Federal Trade Commission v. Kochava, Inc.
Filing
71
MEMORANDUM DECISION AND ORDER - IT IS ORDERED that Defendant's Motion to Dismiss First Amended Complaint (Dkts. 33 & 34) is DENIED. Signed by Senior Judge B. Lynn Winmill. (caused to be mailed to non Registered Participants at the addresses listed on the Notice of Electronic Filing (NEF) by (mhw))
<![CDATA[
UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF IDAHO
FEDERAL TRADE COMMISSION,
Plaintiff,
Case No. 2:22-cv-00377-BLW
MEMORANDUM DECISION AND
ORDER
v.
KOCHAVA, INC.,
Defendant.
INTRODUCTION
Before the Court is Defendant Kochava, Inc.’s Motion to Dismiss First
Amended Complaint Pursuant to Fed. R. Civ. P. 12(b)(6) (Dkts. 33 & 34). The
motion is fully briefed, and the Court has determined that oral argument would not
aid in the decisional process. For the reasons explained below, the Court will deny
the motion.
BACKGROUND 1
1.
This Lawsuit
The Federal Trade Commission (FTC) claims that Kochava, Inc. is violating
Section 5(a) of the Federal Trade Commission Act (the “FTC Act”) by aggregating
1
At this stage, the Court must assume the truth of the FTC’s factual allegations.
MEMORANDUM DECISION AND ORDER - 1
and selling vast amounts of data collected from mobile devices. See Am. Compl.,
Dkt. 26. The FTC argues that Kochava’s data sales invade consumers’ privacy and
expose them to risks of secondary harms by third parties. Thus, according to the
FTC, Kochava is engaging in an “unfair . . . act or practice” prohibited by Section
5(a) of the FTC Act, 15 U.S.C. § 45(a)(1). To prevent Kochava from continuing to
do so, the FTC seeks a permanent injunction under Section 13(b), 15 U.S.C.
§ 53(b).
In its original Complaint (Dkt. 1), the FTC focused on one subset of
Kochava’s data: geolocation coordinates. The FTC alleged that, by linking mobile
device location coordinates to Mobile Advertising IDs (MAIDs), Kochava enables
its customers to identify specific device users who have visited certain sensitive
locations. According to the FTC, Kochava’s geolocation data invades consumers’
personal privacy and creates a risk that third parties will target consumers based
upon their visits to certain sensitive locations, such as abortion clinics.
2.
Dismissal of the Original Complaint
On October 28, 2022, Kochava moved to dismiss the FTC’s original
Complaint and the Court held oral argument on February 21, 2023. Dkt. 20.
Ultimately, the Court dismissed the Complaint because it lacked adequate
allegations that Kochava’s data sales “cause[] or [are] likely to cause” a
“substantial injury” to consumers, as required by Section 5(n) of the FTC Act. See
MEMORANDUM DECISION AND ORDER - 2
Mem. Decision & Order at 24–25, Dkt. 24. Although the Court held that both of
the FTC’s theories of consumer injury were legally plausible, it concluded that the
alleged injury did not rise to the requisite level of substantiality.
Under the FTC’s first theory, Kochava’s data sales create a risk of secondary
harm to consumers. That is, Kochava’s customers could use the geolocation data to
identify mobile device users who have visited sensitive locations and, based on
inferences arising from that information, inflict secondary harms including stigma,
discrimination, physical violence, and emotional distress. Compl. ¶ 29, Dkt. 1. The
Court agreed that a company could substantially injure consumers within the
meaning of Section 5(n) by selling their sensitive location information and thereby
subjecting them to a significant risk of suffering concrete harms at the hands of
third parties. Mem. Decision & Order at 14, Dkt. 24. However, the Court found
insufficient allegations as to the significance of such risks in this case. The Court
explained that to adequately plead this theory of consumer injury, the FTC must
“go one step further and allege that Kochava’s practices create a ‘significant risk’
that third parties will identify and harm consumers.” Id. at 17.
