FTC Bans Kochava from Selling Sensitive Location Data
The Federal Trade Commission (FTC) has banned data broker Kochava from selling granular geolocation data, citing the company’s alleged practice of collecting and monetizing sensitive consumer location information without consent. According to The Record by Recorded Future, the FTC’s complaint specifically highlighted Kochava’s sale of precise location data revealing visits to houses of worship and healthcare clinics. This activity is a direct violation of laws against unfair and deceptive business practices.
This isn’t just about privacy; it’s a strategic security issue. Attackers, or even state-sponsored actors, could leverage such granular movement data for reconnaissance, social engineering, or even physical targeting. Imagine the implications for high-value targets if their patterns of life, including visits to specific medical facilities or religious sites, become commodity data. This kind of information can be used to build detailed profiles, identify vulnerabilities, and execute tailored attacks far beyond the digital realm.
For defenders, this action underscores the critical need to understand how third-party data brokers handle information about your organization’s employees and executives. Even if your organization’s internal systems are locked down, the exposure of sensitive personal data through such channels creates an external attack surface that is difficult to mitigate. CISOs need to consider these broader privacy implications as part of their overall risk management strategy.
What This Means For You
- Your organization's employees are generating location data every day, much of which is sold to brokers like Kochava. If this data falls into the wrong hands, it can be used for targeted social engineering, blackmail, or even physical threats against key personnel. Review your organization's privacy policies, educate employees on location sharing settings, and consider how third-party data exposure impacts executive protection programs.