The Federal Trade Commission today filed a stipulated order in the United States District Court for the District of Idaho, resolving a lawsuit it first brought against Kochava Inc. in August 2022. The order, signed by FTC attorneys on May 4, 2026, places sweeping restrictions on how Kochava and its subsidiary, Collective Data Solutions, LLC (CDS), may collect, use, and sell precise location data gathered from consumers' mobile devices. The Commission vote approving the stipulated final order was 2-0.
The case took nearly four years to close. It moved through the original complaint, an amended complaint filed on June 5, 2023, and a second amended complaint filed on July 15, 2024, before the parties reached the agreement now submitted to the court. Kochava's general counsel Dave Matt and outside counsel Jennifer Reinhardt-Tessmer of Kirton McConkie signed on behalf of the defendants on March 2, 2026 - two months before the FTC signed. The order will terminate ten years from the date it is entered by the court.
The original allegations
According to the FTC's complaint, Kochava collected, used, and disclosed precise location data from consumers' mobile devices without their knowledge or consent. That data, according to the FTC, revealed individuals' movements - including visits to health facilities, places of worship, locations providing shelter or social services to homeless people, domestic violence survivors, and military or federal law enforcement installations. Because consumers were unaware of and did not consent to this data sharing, the FTC alleged they had no way to avoid the resulting harms.
Section 5 of the FTC Act, 15 U.S.C. § 45, prohibits unfair acts or practices in commerce. That is the statutory foundation the Commission cited. The defendants neither admit nor deny the allegations, except for the facts necessary to establish jurisdiction.
What the order requires
The order is detailed and technically specific. Its central prohibition bars both Kochava and CDS from selling, licensing, transferring, sharing, or disclosing sensitive location data in any product or service. The only exception applies when defendants have a direct relationship with the consumer related to that specific location, the consumer has provided affirmative express consent, and the data is used to provide a service directly requested by the consumer.
The order's definition of affirmative express consent is precise. It requires a freely given, specific, informed, and unambiguous indication of agreement following a clear and conspicuous disclosure of: the categories of information being collected; the purposes for which it will be used or disclosed; a hyperlink to a document describing the types of entities to whom the information is disclosed; and a hyperlink to a simple means by which the consumer can withdraw consent. That disclosure must be separate from any privacy policy, terms of service, or similar document.
Critically, the order specifies what does not constitute consent. Hovering over, muting, pausing, or closing a piece of content does not count. Nor does consent obtained through a user interface that has the effect of subverting or impairing user autonomy, decision-making, or choice - a standard that directly targets dark patterns.
Sensitive locations defined
The order lists five categories that qualify as sensitive locations: medical facilities; religious organizations; locations held out to the public as predominantly providing education or childcare to minors; locations providing temporary shelter or social services to homeless individuals or survivors of domestic violence; and military or federal law enforcement installations, offices, or buildings.
Precise location data in the order covers GPS coordinates, cell tower information, location inferred from WiFi SSIDs, BSSIDs, or Bluetooth receiver data, and any unique persistent identifier combined with such data - including mobile advertising identifiers (MAIDs) and identifiers for advertisers (IDFAs). Data revealing only coarse location, defined as a zip code or census block with a radius of at least 1,850 feet, is excluded from the definition.
The Sensitive Location Data Program
Within 90 days of the order's entry, CDS must establish and maintain a Sensitive Location Data Program. Kochava must comply with the same requirements before selling or disclosing precise location data. The program requires a written document describing its components and implementation plan. A senior officer, such as a Chief Privacy Officer or Chief Compliance Officer, must be designated as responsible and must report directly to the board of directors or principal executive officer.
The program's list of sensitive locations must be assessed and updated at least once every three months. Each quarterly assessment must verify the list's completeness, identify and evaluate third-party methods or services for identifying sensitive locations, update the list accordingly, and consider whether new categories of sensitive locations should be added. Every step of the assessment must be documented, including the reasons for selecting the methods and sources used.
Policies, procedures, and technical measures to prevent the sale or disclosure of sensitive location data must be tested for effectiveness at least once every three months.
For any sensitive location data for which consent has not been confirmed, the deletion process must begin within 2 days of that determination and must be completed within 30 days. That window may be extended in additional 30-day increments, not to exceed 90 days total, provided the extension and progress are documented at each interval. During deletion, the data may not be used, accessed, or disclosed for any other purpose.
