On May 4, 2026, the Federal Trade Commission announced it will permanently ban data broker Kochava — and its subsidiary Collective Data Solutions — from selling sensitive location data without consumers’ explicit consent. The settlement resolves a lawsuit the FTC first filed in August 2022. It took nearly four years to get here.
The wait is worth understanding, because what Kochava was doing wasn’t fringe behavior — it was business as usual in the location data industry, and it was happening at a scale that should alarm anyone who carries a smartphone.
What Kochava Was Actually Selling
Kochava’s product was straightforward: it collected precise GPS-level location data from hundreds of millions of mobile devices, then sold that data to clients who wanted to understand where people went.
The problem wasn’t just that this happened — it’s what the data revealed. Kochava’s data could trace individuals’ movements to and from:
- Mental health and addiction recovery clinics
- Reproductive health facilities, including abortion providers
- Places of worship
- Domestic violence and homeless shelters
In the wrong hands, this data doesn’t just reveal shopping habits. It can expose the fact that someone sought mental health treatment, visited a particular church, or was living in a shelter. That kind of information can be used for stalking, discrimination, blackmail, or targeted law enforcement action — depending on who buys it.
The FTC’s original complaint alleged that Kochava’s data marketplace allowed buyers to infer sensitive facts about individuals based on where their phones appeared at specific times. None of the people tracked had any idea their location history was for sale.
How the Data Pipeline Worked
Kochava operated as what the industry calls a “mobile measurement partner.” Apps integrated Kochava’s software development kit to track user engagement and advertising attribution — essentially, to measure whether their ads were working.
In the process, the SDK collected far more than ad attribution data. It harvested precise GPS coordinates, timestamps, device identifiers, and behavioral patterns. Kochava aggregated this data across thousands of apps and sold access to clients ranging from advertisers to analytics firms to, potentially, government contractors.
The data was technically “anonymized” in that it didn’t include names — but GPS trails are notoriously easy to re-identify. Research has repeatedly shown that just a handful of location points are enough to uniquely identify an individual, even without a name attached.
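The re-identification risk described above can be measured as "unicity": the share of k-point subsets of a trace that match exactly one device in the dataset, a check a data holder can run before any release. This is an added example, not code from the article, the FTC, or Kochava; the device IDs, coordinates, and function names are constructed for illustration.

```python
from itertools import combinations

# Constructed sample data: pseudonymous device IDs only, no names, i.e.
# "anonymized" in the sense the article describes. Format: (lat, lon, hour).
PLACES = {
    "hub":    (43.6142, -116.2023, 8),
    "office": (43.6187, -116.2146, 9),
    "cafe":   (43.6068, -116.1932, 12),
    "clinic": (43.6042, -116.1935, 15),
}
HOMES = {"dev-a": (43.6301, -116.2412), "dev-b": (43.5822, -116.1710),
         "dev-c": (43.6555, -116.3001), "dev-d": (43.5990, -116.2748)}
VISITS = {"dev-a": ["hub", "office", "cafe"], "dev-b": ["hub", "office", "clinic"],
          "dev-c": ["hub", "cafe", "clinic"], "dev-d": ["office", "cafe", "clinic"]}

def build_pings():
    """Flatten the sample into (device_id, lat, lon, hour) records."""
    pings = []
    for dev, (lat, lon) in HOMES.items():
        pings.append((dev, lat, lon, 22))  # overnight ping at home
        pings += [(dev, *PLACES[p]) for p in VISITS[dev]]
    return pings

def coarsen(pings, decimals=2):
    """Group pings per device as a set of (lat_cell, lon_cell, hour) points."""
    traces = {}
    for dev, lat, lon, hour in pings:
        point = (round(lat, decimals), round(lon, decimals), hour)
        traces.setdefault(dev, set()).add(point)
    return traces

def unicity(traces, k):
    """Fraction of all k-point subsets of a trace that match exactly one device."""
    unique = total = 0
    for points in traces.values():
        for subset in combinations(sorted(points), k):
            matches = sum(1 for t in traces.values() if t.issuperset(subset))
            unique += matches == 1
            total += 1
    return unique / total if total else 0.0

def unicity_report(max_k=3):
    """Unicity for 1..max_k known points, even after ~1 km / 1 hour coarsening."""
    traces = coarsen(build_pings())
    return {k: unicity(traces, k) for k in range(1, max_k + 1)}

if __name__ == "__main__":
    for k, u in unicity_report().items():
        print(f"{k} known point(s): {u:.0%} of subsets single out one device")
```

In this sample every shared place is visited by three of the four devices, yet any three points from a trace already isolate a single device; the home location does so on its own.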
The Settlement Terms
Under the proposed settlement order, Kochava and Collective Data Solutions face a comprehensive set of restrictions:
The core ban: They cannot sell, license, transfer, share, or disclose sensitive location data unless they first obtain a consumer’s affirmative express consent and the data is used for a service the consumer directly requested. Passive collection and bulk sale without consent are over — at least for Kochava.
A sensitive location catalogue: Kochava must create and maintain a program that identifies sensitive locations and ensures data tied to those places is not sold or shared.
Supplier assessment: Before collecting or using location data from third parties, Kochava must verify that consumers actually consented to that collection upstream. It can’t simply accept data from apps and assume someone, somewhere, agreed to something.
Consumer notification rights: Kochava must tell consumers which businesses have purchased their precise location data and give them a clear way to withdraw consent for future sales.
Data deletion schedule: The company must establish retention limits — data can’t be kept indefinitely. It must be deleted on a defined schedule.
FTC breach notification: If Kochava discovers that a third party has improperly disclosed consumers’ location data, it must notify the FTC.
The Commission approved the order 2-0.
Why This Took Nearly Four Years
The FTC sued Kochava in August 2022. Kochava immediately fought back, arguing the lawsuit was unconstitutional and that its data practices were lawful because the data was “anonymized.” The litigation dragged through federal court in Idaho while Kochava continued operating.
This is a pattern in FTC data broker enforcement: the agency has limited resources, companies fight hard, and years pass while the practices continue. The FTC first took action against the data broker industry’s location data practices in 2022 and 2023, reaching settlements with companies including X-Mode Social and InMarket.
Kochava was one of the biggest fights. The company processed data from hundreds of millions of devices and marketed its location data capabilities aggressively. That it took until 2026 to resolve — with no financial penalty disclosed in the initial announcement — illustrates the limits of FTC enforcement against a well-resourced industry.
What Changes — and What Doesn’t
The Kochava settlement matters because it establishes that the FTC will fight location data brokers through the courts, not just send warning letters. The sensitive location catalogue requirement is particularly notable — it creates an affirmative obligation to protect data related to health, religion, and domestic safety rather than simply prohibiting the worst outcomes.
But Kochava is one company. The location data industry includes dozens of brokers operating under similar business models — many of them have never faced an FTC action. Your phone’s GPS data continues to flow through SDK integrations in apps you use daily, often without your meaningful knowledge or consent.
The FTC has made data broker enforcement a stated priority, but the commission’s resources are finite and the industry is large. Congress has not passed a federal privacy law that would give consumers rights over their location data by default.
Until that changes, the practical reality is that your phone’s movement history is a commodity — one that most data brokers are still free to sell.
What You Can Do Now
You can’t opt out of every data broker, but you can reduce your exposure:
- Revoke location permissions for apps that don’t genuinely need them. Go to your phone’s privacy settings and audit which apps have “always on” location access.
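- Use a VPN to obscure your IP-based location from advertisers and trackers. A VPN does not change the GPS coordinates that an app with location permission can read, so it complements the permission audit above rather than replacing it.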
- Opt out of ad tracking on both iOS (Settings → Privacy → Tracking) and Android (Settings → Privacy → Ads).
- Request deletion from data brokers directly. Services like DeleteMe automate this process, though it’s ongoing work since brokers re-acquire data.
- Avoid apps with aggressive SDK integrations — particularly free apps that monetize through advertising. The app is the product, and your location is the inventory.
The Kochava case is a win. But it’s a narrow one. The system that made Kochava’s business possible is still running.


