Two FTC enforcement actions landed within days of each other in May 2026, and together they sketch the boundaries of what the agency is willing to call an unfair practice in the commercial surveillance economy.

The first: the FTC banned a subsidiary of Kochava — a major mobile data broker — from selling precise location data tied to sensitive locations including reproductive health clinics, addiction treatment facilities, and houses of worship. Kochava collects location data from hundreds of millions of mobile devices globally through app SDKs and resells it to marketers, insurers, hedge funds, and government clients.

The second: the FTC fined Cox Media Group approximately $930,000 for marketing an “active listening” AI advertising service that it claimed could eavesdrop on consumers through their smart device microphones to serve hyper-targeted local ads. The product was fraudulent — Cox was reselling conventional data broker email lists and fabricating the listening capability to justify a premium price.

Read together, the two cases illustrate where the FTC is drawing lines and where it is not.

The Kochava Case: What Location Data Reveals

The FTC’s original complaint against Kochava, filed in 2022, was one of the first times the agency argued directly that selling location data linked to sensitive venues is an unfair practice regardless of whether any individual data point is technically sensitive. The theory: location history that places a device at a reproductive health clinic, a mosque, an addiction treatment centre, or an LGBTQ+ community centre reveals sensitive facts about the device owner — their health decisions, religion, and personal circumstances — even if the data is labelled only as coordinates.

Kochava fought the complaint for years. The settlement announced in May 2026 does not include a financial penalty but imposes an operational ban: Kochava’s subsidiary is prohibited from selling location data that can be connected to sensitive venues. The FTC’s definition of sensitive venues is relatively broad and includes religious institutions, healthcare providers of all types, military bases, and correctional facilities.

The practical significance is that the sensitive-venue theory is now an enforcement precedent, not just a complaint position. Other data brokers selling mobile location histories face a clearer regulatory signal: if the data you sell can reveal that someone visited a Planned Parenthood clinic or an addiction recovery programme, selling it is an unfair practice under Section 5 of the FTC Act.

What the settlement does not do is ban Kochava from selling location data generally, or require deletion of data already sold. The tens of millions of location records Kochava has sold to government agencies, law enforcement, and insurance companies over the past several years are not affected.

The Cox Media Case: When AI Surveillance Is a Fabrication

The Cox Media Group case is different in character but shares an underlying theme: the FTC is willing to act against companies that exploit privacy anxiety and surveillance capability as a sales pitch, whether the capability is real or not.

Cox Media pitched a product called “Active Listening” to advertisers. The pitch was cinematic: Cox claimed its technology could activate smartphone microphones, capture ambient conversations, and use overheard keywords to serve relevant ads. A restaurant conversation about wanting Italian food would trigger Italian restaurant ads. A discussion of car trouble would trigger dealership campaigns. Cox charged a substantial premium for access to this “AI-powered” targeting capability.

The FTC found the capability was entirely fabricated. Cox was purchasing conventional email and demographic lists from standard data brokers and delivering them to advertisers as the output of its listening system. No microphone access, no conversation analysis, no AI listening technology. The active listening pitch was marketing fiction used to justify inflated prices and mislead advertisers about the basis of their targeting data.

Cox settled for approximately $930,000 and agreed to truthful advertising standards for its data products. Three other firms involved in the scheme paid portions of a combined total approaching $1 million.

The case is notable for a reason the fine does not capture: Cox was pitching active listening to advertisers as a real product. Advertisers were purchasing it believing they were paying for ambient surveillance. If it had been real, it would have been one of the most invasive commercial surveillance practices ever deployed at scale. The fact that it was fraud is reassuring in one sense and alarming in another — it reveals that the market was willing to buy.

What the FTC Is Building

These two cases, alongside earlier actions against data brokers selling location data to law enforcement and the GM/OnStar settlement in California, represent a patchwork enforcement approach to commercial surveillance. There is no comprehensive federal framework. The FTC is using Section 5 unfairness doctrine — a flexible but administratively constrained tool — to establish case-by-case precedents.

The limitation of this approach is that it is reactive and individual. Each enforcement action addresses one company’s specific practice after the harm has occurred. The broader market for location data continues operating, with brokers adjusting slightly to avoid the specific practice the latest settlement targeted.

The FTC has been attempting to promulgate a general commercial surveillance rule through formal rulemaking since 2022. Progress has been slow and the regulatory environment in 2026 is not favourable to broad new rules. In the meantime, the enforcement actions serve as market signals even if they do not constitute a comprehensive prohibition.

For consumers, the Kochava case offers one concrete update: the FTC has formally articulated that location data linked to sensitive venues is in a different risk category than general mobility data, and that selling it is a legally cognisable harm. That framing is useful in regulatory advocacy, litigation, and in pushing app stores and mobile operating systems to tighten location data access defaults.

The immediate practical protection for individuals remains the same as it has been: limit location permission grants to apps that genuinely require them, prefer “only while using” over “always on,” and treat the default settings on any app requesting location access as a negotiation rather than a given.

FTC v. Kochava and the Cox Media Group settlement are available at ftc.gov. The Kochava settlement was announced in May 2026.