Commissioner Rebecca Slaughter offered some free advice for those paying attention to the Federal Trade Commission’s virtual PrivacyCon event on Wednesday.
“Be very careful with Kochava.”
The lawsuit against mobile attribution company Kochava is a case in point. This makes the Commission’s stance on data collection completely clear and highlights a major concern for the ad tech industry.
In the FTC’s view, selling or sharing information that can be used to identify an individual with third parties may sufficiently violate Section 5 of the FTC Act, which protects against unfair and deceptive business practices.
And the judge agrees.
FTC vs. Kochava
In early February, the U.S. District Court for the District of Idaho rejected Kochava’s second attempt to dismiss the FTC lawsuit, which was originally filed in 2022 after Kochava refused to settle.
The FTC alleged that Kochava collected sensitive geolocation data and made it available for sale to other companies through marketplaces.
According to the original complaint, the data was sold in a format that allowed companies to track consumers as they moved between sensitive locations such as reproductive health clinics and places of worship.
Mr. Kochava filed a motion last year to dismiss the FTC’s case, citing a lack of specific examples of harm. The motion was granted, albeit provisionally. The FTC has 30 days to refile an amended case with more evidence of harm, and the commission can do so and proceed with the case.
The FTC now finds that Mr. Kochava’s business practices violate Section 5 and expose consumers to a significant risk of privacy-related collateral damage, including stigma, discrimination, physical violence, and emotional distress. must be proven in court.
subscribe
AdExchanger Daily
Get our editor’s roundup delivered to your inbox every weekday.
“The court’s recognition that we can act to prevent harm allows us to intervene to protect consumers before they suffer irreparable harm,” Slaughter said. Ta. “We look forward to watching this case closely.”
Browsing data is confidential, ‘full stop,’ says FTC
On the other hand, the FTC’s broad definition of confidential information should be a wake-up call for all ad tech companies. There’s also the fact that courts agree with the FTC’s premise that disclosure of confidential information is unfair and potentially illegal. Practice by itself.
Last week, FTC staff released guidance in a blog post summarizing the rationale behind recent enforcement actions against “bulk data collectors.” (Three companies: X-Mode, InMarket, and Avast)
In its post, the FTC specifically states that it “absolutely” considers all browsing and location data to be confidential.
As the FTC notes, not one of the companies recently accused of data mishandling was accused of collecting or selling personally identifiable information. Their data set had no name, no social security number, and no typical PII of his.
there is nothing all personal
But PII isn’t the problem.
Almost all data becomes sensitive if it can be re-identified and associated with an individual. This includes data that people view online.
So don’t be surprised if the FTC files more lawsuits against data brokers and companies whose business is monetizing consumer data. X-Mode, InMarket, and Avast all recently reached settlement agreements with the FTC.
For example, X-Mode was able to make location data very personal very quickly by associating it with traditional identifiers. If a person’s cell phone was observed to remain in the cardiologist’s office, then to the pharmacy, and then to a specialized infusion center, it is not a leap to think that the person has heart disease.
InMarket, on the other hand, targets people for advertising purposes as “Christian churchgoers,” “parents of preschoolers,” “low-income millennials,” “wealthy suburban moms,” etc., based solely on visits to specific locations. ” and other audience segments.
Avast then re-creates your browsing data, including specific searches for directions on Google Maps, cosplay erotica, public servant jobs in Fort Meade, Maryland, salaries over $100,000, and links to French dating sites. Collected and sold in an identifiable format. unique member ID).
So if a company has access to one user’s browsing or location history, but not anyone else, that information can be “highly revealing and frighteningly easy to use to re-identify that user.” ” said FTC Commissioner Alvaro Bedoya. Privacy con.
“It’s easy to see how this data could potentially harm people,” Bedoya said. I’m going to work on it,” he said.
