FTC Bars Data Broker Kochava From Selling Sensitive Location Data Without Consent

FTC Bars Data Broker Kochava From Selling Sensitive Location Data Without Consent
The Federal Trade Commission announced a proposed stipulated order on May 4, 2026, and the U.S. District Court for the District of Idaho entered it as final on June 26, 2026, barring data broker Kochava, Inc. and its subsidiary Collective Data Solutions, for a 10-year term, from selling sensitive location data, such as visits to health clinics and houses of worship, without consumers' affirmative express consent.
Information last verified on July 5, 2026. This is a developing story; we update it as the record changes.
Jurisdiction scope: This is a federal enforcement action by the FTC under Section 5 of the FTC Act, resolved through a stipulated order filed in the U.S. District Court for the District of Idaho. It applies specifically to Kochava, Inc. and Collective Data Solutions, LLC; it does not rewrite data broker law nationwide. Separate state data-broker registration and privacy statutes set different, additional rules. See our guides on US data broker registration laws and how to opt out of data brokers.
What Happened
The Federal Trade Commission announced on May 4, 2026 that it had reached a proposed stipulated order resolving its long-running case against Kochava, Inc., an Idaho-based data broker, and its subsidiary Collective Data Solutions, LLC (CDS), which the FTC says has taken over Kochava's data-broker business. The U.S. District Court for the District of Idaho entered the order as final on June 26, 2026.
The case traces back to August 2022, when the FTC sued Kochava, alleging that the company's collection, use, and disclosure of precise location data invaded consumers' privacy by revealing their movements, including visits to sensitive places such as health facilities and places of worship. The case was docketed as FTC v. Kochava, Inc., No. 2:22-cv-00377-BLW, in the U.S. District Court for the District of Idaho. A federal judge dismissed that first complaint in 2023, ruling that the FTC had not adequately alleged the kind of substantial consumer injury that Section 5 of the FTC Act requires. The FTC then filed an amended complaint later in 2023 with additional allegations of real-world harm, and the case survived further motions to dismiss in 2024 before reaching this settlement.
Under the final order, entered by the district court, Kochava and CDS are prohibited, for a 10-year term, from selling, licensing, transferring, sharing, or disclosing sensitive location data in any product or service unless they obtain a consumer's affirmative express consent and the data is used to provide a service the consumer specifically requested. The order defines sensitive locations to include medical facilities, religious organizations, schools and childcare providers, domestic violence shelters, and military or law enforcement installations.
The order also requires Kochava and CDS to build and maintain a sensitive-location-data program and a supplier-consent assessment program. Under the latter, CDS must vet third-party data suppliers to confirm that consumer consent underlies the location data it receives from them, and it must stop using any supplier data for which that consent cannot be verified. The Commission voted 2-0 to approve the proposed order before it was filed with the court.

What the Law Actually Says
The FTC did not bring this case under a dedicated data privacy statute; no federal law specifically regulates the sale of location data by data brokers. Instead, the agency relied on Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce." Its theory was that selling precise, identifiable location data tied to sensitive places causes the kind of consumer injury that Section 5's unfairness prong is meant to reach, even without a statute naming location data specifically. A 2024 ruling on Kochava's motion to dismiss agreed that the FTC had plausibly alleged an unfair practice under that theory, allowing the case to proceed toward this settlement.
Because this is an enforcement order against two specific companies, it is not a new federal statute and does not directly regulate other data brokers. Consumers dealing with other companies still depend on the existing patchwork of state laws covering data brokers, including registration and disclosure requirements. Several states require data brokers to register and disclose their practices; our guide to US data broker registration laws and the Delete Act explains which states require this and how the process works.
Consumers who want to limit how brokers use their location data, beyond what this one order covers, can use the mechanisms described in how to opt out of data brokers. In states with comprehensive privacy statutes, such as California, consumers already have opt-out and deletion rights that predate and extend beyond this settlement; see our guides to California data privacy laws and CCPA opt-out rights. Because location data increasingly feeds AI-driven ad-targeting and analytics tools, the order's consent requirements sit alongside broader questions tracked in our AI and data privacy coverage.

