Consumer data is a mainstay of the modern economy. And despite the numerous benefits that such data offer, the consequences of a data breach or privacy intrusion are immense. Negative PR, consumer-driven lawsuits, and self-imposed remedial measures are just the start. In a worst-case scenario, U.S. companies that have failed to adequately secure their consumer data can be investigated and sued by the U.S. Federal Trade Commission (the “FTC” or “Commission”).
That is exactly what happened to the data brokering company Kochava, Inc. The FTC filed suit against Kochava, alleging that its data security and privacy practices were “unfair” under Section 5(a) of the FTC Act. Rather than settling the case—as the vast majority of companies do—Kochava challenged the adequacy of the FTC’s complaint in U.S. federal court.
On May 4, 2023, a judge in the U.S. District Court of Idaho agreed with Kochava and granted its motion to dismiss (although he did give the FTC an opportunity to amend its complaint). Below, this article explains the rationale behind this important decision and offers takeaways for the data security and privacy enforcement landscapes.
In the FTC’s complaint, the Commission alleged that Kochava unlawfully sells geolocation data that could enable third parties to track mobile device users to and from sensitive locations. Under Section 5(a) of the FTC Act, the Commission is authorized to take action against “unfair or deceptive acts or practices.” Since the early 2000s, the FTC has used this grant of authority to regulate the unlawful use or protection of consumer data. Yet, to prove a claim under Section 5(a), the FTC must establish that a business’s practices cause or will likely cause “substantial injury to consumers.” Which makes sense. The FTC is America’s consumer protection agency. Without an injury to consumers, the FTC does not have the authority to regulate U.S. businesses.
In its complaint against Kochava, the FTC advanced two theories of consumer injury. First, it claimed that Kochava’s geolocation data sales could enable third parties to track consumers’ past movements to and from “sensitive locations,” and based on inferences arising from that information, inflict “secondary harms” such as “stigma, discrimination, physical violence [and] emotional distress.” Second, the FTC claimed that the disclosure of consumers’ sensitive location information itself constitutes a substantial injury to consumers’ right to privacy.
In its motion to dismiss, Kochava argued that the FTC had failed to state a plausible right to relief because it had not alleged anything more than a mere possibility of consumer injury. The court agreed. Scrutinizing the FTC’s complaint, the court held that the Commission “asks the Court to simply infer that consumer injury is probable from its assertion that Kochava is disclosing ‘sensitive information’ about device users.” Because the complaint only suggested that “ill-intentioned third parties could theoretically use Kochava’s geolocation data to . . . harm mobile device users,” it failed to allege any likelihood that such a scenario would play out.
As to the FTC’s second theory of consumer harm, the court noted that an invasion of privacy, alone, could constitute a substantial injury under Section 5(a) of the FTC Act. But, in this case, the FTC had not alleged a privacy intrusion sufficiently severe to constitute a substantial injury to consumers. In reaching this decision, the court noted that three factors lessened the severity of the alleged privacy injury. First, it found that the data Kochava sells is not, on its face, sensitive or private because geolocation data must be linked to a specific consumer through inference. Second, the information that can be inferred from Kochava’s data is generally available through other lawful means, such as physical observation of a person’s movements. And third, the FTC’s complaint failed to allege how many device users may suffer privacy intrusions. Taken together, although a privacy intrusion could theoretically present a substantial injury to consumers, the FTC had failed to allege one here.
The decision in favor of Kochava offers several important takeaways. First, it serves as an important reminder that consumer injury is critical to the Commission’s enforcement authority. FTC enforcement actions are often settled even before a federal lawsuit is filed. As a result, federal case law on FTC data security and privacy actions is scant. Decisions such as this one provide important principles for both the FTC and the regulated community.
Second, it is not enough for the FTC to allege a mere possibility of consumer harm. This holding is especially important in the data privacy context. U.S. law has faced exceptional difficulties in characterizing data harms. Often, a data breach raises the specter of an increased risk of harm to consumers. But the realization of that risk is not readily apparent. For example, if a consumer’s Social Security number is implicated in a hack, there is no doubt that the consumer faces a risk of identity fraud. But until that occurs, the consumer has not suffered a concrete harm (at least in the eyes of the law). Therefore, before the FTC files a data security lawsuit, it must have good-faith allegations that consumers face a likelihood of substantial harm (and not a theoretical possibility). This means that the FTC’s pre-suit investigations must focus on uncovering how data intrusions will likely harm consumers.
Third, regulated entities must take seriously the court’s recognition that privacy harms can constitute an injury. Although the alleged privacy harms in Kochava’s case were insufficient at the pleading stage, companies that handle particularly sensitive data (such as healthcare data, medical records, or financial information) must take additional measures to ensure the privacy of that data.
The FTC will undoubtedly continue to police America’s unlawful data privacy offenders. The case in Kochava is not quite a rebuke of the FTC, but rather a roadmap of what it must uncover prior to bringing an enforcement action. To keep the FTC off their heels, U.S. businesses of all shapes and sizes must take their data privacy obligations seriously. Doing so is both good business and effective risk management.