As we had previously blogged, the FTC in guidance following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health indicated that it would aggressively wield its enforcement authority in relation to deceptive statements about location privacy, particularly in the context of what the FTC called “the often shadowy ad tech and data broker ecosystem.” The FTC voiced particular concern about unbeknownst tracking or selling of sensitive location data, such as data that relates to the receipt of medical care (or even just proximity to medical facilities). While it is difficult to know the full extent to which the FTC is putting its words into practice because investigations and settlement negotiations tend to be confidential, a recently filed lawsuit in Idaho suggests that the FTC’s announced focus on location privacy is very real.
Idaho-based Kochava, which offers digital marketing and analytics services, has asked a federal court to grant an injunction against a proposed complaint that was apparently revealed to Kochava by the FTC in settlement talks. The lawsuit characterizes the FTC’s concerns as relating to geolocation data that can be associated with sensitive locations such as therapists, addiction recovery centers, reproductive health centers, and other medical facilities. Kochava argues that data it collects and then sells as part of its business would not permit the buyer of the data to correlate specific location data with a specific individual or, in the alternative, that individuals agreed to the sharing of such data.
The limited window provided by Kochava’s complaint shows both that the FTC is serious about claims made about location data, and also that critical terms like “anonymous” and “anonymized” carry multiple meanings out in the commercial world, meaning they are susceptible to claims of deception brought by the FTC and similar enforcers (such as state attorneys general). This underscores that, while anonymization can be a useful tool for commercializing consumer data, it is important to take into account whether the data is truly anonymized. While anonymization has a clear meaning in the US-based health information context (because HIPAA affirmatively provides one), the concept is more malleable outside of that context and also in other jurisdictions. Indeed, the GDPR treats many categories of information that might informally be referred to as “anonymized” in the US as merely “pseudonymized,” and thus still within the ambit of European regulators. All of which is to say, whether in the US or in Europe, it is important to scrutinize anonymization claims before making them public, as they are likely to remain a regulatory focus.