Under the FTC’s second theory, Kochava’s geolocation data deprives
consumers of their privacy. That is, the loss of privacy—rather than some
secondary harm that could flow from the disclosure of the information—is itself an
injury to consumers. The Court also agreed that this theory is legally plausible but
MEMORANDUM DECISION AND ORDER - 3
concluded that the privacy intrusion alleged in the Complaint was not severe
enough to constitute a “substantial injury” under Section 5(n).
The Court dismissed the Complaint but gave the FTC an opportunity to file
an amended complaint containing additional factual allegations. The FTC did so,
filing its Amended Complaint (Dkt. 26) on June 26, 2024. Kochava promptly
moved to dismiss the Amended Complaint under Rule 12(b)(6), arguing that the
FTC has not cured the deficiencies identified in the Court’s prior Memorandum
Decision and Order, Dkt. 24. As explained below, the Court disagrees.
LEGAL STANDARD
To survive a motion to dismiss, a complaint must contain sufficient factual
matter, accepted as true, to “state a claim to relief that is plausible on its face.” Bell
Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007). “[D]ismissal may be based
on either a lack of a cognizable legal theory or the absence of sufficient facts
alleged under a cognizable legal theory.” Johnson v. Riverside Healthcare Sys.,
534 F.3d 1116, 1121 (9th Cir. 2008) (cleaned up). However, Rule 12(b)(6) “does
not impose a probability requirement at the pleading stage; it simply calls for
enough facts to raise a reasonable expectation that discovery will reveal evidence”
of the truth of the allegations. Twombly, 550 U.S. at 556.
Section 5(a) of the FTC Act prohibits “unfair” and “deceptive” acts or
practices that harm consumers or competitors. 15 U.S.C. § 45(a). And Section
MEMORANDUM DECISION AND ORDER - 4
13(b) of the same statute authorizes the FTC to seek injunctive relief if it “has
reason to believe” that a business “is violating, or is about to violate, any provision
of law enforced by the [FTC],” including Section 5(a). 15 U.S.C. § 53(b). To
demonstrate that an act or practice is “unfair” under Section 5(a), the FTC must
prove that it “[1] causes or is likely to cause substantial injury to consumers which
is [2] not reasonably avoidable by consumers themselves and [3] not outweighed
by countervailing benefits to consumers or to competition.” 15 U.S.C. 45(n); see
also Mem. Decision & Order, Dkt. 24.
DISCUSSION
According to the FTC, Kochava sells a substantial amount of data obtained
from millions of mobile devices across the world. This includes precise
geolocation data and a “staggering amount of sensitive and identifying
information,” including device users’ “names, MAIDs, addresses, phone numbers,
email addresses, gender, age, ethnicity, yearly income, ‘economic stability,’
marital status, education level, political affiliation, ‘app affinity’ (i.e. what apps
consumers have installed on their phones), app usage,” and “interests and
behaviors.” Am. Compl. ¶¶ 11, 16 & 20, Dkt. 26. By selling this data, the FTC
claims, Kochava substantially harms consumers in violation of Section 5(a) of the
FTC Act. See 15 U.S.C. § 45(a) & (n).
MEMORANDUM DECISION AND ORDER - 5
The FTC’s claim is legally and factually plausible. In other words,
Kochava’s practice of selling vast amounts of data about mobile device users may
violate Section 5(a) by depriving consumers of their privacy and exposing them to
significant risks of secondary harms. The FTC’s Amended Complaint significantly
expands the factual allegations in its original Complaint, and it easily satisfies the
liberal plausibility standard.
1.
The FTC’s Allegations
The Amended Complaint focuses on four of Kochava’s data products:
geolocation data, the Database Graph, the App Graph, and audience segments. A
summary of each product may be helpful.