Historical location data
The order addresses data collected before its entry separately. Within 90 days, defendants must deidentify or render non-sensitive all historical location data - defined as precise location data collected without affirmative express consent prior to the order's entry. A written confirmation must be submitted to the Commission. Defendants must also notify, within that same 90-day window, all customers who received historical location data within the two years prior to the order's entry, informing them of the deidentification requirement. Notifications must be submitted to the Commission within 10 days of being sent to customers.
There is one narrow exception: defendants may retain historical location data if they can produce records showing consumers consented to its collection, use, and disclosure.
The Supplier Assessment Program
CDS must also implement a Supplier Assessment Program within 90 days, designed to confirm that consumers have provided consent for the collection and use of all supplier-provided location data - meaning location data obtained from third-party data suppliers, not generated internally.
For each data supplier, CDS must conduct an initial assessment either within 30 days of entering a new data-sharing agreement or within 30 days of the order's entry for existing agreements. Annual reassessments are required thereafter. The assessment must confirm either that consumers provided affirmative express consent or, at minimum, that they specifically consented to collection and use of the location data.
If consent cannot be confirmed, CDS must cease using, selling, or disclosing all supplier-provided location data from that source. Records of suppliers' responses must be created and maintained.
Consumer rights provisions
The order creates several direct rights for consumers. CDS must provide a clear and conspicuous means for consumers to request the identity of any recipient to whom their precise location data was sold or disclosed. Alternatively, CDS may satisfy this requirement by giving consumers a clear method to request deletion of their data from all recipients' commercial databases, expressly instructing those recipients to honor such requests, and providing written confirmation of deletion no later than 90 days after the consumer's request.
Consumers may also withdraw consent at any time. The order requires a simple, easily located means to do so, which may include a link to an applicable operating system or device setting. Within 30 days of receiving a withdrawal of consent, defendants must cease using and disclosing the precise location data associated with that device.
Deletion requests submitted to CDS must be processed within 30 days unless a shorter period is required by law. CDS must treat a deletion request as notice to its parent company.
Data retention limits
Within 60 days of the order's entry, CDS must publish a data retention schedule on its website, clearly and conspicuously accessible from the home page. The schedule must specify, for each type of covered information: the purpose for which it is collected; the specific business need for retaining it; and an established timeframe for deletion. Indefinite retention is prohibited. The schedule must be updated before any new type of information not already covered by it is collected.
Mandated privacy program
Within 90 days, defendants must establish a comprehensive privacy program covering all covered information - a category that includes names, precise location data, email addresses, phone numbers, Social Security numbers, government-issued identification numbers, financial account numbers, credit and debit card information, and persistent identifiers such as mobile device IDs, static IP addresses, or processor serial numbers.
The program must be reviewed and presented to the board or governing body at least once every 12 months. Annual privacy training is required for all employees and contractors with access to covered information. The program must be tested and monitored at least annually, and modified based on results. Risk assessments must be documented at least once every 12 months.
Compliance and recordkeeping
Defendants must retain records for five years after the order's entry. Those records include accounting records showing revenues, costs, and net profit or loss; personnel records; copies of all consumer complaints related to covered information; copies of all widely disseminated representations about defendants' data practices; and records demonstrating compliance with the Supplier Assessment Program, Sensitive Location Data Program, consumer deletion requests, and consent requirements for historical location data.
One year after the order's entry, defendants must submit a sworn compliance report describing all changes made to comply. They must notify the Commission within 14 days of any change in designated points of contact or corporate structure. Third-party incident reports - triggered when a third party shares defendants' precise location data in violation of a contractual requirement - must be submitted within 30 days of a defendant's determination that such an incident has occurred.
Why this matters for the marketing industry
The Kochava order lands in a market where mobile measurement and location data have been central to programmatic advertising infrastructure for years. Kochava operates as a mobile measurement partner across major advertising platforms, holding certifications with Meta, Google Ads, TikTok, and Snapchat. The company launched a formal Partner Certification Program in December 2025 and expanded it in March 2026 to include connected television and mobile in-app advertising partners.
The case is not the first of its kind. In January 2024, the FTC moved to ban InMarket Media from selling or licensing any precise location data over allegations nearly identical to those in the Kochava complaint - failure to obtain informed consent from users of its own apps and use of an SDK to collect location data without adequate consumer disclosure. The InMarket action also required a sensitive location data program and an SDK supplier assessment program, making the structural parallels clear.
