indefinitely. Your 2022 visit to a reproductive health clinic is still in databases at dozens of downstream companies.
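The home-and-workplace point in Pitfall 2 can be turned into a release check that a privacy team runs before calling a location feed "de-identified". The following is an added example, not code from the FTC order or from any broker: it counts how many devices share each (overnight cell, weekday-daytime cell) pair, and a count of 1 means the record is unique even with no name attached. The device IDs, coordinates, time windows and grid sizes are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data: pseudonymous device IDs with (home, work) coordinates.
SITES = {
    "dev-a": ((47.6101, -122.3301), (47.6203, -122.3493)),
    "dev-b": ((47.6103, -122.3299), (47.6204, -122.3491)),  # same building and office as dev-a
    "dev-c": ((47.6152, -122.3208), (47.6204, -122.3492)),  # same office, different home
}
NIGHT = ["2023-03-06T23:30:00", "2023-03-07T02:10:00"]
DAY = ["2023-03-07T10:15:00", "2023-03-07T14:40:00"]  # a Tuesday
# Each ping is (device_id, local ISO timestamp, lat, lon).
PINGS = [(d, ts, *home) for d, (home, _) in SITES.items() for ts in NIGHT] + \
        [(d, ts, *work) for d, (_, work) in SITES.items() for ts in DAY]


def cell(lat, lon, decimals):
    """Snap a coordinate to a grid cell (3 decimals is roughly 100 m of latitude)."""
    return (round(lat, decimals), round(lon, decimals))


def anchors(pings, decimals=3):
    """Per device: most frequent overnight cell and most frequent weekday-daytime cell."""
    night, day = defaultdict(Counter), defaultdict(Counter)
    for dev, ts, lat, lon in pings:
        t = datetime.fromisoformat(ts)
        c = cell(lat, lon, decimals)
        if t.hour >= 22 or t.hour < 6:               # assumed "at home" window
            night[dev][c] += 1
        elif t.weekday() < 5 and 9 <= t.hour < 17:   # assumed "at work" window
            day[dev][c] += 1
    # Devices lacking either anchor are skipped; they need a separate review.
    return {dev: (night[dev].most_common(1)[0][0], day[dev].most_common(1)[0][0])
            for dev in night.keys() & day.keys()}


def k_anonymity(pings, decimals=3):
    """Map each device to the number of devices sharing its (home, work) pair."""
    pairs = anchors(pings, decimals)
    sizes = Counter(pairs.values())
    return {dev: sizes[pair] for dev, pair in pairs.items()}


def unique_devices(pings, decimals=3):
    """Devices whose (home, work) pair is shared with no one else (k = 1)."""
    return sorted(d for d, k in k_anonymity(pings, decimals).items() if k == 1)


if __name__ == "__main__":
    print("k at ~100 m grid:", k_anonymity(PINGS, decimals=3))
    print("unique at ~100 m grid:", unique_devices(PINGS, decimals=3))
    print("unique at ~10 km grid:", unique_devices(PINGS, decimals=1))
```

In the sample, the device with its own home cell stays unique at the fine grid and only blends in once coordinates are coarsened to roughly 10 km, which is the trade-off a de-identification claim has to account for.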

How do you avoid these pitfalls? You can't, not entirely. But you can reduce your exposure:

Minimize location permissions: Review every app's location access. Go to Settings > Privacy > Location Services (iOS) or Settings > Location (Android). Most apps don't need "Always" access—switch them to "While Using" or "Never." That weather app works fine with manual location entry.

Use privacy-focused alternatives: Replace apps known to monetize location data. Instead of free weather apps laden with tracking SDKs, use Weather.gov (the National Weather Service's site) or pay for a privacy-respecting app like Carrot Weather.

Disable advertising IDs: On iOS 14.5+, go to Settings > Privacy > Tracking and disable "Allow Apps to Request to Track." On Android, go to Settings > Privacy > Ads and select "Delete advertising ID." This breaks the persistent identifier that ties your location history together across time.

Opt out of data broker databases: This is where the real work lives. The Kochava settlement addresses one company. Your data sits in hundreds of broker databases. Our free exposure check scans the major people search sites and data brokers to show what's already public.

Templates and Resources for Taking Action

Regulatory enforcement happens on geologic timescales. Your exposure happens now. Here are specific, actionable steps with the exact resources you need.

Step 1: Audit Your Current Exposure

Start with the free exposure check to see what data brokers have already published about you. This scans major people search sites and provides a baseline. You'll likely find:

  • Your current and previous addresses
  • Phone numbers (including unlisted numbers you thought were private)
  • Email addresses
  • Relatives and associates
  • Property ownership records
  • Court records and liens

This is just the surface layer—the data anyone can Google. Deeper databases include your location history, shopping patterns, financial indicators, and health inferences.

Step 2: Request Data Deletion Under State Privacy Laws

If you're a California resident, you have rights under the CCPA (California Civil Code § 1798.100 et seq.). Similar rights exist for residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA).

You can send deletion requests to data brokers, but here's the reality: the major brokers receive thousands of requests daily. They're not trying to make it easy. Our analysis of thousands of removal requests shows:

  • Average response time: 30-45 days (the legal maximum)
  • Verification requirements: government ID, utility bills, sometimes notarized forms
  • Reappearance rate: 40-60% of removed profiles reappear within 6 months as brokers refresh from public records

You can find opt-out links for major brokers, but with 1,500+ brokers in our database, manual removal is a full-time job. Each broker has different procedures. Some require mailed forms. Others demand video verification. A few make you create an account (giving them more data) before they'll process a deletion.

Step 3: Lock Down Your Mobile Location Sharing

Beyond disabling individual app permissions, take these device-level steps:

For iOS users:

  • Settings > Privacy & Security > Location Services > System Services > Disable "Location-Based Suggestions," "Location-Based Apple Ads," and "iPhone Analytics"
  • Settings > Privacy & Security > Analytics & Improvements > Disable "Share iPhone Analytics" and "Share iCloud Analytics"
  • Settings > Privacy & Security > Apple Advertising > Disable "Personalized Ads"

For Android users:

  • Settings > Google > Manage your Google Account > Data & privacy > Location History > Turn off
  • Settings > Google > Manage your Google Account > Data & privacy > Web & App Activity > Turn off
  • Settings > Security & privacy > Privacy controls > Disable "Ads"

These settings don't prevent all location collection—they reduce it. Apps can still collect location when you grant them permission, and your mobile carrier logs your location constantly for network operations.

Step 4: Use the FTC's Complaint Process

If you discover a data broker selling your sensitive location data, file a complaint with the FTC at reportfraud.ftc.gov. Choose "Privacy, Identity Theft, or Online Security" as the category.

Will this result in immediate action? No. But complaints inform FTC enforcement priorities. The Kochava case began because privacy advocates and researchers documented harm. Your complaint adds to that record.

You can also file complaints with your state attorney general. State AGs have been more aggressive than federal regulators on data broker enforcement. California, Vermont, and Texas have all brought actions against location data companies.

Step 5: Monitor for Reappearance

Data brokers refresh their databases constantly from public records, data partnerships, and web scraping. A removal today doesn't mean you're gone tomorrow. Our monitoring data shows:

  • People search sites: Refresh every 30-90 days from public records databases
  • Marketing brokers: Update quarterly from credit headers, warranty registrations, and purchase history
  • Location data brokers: Continuous collection from apps with active SDKs

Manual monitoring is impractical. You'd need to check hundreds of sites monthly. This is why automated monitoring exists—but even then, you're playing whack-a-mole against an industry designed to resurface your data.

When to Seek Professional Help

You can handle some data removal yourself. But the scope of the problem makes DIY impractical for most people. Consider professional help when:

You're in a high-risk situation: Domestic violence survivors, stalking victims, law enforcement officers, judges, and activists face elevated threats from data exposure. For these situations, speed matters. Waiting 45 days for a broker to respond to your deletion request could mean the difference between safety and harm. If your physical safety depends on location privacy, professional removal services can expedite the process and cover more brokers faster.

You've found exposure on dozens of sites: If the free exposure check shows your data on multiple brokers, you're likely on hundreds more that don't appear in free scans. Our full service covers 1,500+ brokers versus the 35-500 covered by competitors. The difference matters—your data doesn't sit on just the big-name sites. Mid-tier and long-tail brokers often have less security and more willingness to sell to sketchy buyers.

Your data keeps reappearing: You've spent hours submitting opt-out requests, only to find the same information back online within months. This is the norm, not the exception. Data brokers refresh