Geolocation Data. Kochava’s geolocation data feeds contain timestamped
latitude and longitude coordinates and associated MAIDs from “125 million
monthly active users, and 35 million daily active users, on average observing more
than 90 daily transactions per device.” Am. Compl. ¶¶ 27 & 30, Dkt. 26. The
coordinates can pinpoint a device’s location within less than 10 meters “for at least
the past year” and reflect “movements as recent as the prior day.” Id. ¶ 26.
Database Graph. Kochava’s Database Graph contains “comprehensive
profiles of individual consumers,” with up to “300 data points” for “over 300M
unique individuals.” Id. ¶ 46. A given profile may contain a device user’s name,
address, phone number, MAID, ethnicity, gender identity, date of birth, status as a
MEMORANDUM DECISION AND ORDER - 6
minor, status as a parent and number of children, political association, marital
status, education, economic status, employment, languages spoken, device settings,
and social media presence. Id. ¶¶ 47–49, 53.
App Graph. Kochava’s App Graph shows device users’ activities in
particular mobile device applications. The graph contains usage information and
the associated MAIDs from over 275,000 mobile apps, including app names, the
dates and lengths of app usage, the type of actions taken in the apps, and the
amount of money spent in the apps. Am. Compl. ¶¶ 60 & 61, Dkt. 26. For
example, the App Graph would show whether a device user has downloaded an
LGBTQ+ dating app, a Muslim prayer app, or an app for monitoring specific
health concerns, like cancer or sexually transmitted infections. Id. ¶ 62.
Audience Segments. Kochava also sells “audience segments,” which are
“subsets of its database of consumer information that identify consumers based on
interests or characteristics.” Id. ¶ 64. For example, device users can be sorted by
geography, demography, points of interest, web usage, political associations,
parental status, or religious affiliations. Id. ¶¶ 64–76. Thus, one of Kochava’s
customers could generate a list of devices—with each device linked to a MAID—
that are used by expecting parents, or pregnant people, or those with particular
gender identities, or those associated with other specified interests or
characteristics. Id. ¶ 67–76.
MEMORANDUM DECISION AND ORDER - 7
The FTC claims that Kochava’s customers “can and do purchase any and all
of this data.” 2 Am. Compl. ¶ 23, Dkt. 26. Consequently, although the data is
contained in separate collections, it “is not anonymized and is linked or easily
linkable to individual consumers.” Id. ¶ 77. For example, drawing upon data
contained in Kochava’s various collections, a customer could identify “a woman
who visits a particular building, the woman’s name, email address, and home
address, and whether the woman is African-American, a parent (and if so, how
many children), or has an app identifying symptoms of cancer on her phone.” Id.
¶ 23. And the customer could do this without “min[ing] other sources of data,”
because “[t]his ability is a featured product of Kochava.” Id. ¶¶ 80 & 81, Dkt. 26
(“For example, Kochava advertises that customers are able to search through its
‘500M+ MAIDs’ to identify, among other things, the consumer’s name, address,
phone number, email address, gender, age, yearly income, ‘economic stability,’
marital status, education level, app affinity, and interests and behaviors.”).
According to the FTC, Kochava’s data sales harm consumers in two distinct
ways. First, by putting them at an increased risk of suffering secondary harms,
such as stigma, discrimination, physical violence, and emotional distress. And
2
To be clear, Kochava adamantly disputes the truth of this allegation. Def.’s Memo. in
Supp. Of Motion for Sanctions Under Rule 11 at 9, Dkt. 40-1 (“Kochava’s customers neither do
nor can they purchase all of this data, which are all separate, non-overlapping feeds and products
without linkages to one another.”). But, of course, this is not the time for resolving factual
disputes.
MEMORANDUM DECISION AND ORDER - 8
second, by invading their privacy. The FTC has alleged facts sufficient to proceed
under both theories.
2.