Analysis: Why This Matters
The following is analysis from the Recording Law Editorial Team.
This settlement closes one of the FTC's highest-profile location-data cases, but its practical reach is narrower than the headlines suggest. The order binds Kochava and CDS specifically. Other companies that sell location data tied to sensitive places are not automatically covered by it and are not required to build the same consent programs unless the FTC brings a separate case against them or another law applies to their conduct.
What the case does show is that the FTC's Section 5 unfairness theory can survive an initial dismissal and still produce enforceable relief years later. A court found the agency's first complaint insufficient in 2023, yet an amended complaint with more specific harm allegations kept the case alive and ultimately led to this order. That history matters for how the agency and other companies read the boundaries of unfairness claims involving data that may not be labeled "sensitive" under some state statutes, but becomes sensitive once tied to a specific location, such as a clinic or a shelter.
The case also shows how much ground state law covered while this federal litigation worked its way through the courts. Multiple states adopted data broker registration laws and comprehensive privacy statutes with opt-out and deletion rights during the roughly four years this case was pending, so consumers in many states already had some tools to limit location data sales before this particular order existed.
How This Affects You
If you live in a state with data broker registration or comprehensive privacy laws, you likely already have rights to request deletion of your data or opt out of its sale, independent of this FTC order. If your concern is specifically about location data tied to visits to clinics, shelters, or other sensitive places, check whether the company involved is Kochava or Collective Data Solutions. If it is a different data broker, this order does not apply to it, and you would need to rely on state law tools or that company's own privacy policy and opt-out process.
This is general legal information, not legal advice. It covers a federal FTC enforcement action and reflects sources verified on July 5, 2026. Laws change and this story is developing; consult a lawyer licensed in your jurisdiction about your specific situation.
Sources
- FTC to Ban Kochava and Subsidiary from Selling Sensitive Location Data to Settle Charges They Sold Location Data Linked to Millions of Mobile Devices (Federal Trade Commission press release)
- FTC v. Kochava, Inc., case page (Federal Trade Commission)
- Proposed stipulated order, Case No. 2:22-cv-00377-BLW, Document 137-1 (Federal Trade Commission)
- FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of Worship, and Other Sensitive Locations, Federal Trade Commission press release, August 2022
Related articles
- US Data Broker Registration Laws & the Delete Act
- How to Opt Out of Data Brokers
- AI and Data Privacy
- California Data Privacy Laws
- CCPA Opt-Out Rights
Last updated: 2026-07-05. This is a developing story; details verified as of 2026-07-05.
Frequently Asked Questions
Is it legal for companies to sell my location data?
It depends on the company and your state. No federal law broadly bans selling location data, but the FTC's 2026 order, finalized by the court in June 2026, specifically bars Kochava and Collective Data Solutions from selling 'sensitive' location data, tied to places like clinics or houses of worship, without your affirmative express consent. Other data brokers are governed by whatever state laws apply to them and their own privacy policies, not automatically by this order.
What counts as 'sensitive location data' under the FTC's Kochava order?
Under this order, sensitive location data means precise location information tied to places including medical facilities, religious organizations, schools and childcare providers, domestic violence shelters, and military or law enforcement installations.
Does this FTC order apply to every data broker?
No. The order applies only to Kochava, Inc. and its subsidiary, Collective Data Solutions, LLC. It does not create a nationwide rule binding other data brokers, though it may signal how the FTC could evaluate similar practices by other companies.
How can I stop data brokers from selling my location data?
You can submit opt-out requests to individual data brokers, check whether your state has a data broker registry or opt-out law, and review the location permissions you have granted to apps on your phone. Our guide on how to opt out of data brokers walks through the steps in more detail.
What is the legal basis for the FTC's action against Kochava?
The FTC relied on Section 5 of the FTC Act, which prohibits unfair or deceptive practices. It argued that selling identifiable, precise location data tied to sensitive places was an unfair practice, rather than arguing that Kochava violated a specific privacy statute.
When did the FTC finalize the Kochava order?
The FTC announced a proposed stipulated order on May 4, 2026, and the U.S. District Court for the District of Idaho entered it as final on June 26, 2026, resolving a case the FTC first filed against Kochava in August 2022.
Did the FTC find that Kochava broke the law, or is this a settlement?
This is a stipulated order resolving the litigation, not a finding of liability entered by a court after trial. Kochava and Collective Data Solutions agreed to the order's terms to resolve the FTC's claims.
Sources and References
- FTC to Ban Kochava and Subsidiary from Selling Sensitive Location Data to Settle Charges They Sold Location Data Linked to Millions of Mobile Devices (Federal Trade Commission press release, May 4, 2026)(ftc.gov).gov
- FTC v. Kochava, Inc., case page (Federal Trade Commission)(ftc.gov).gov
- Proposed stipulated order, Case No. 2:22-cv-00377-BLW, Document 137-1 (Federal Trade Commission)(ftc.gov).gov
- FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of Worship, and Other Sensitive Locations (Federal Trade Commission press release, August 2022)(ftc.gov).gov