The Federal Trade Commission (FTC) sued Kochava, Inc., a major data broker, in August 2022, alleging the company purchased and sold highly accurate geolocation data from hundreds of millions of mobile devices without proper safeguards or user consent. In February 2026, the case reached a settlement that requires Kochava to implement significant privacy controls, including a two-year ban on selling location data tied to sensitive venues like reproductive health clinics, places of worship, and domestic violence shelters. This case represents one of the FTC’s most aggressive enforcement actions against a location data broker and signals a major shift in how the government is tackling privacy violations in the data brokerage industry.
This article explains what Kochava did, how the legal case unfolded, what the settlement requires, and what it means for your privacy. The settlement is significant because it directly addresses a practice that many consumers don’t realize is happening: companies tracking their precise movements throughout the day and then selling that data to third parties. Kochava’s practices exposed millions of people’s visits to sensitive locations, creating serious risks for anyone seeking reproductive health care, addiction recovery, or religious services.
Table of Contents
- What Is Kochava and How Did It Collect Location Data?
- What Sensitive Locations Was Kochava Tracking?
- The Legal Case and Court Actions
- What the Settlement Requires
- Important Limitations of the Settlement
- What This Settlement Means for Data Privacy
- The Future of Location Data Regulation
What Is Kochava and How Did It Collect Location Data?
Kochava is a data aggregation company that purchases location data from multiple sources—primarily mobile applications and data brokers—and then repackages and resells that information to advertisers, hedge funds, and other commercial entities. The company didn’t install tracking software directly on phones; instead, it bought location signals from hundreds of apps that requested location permissions from users, whether explicitly or buried in terms of service. According to the FTC’s allegations, Kochava purchased location data from over 125 million monthly active users, with approximately 35 million users on average accessing the Kochava platform daily. The location data Kochava collected and sold was remarkably precise—accurate to within approximately ten feet (three meters).
This level of accuracy means someone could determine not just that a person visited a particular address, but where exactly they stood inside a building, how long they stayed, and what time they arrived and left. For comparison, approximate location (within a few miles) is less invasive; precise foot-level tracking creates a detailed map of someone’s daily movements and sensitive activities. Kochava did not create the location data itself; it acted as an intermediary, purchasing data from app developers, location data brokers, and other sources, then aggregating and selling it on. This business model is legal in the abstract, but the FTC’s case centered on Kochava’s failure to implement safeguards, verify the data’s origin, or ensure that people had meaningfully consented to their location being tracked and sold this way.

What Sensitive Locations Was Kochava Tracking?
The FTC’s case specifically alleged that Kochava sold location data tied to people’s visits to reproductive health clinics, religious places of worship, homeless shelters, domestic violence shelters, and addiction recovery facilities. These venues represent some of the most sensitive and private aspects of people’s lives—places where you’d expect strong privacy protections. A woman seeking an abortion, someone attending weekly religious services, a person in recovery from addiction, or a domestic violence survivor would reasonably assume their location data in these places would not be sold to commercial data brokers.
The real-world harm is concrete. Suppose an advertiser or hedge fund manager wants to identify people visiting abortion clinics for targeted advertising or financial profiling. With Kochava’s data, they could do exactly that. A person could be identified, targeted for ads, or flagged in datasets without any knowledge. Similarly, someone visiting an addiction recovery center might be targeted with alcohol or substance ads, or their recovery status could be inferred and sold to employers, insurers, or other parties.
The FTC also alleged that Kochava’s data collection extended far beyond these sensitive categories. The company tracked retail visits, gas stations, restaurants, and countless other locations, creating a comprehensive movement history of hundreds of millions of people. However, if you want your day-to-day shopping habits tracked by an advertiser, you still have limited ability to opt out—a different issue from tracking visits to reproductive health clinics.
The Legal Case and Court Actions
The FTC filed its lawsuit against Kochava in U.S. District Court for the District of Idaho in August 2022. The case was assigned to Judge B. Lynn Winmill. The FTC’s core allegation was that Kochava violated Section 5 of the FTC Act by engaging in unfair or deceptive practices—specifically, purchasing and selling location data without adequate safeguards and without ensuring meaningful consumer consent.
In 2024, Kochava filed a motion to dismiss the case, arguing that the FTC lacked standing or that the allegations didn’t state a valid legal claim. Judge Winmill denied the motion to dismiss, allowing the case to proceed. This was a significant ruling because it meant the court agreed with the FTC’s basic framing: that Kochava’s conduct could plausibly violate FTC authority. The involvement of state attorneys general provided additional pressure. While the title sometimes references “17 states,” the verified information indicates that specific states including Idaho, California, and Massachusetts were involved, though the primary enforcement action came from the FTC at the federal level. State involvement often strengthens enforcement because states can pursue their own consumer protection laws and bring additional legal resources to bear.