Theory #1: Increased Risk of Secondary Harms
First, the FTC claims that Kochava’s practices expose consumers to
significant risks of secondary harms, including “stigma, discrimination, physical
violence, [and] emotional distress.” Am. Compl. ¶ 97, Dkt. 26. By using
Kochava’s precise geolocation data, the FTC explains, Kochava’s customers can
target consumers who have visited certain sensitive locations. Id. ¶ 98. The FTC
identifies two factors that “exacerbate[]” those risks. First, the “lack of controls
surrounding who accesses this data, and how those entities use it.” Id. ¶ 99. And
second, Kochava’s practice of linking geolocation data to MAIDs and thereby
making it “easy” to “identify[] consumers by name or other identifying
information[.]” Id. ¶ 100.
Unlike the original Complaint, the Amended Complaint contains allegations
that the targeting of consumers based on geolocation data “has and does occur.” Id.
¶ 101. To illustrate, the FTC provides several real-world examples of harms
inflicted on device users due to the disclosure of their geolocation and app-use
data. Id. ¶¶ 101 & 104–05. Kochava responds that none of the FTC’s “anecdotes”
involve its own data. Def.’s Reply at 7, Dkt. 51. But that misses the point. Under
Section 5(n), the FTC must allege that Kochava’s acts or practices cause or are
MEMORANDUM DECISION AND ORDER - 9
likely to cause substantial injury to consumers. 15 U.S.C. § 45(n). By
demonstrating that harms have resulted from the sale of similar mobile device data,
the FTC supports its claim that Kochava’s practices are likely to cause consumer
injury.3
In sum, the FTC plausibly alleges that Kochava causes or is likely to cause
substantial injury to consumers by selling “massive amounts of private and
encyclopedic information” that puts consumers at a significant risk of suffering
secondary harms. Pl.’s Resp. at 1, Dkt. 45.
3.
Theory #2: Invasion of Privacy
The FTC’s second theory of consumer injury is also plausible. Kochava’s
practices arguably inflict a substantial injury on consumers by invading their
privacy. As this Court previously explained, privacy has long been a legally
protected interest at the state, local, and federal levels. See Mem. Decision and
Order at 19, Dkt. 24. Accordingly, an invasion of privacy may constitute an injury
that gives rise to liability under Section 5(a). Id. The remaining question is simply
3
Kochava also argues that the alleged consumer injury “is not caused by Kochava but
instead by some unknown third parties.” Def.’s Memo. in Supp. at 10, Dkt. 33-1. However, as the
Court already explained, Section 5(a) does not require that the defendant be the one actually
inflicting the ultimate harm. See Mem. Decision & Order at 15–16, Dkt. 24 (“[A] defendant can
‘cause’ substantial injury under Section 5(n) merely by creating ‘a significant risk of concrete
harm.’”) (quoting Neovi, Inc., 604 F.3d at 1157).
MEMORANDUM DECISION AND ORDER - 10
whether the alleged privacy intrusion rises to the requisite level of “substantial”
injury. See id. at 22. It does.
Both the United States Supreme Court and the Ninth Circuit Court of
Appeals have recognized the unique threat that modern technology can pose to
privacy rights. See Patel v. Facebook, Inc., 932 F.3d 1264, 1272 (9th Cir. 2019)
(“[A]dvances in technology can increase the potential for unreasonable intrusions
into personal privacy.”). In Carpenter v. United States, for example, the Supreme
Court addressed the expectation of privacy in cell phone location records. 138
S.Ct. 2206, 2217 (2018).4 The Court explained that cell phones have become
“almost a feature of human anatomy,” and consequently, historic cell phone
location data—unlike the real-time GPS monitoring at issue in United States v.
Jones, 565 U.S. 400 (2012)—“provides an intimate window into a person's life,
revealing not only his particular movements, but through them his ‘familial,
political, professional, religious, and sexual associations.’” Id. at 2217–18 (internal
quotations omitted).