The FTC's enforcement posture on location data has been consistent. In July 2024, the Commission issued a warning that hashed data is not anonymous, signaling scrutiny of persistent identifiers including mobile advertising IDs - the same identifiers at the core of the Kochava case. In November 2024, the Commission warned that data clean rooms are not a privacy silver bullet, reinforcing that technical infrastructure alone does not satisfy legal obligations.
The Kochava order's technical specificity carries operational implications beyond the defendant. The quarterly testing requirement for the Sensitive Location Data Program, the 2-day initiation and 30-day completion window for sensitive data deletion, and the prohibition on inferred consent from passive user behaviors all establish benchmarks that practitioners in data brokerage, audience targeting, and mobile attribution will need to understand. Advertisers who purchased audience data derived from precise location signals may find themselves downstream of these requirements, given the order's provision requiring CDS to notify customers who received historical location data.
The supplier assessment structure is particularly significant. It effectively requires that any entity receiving third-party location data verify consent at the source - a compliance burden that runs through data supply chains rather than stopping at the end distributor. That same principle underlies the mobile measurement partner ecosystem, where attribution depends on location and identity signals flowing between publishers, SDKs, data brokers, and platforms.
Timeline
- August 2022 - FTC files original complaint against Kochava Inc. in the U.S. District Court for the District of Idaho (Case No. 2:22-cv-00377-BLW), alleging unfair collection and disclosure of precise location data in violation of Section 5 of the FTC Act
- June 5, 2023 - FTC files amended complaint in the Kochava case
- January 2024 - FTC moves to ban InMarket Media from selling or licensing any precise location data, an action structurally parallel to the Kochava complaint
- July 15, 2024 - FTC files second amended complaint against Kochava
- July 2024 - FTC warns that hashed data is not anonymous, reinforcing scrutiny of mobile advertising identifiers
- November 2024 - FTC warns data clean rooms are not a privacy silver bullet
- November 25, 2025 - Kochava launches StationOne, a desktop AI orchestration platform, as the company continues product development while litigation proceeds
- December 15, 2025 - Kochava launches Partner Certification Program recognizing Meta, Google Ads, Snapchat, TikTok, Liftoff, and YouAppi
- February 11, 2026 - Kochava launches Atlas Performance, a supply performance system for premium publishers
- March 2, 2026 - Kochava general counsel Dave Matt and outside counsel Jennifer Reinhardt-Tessmer sign the stipulated order on behalf of defendants
- March 3, 2026 - Kochava expands Certified Partners Program to six additional organizations including LG Ad Solutions and InMobi
- March 25, 2026 - Kochava opens StationOne to public beta with IAB Tech Lab AAMP workspace
- May 4, 2026 - FTC attorneys sign the stipulated order; document filed in the District of Idaho as Case 2:22-cv-00377-BLW Document 137-1
Summary
Who: The Federal Trade Commission, Kochava Inc. (an Idaho-based mobile measurement and data broker company), and Collective Data Solutions, LLC (a Kochava subsidiary that took over its data broker operations), as defendants.
What: A stipulated order for injunction and other relief, resolving the FTC's 2022 lawsuit alleging that Kochava collected, used, and sold precise location data from hundreds of millions of mobile devices without consumer knowledge or consent - including data revealing visits to medical facilities, religious sites, domestic violence shelters, and military installations. The order prohibits selling sensitive location data without affirmative express consent, requires a sensitive location data program and a supplier assessment program, mandates consumer deletion and consent-withdrawal mechanisms, caps data retention to defined timeframes, and requires the deidentification of all historical location data for which consent cannot be confirmed. The order terminates in ten years.
When: The FTC originally filed suit in August 2022. The stipulated order was signed by the defendants on March 2, 2026, and by FTC attorneys on May 4, 2026. It was filed in the U.S. District Court for the District of Idaho on May 4, 2026, and is today before the court for entry.
Where: The U.S. District Court for the District of Idaho, Case No. 2:22-cv-00377-BLW. Kochava is headquartered in Idaho. The FTC's enforcement offices involved are based in Washington, D.C. and Chicago.
Why: The FTC alleged that Kochava's collection and sale of precise location data - without consumer awareness or consent - constituted an unfair act or practice under Section 5 of the FTC Act. Consumers had no means to avoid the resulting harms because they were unaware the data was being collected and sold. The case is part of a sustained FTC enforcement effort targeting data brokers that traffic in precise location data, following similar actions against InMarket and others.