What the Settlement Requires
On February 27, 2026, Kochava and the FTC reached a settlement that requires the company to implement significant new privacy protections. The settlement’s centerpiece is a two-year ban on Kochava selling location data tied to sensitive venues—specifically healthcare facilities, schools, government buildings (including jails and law enforcement), and other sensitive locations. This represents a direct response to the FTC’s allegation that Kochava profited from tracking people in these spaces. The settlement also requires Kochava to establish a consumer opt-out mechanism, allowing people to request that their location data not be sold or collected.
However, there is an important limitation: the opt-out mechanism cannot fully stop Kochava from purchasing data that has already been collected and linked to sensitive locations. It primarily prevents future collection and sale. Additionally, the settlement requires Kochava to establish a comprehensive information security program, to provide clear disclosures about its data practices, and to implement measures to prevent future violations. The company must also verify that data sources it purchases from are legally obtained and that people have provided valid consent. These requirements represent a significant operational change for Kochava compared to its pre-settlement practices.
Important Limitations of the Settlement
While the settlement is a win for privacy advocates, it has important limitations. The two-year ban on selling sensitive location data is temporary—it expires after two years, after which the ban must be re-evaluated. This is actually longer than many FTC settlements, but it’s not a permanent prohibition. Additionally, the ban only applies to future data sales; it does not require Kochava to delete location data it has already collected and sold. The consumer opt-out mechanism, while valuable, comes with a practical problem: it only helps if you know Kochava exists and actively request to opt out.
Many people do not know their location data is being sold by data brokers, so they won’t opt out unless informed. The FTC is pushing companies to make opt-out disclosures more prominent, but enforcement is ongoing. If you’re concerned about Kochava specifically, you would need to proactively request to opt out—the company won’t remove you automatically. Another limitation is that the settlement does not provide compensation to past victims of Kochava’s data sales. Unlike class action settlements in consumer fraud cases, where consumers often receive cash payouts, FTC settlements typically focus on prospective remedies—changing future conduct—rather than compensating past harm. This means individuals who were tracked in abortion clinics, recovery centers, or other sensitive locations have no direct monetary recovery available through this settlement.

What This Settlement Means for Data Privacy
The Kochava settlement represents an escalation in FTC enforcement against data brokers and location data vendors. For years, the data brokerage industry operated with minimal regulation, buying and selling personal information with little transparency. This settlement signals that the FTC is willing to use its full enforcement authority to challenge these practices, especially when sensitive locations are involved. The settlement also reflects growing recognition that location data, more so than other data types, can expose deeply private information about people’s beliefs, health status, and personal struggles.
A person’s browsing history can be misleading or deleted; a person’s location data at specific physical addresses creates an indelible record. The FTC’s focus on sensitive venues implicitly acknowledges that some locations are so sensitive that they deserve heightened protection by law. This case will likely influence how other data brokers and location data vendors operate going forward. Companies will see that the FTC is willing to litigate these cases, that judges are willing to allow them to proceed, and that settlements can require significant operational changes. However, the Kochava case is not a legislative solution—it’s one company, one settlement—so the broader data brokerage industry remains largely unregulated.
The Future of Location Data Regulation
The Kochava settlement is part of a broader trend toward stricter privacy regulation in the United States. Several states have passed comprehensive privacy laws (like California’s CCPA and CPRA, Virginia’s VCDPA, and others) that give consumers rights over their personal data, including location data. However, these laws vary in scope and enforcement, and federal privacy legislation has not yet passed Congress.
What comes next is still uncertain. The FTC could bring similar cases against other data brokers, pursuing a case-by-case enforcement strategy. Alternatively, Congress could pass comprehensive privacy legislation that explicitly regulates data brokers and location data vendors at the federal level. The Kochava settlement, while important, should not be seen as a complete solution to location data privacy; it’s one enforcement action against one company, not a systematic overhaul of the data brokerage industry.