The Ninth Circuit recently applied the principle from Carpenter in a case
more factually similar to this one. See In re Facebook, Inc. Internet Tracking
4
Although Carpenter arose in the Fourth Amendment context, the Ninth Circuit has
“found analogies to Fourth Amendment cases applicable when deciding issues of privacy related
to technology.” In re Facebook Internet Tracking Litig., 956 F.3d 589 (9th Cir. 2020). This
Court does, too.
MEMORANDUM DECISION AND ORDER - 11
Litigation, 956 F.3d 589 (9th Cir. 2020). There, social media users sued Facebook
for using plug-ins to track their internet browsing histories across third-party
websites, and for compiling that data into “personal profiles which [were] sold to
advertisers to generate revenue.” Id. at 596. The court denied Facebook’s motion to
dismiss and held that compiling “highly personalized profiles from sensitive
browsing histories and habits” plausibly constituted a “highly offensive” invasion
of privacy. Id. at 606. Indeed, the court explained, modern technology has enabled
the collection of “otherwise unknowable” information that “‘implicates privacy
concerns’ in a manner different from traditional intrusions as a ‘ride on horseback’
is different from ‘a flight to the moon.’” Id. at 603 (quoting Patel, 932 F.3d at
1273).
Kochava allegedly provides its customers with vast amounts of essentially
non-anonymized information about millions of mobile device users’ past physical
locations, personal characteristics (including age, ethnicity, and gender), religious
and political affiliations, marital and parental statuses, economic statuses, and
more. In doing so, Kochava does not merely sell “bits and pieces” of data that are
available through other lawful means. See In re Google Location History Litig.,
428 F.Supp.3d 185, 198 (N.D. Cal. 2019). Rather, it sells comprehensive,
aggregated collections of raw and synthesized data designed to give its customers a
“360-degree perspective” on the unique traits of millions of individual device
MEMORANDUM DECISION AND ORDER - 12
users. Am. Compl. ¶ 80, Dkt. 26. This alleged invasion of privacy—which is
substantial both in quantity and quality—plausibly constitutes a “substantial
injury” to consumers. See Neovi, Inc., 604 F.3d at 1157 (“An act or practice can
cause substantial injury by doing a small harm to a large number of people.”)
(internal quotation omitted).
Kochava emphasizes that its data only inferentially reveals information
about device users. This Court previously noted that inferences based on
geolocation data, alone, can be unreliable. See Mem. Decision & Order at 22–23,
Dkt. 24. But that conclusion is less applicable to the allegations in the FTC’s
Amended Complaint. According to the FTC’s new allegations, Kochava itself
makes inferences about consumers, rather than simply providing raw data from
which its customers could make inferences. See Pl.’s Resp. at 16–18, Dkt. 45.
Moreover, those inferences are generally more reliable than inferences drawn
solely from geolocation data. For example, data revealing a device user’s daily use
of an app specifically designed to track and manage cancer treatments leaves little
to the imagination.
4.
Conclusion
In sum, the FTC claims that Kochava sells vast amounts of “highly granular”
personal information about millions of people in a format that is essentially nonanonymized. Pl.’s Resp. at 3, Dkt. 45. That data can reveal a person’s political and
MEMORANDUM DECISION AND ORDER - 13
religious affiliations, sexual orientation, medical conditions, and much more. By
selling that data, Kochava arguably invades consumers’ privacy and exposes them
to significant risks of secondary harms. Accordingly, the FTC has stated a
plausible claim under Section 5(a) of the FTC Act, and the Court will deny
Kochava’s request to dismiss this case.
ORDER
IT IS ORDERED that Kochava’s Motion to Dismiss First Amended
Complaint Pursuant to Fed. R. Civ. P. 12(b)(6) (Dkts. 33 & 34) is DENIED.
DATED: February 3, 2024
_________________________
B. Lynn Winmill
U.S. District Court Judge
MEMORANDUM DECISION AND ORDER - 14
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
