On May 4, 2026, the Federal Trade Commission announced a proposed stipulated order resolving its 2022 litigation against data broker Kochava and its subsidiary Collective Data Solutions. The order bars the companies from selling sensitive geolocation data without first obtaining consumers' affirmative express consent. The settlement marks a significant milestone in the agency's continuing effort to police the data broker industry and signals a heightened federal posture toward the collection and monetization of consumer location information.
In its complaint, the FTC alleged that the defendants collected, used, and sold mobile device location data that tracked consumer movements to sensitive destinations, including healthcare facilities. According to the agency, these practices constituted unfair acts or practices under Section 5 of the FTC Act because the sale and downstream use of such information exposed consumers to substantial privacy harms that they could not reasonably avoid. The proposed order responds to those concerns by conditioning future sales of sensitive geolocation data on a clear and informed consent standard, rather than implied or bundled authorizations buried in lengthy privacy disclosures.
For businesses that participate in the location data ecosystem, whether as collectors, brokers, advertisers, or downstream purchasers, the settlement carries several important implications. The FTC has made clear that it will scrutinize not only the manner in which consent is obtained, but also the contractual and operational safeguards that govern downstream uses of sensitive data. Companies should anticipate continued enforcement focus on the adequacy of disclosures, the granularity of consumer choices, and the categories of locations treated as sensitive, particularly those revealing health, religious, or other protected activities.
In light of this enforcement action, organizations handling geolocation information should reassess their consent flows, vendor contracts, and data governance programs. Reviewing data inventories, mapping data flows to sensitive categories, and ensuring that consent mechanisms are conspicuous, specific, and revocable can help reduce regulatory and litigation exposure. Companies should also evaluate how downstream partners use and protect any location data they receive, as the FTC has signaled that responsibility extends beyond the point of sale.
This article is provided for general informational purposes only and does not constitute legal advice. Clients should consult qualified counsel for guidance tailored to their specific circumstances.