Kochava Sold 94 Billion Location Pings a Month From 35 Million Americans Through an Amazon Subscription—the FTC Just Banned It After 4 Years

On May 4, the Federal Trade Commission filed the proposed final order that ends one of the longest running data broker fights in American privacy enforcement. Kochava Inc. and its subsidiary Collective Data Solutions are now permanently banned from selling, licensing, sharing, or disclosing precise location data tied to "sensitive locations" without affirmative express consent from the consumer whose phone produced the ping.

The numbers in the original complaint are still the most striking part of the case. Kochava's data feed handled 94 billion geo transactions per month, drawing from 125 million monthly active devices and roughly 35 million daily active devices. The feed was offered as a subscription on Amazon Web Services Marketplace for $25,000 a year. The product description called it "rich geo data spanning billions of devices worldwide." The FTC says nobody whose phone fed that feed had any idea their movements were being sold.

The settlement is more than a fine — it is a permanent injunction with a documented sensitive locations list, a supplier audit program, and an ongoing right for consumers to demand a list of every recipient that ever received their data. For an industry that has spent twenty years insisting "anonymized" location data was unregulated, the order is the first time a federal regulator has named the conduct, banned it, and built the reporting infrastructure to make sure it stays banned.

What Was Actually In the Feed

The FTC's amended complaint, refiled in mid 2023 after a first version was dismissed, walked through what the data actually looked like. Each row in Kochava's feed contained a mobile advertising identifier, a precise latitude and longitude, a timestamp accurate to the second, and the device's broader behavioral profile drawn from app usage. The complaint included sample data the agency purchased on the open market — Kochava made it available without verifying who the buyer was or what they planned to do with it.

The categories of place the FTC singled out are the part of the case people remember:

• Reproductive health clinics, including post Dobbs.
• Mental health and addiction recovery facilities.
• Houses of worship.
• Domestic violence survivor shelters.
• Homeless service providers.
• Military and federal law enforcement installations.

Because the feed timestamped every visit and the device identifier was persistent, anyone with the subscription could reconstruct a person's full pattern of life — the apartment they slept in, the clinic they visited at 9 a.m., the support group they attended at 7 p.m. The FTC's complaint described that capability as creating "substantial injury" exposure to stalkers, ex partners, abusive employers, and discriminatory actors. The agency framed it not as a hypothetical privacy harm but as a foreseeable physical safety harm.

The Ban, In Detail

The proposed order, signed on May 4, 2026, runs about thirty pages and contains five operational requirements that go beyond the standard "obtain consent" language privacy regulators usually default to.

First, Kochava and CDS must build and maintain a written list of "sensitive location" categories and the specific addresses or geofences that match each category. The list must be reviewed at least annually. Any data tied to those geofences cannot be sold, shared, or disclosed without affirmative express consent from the consumer, and the consent must be tied to a specific service the consumer requested.

Second, a supplier assessment program. Every upstream partner Kochava buys data from has to be audited to confirm the upstream consent flow actually exists — that is, the SDK in the app the consumer downloaded actually surfaced a meaningful consent prompt. If Kochava cannot verify the upstream consent, it cannot ingest the data. This effectively pushes the burden up the data broker supply chain.

Third, a consumer right to disclosure. Any individual can ask Kochava for the full list of third parties that ever received their location data and demand that those third parties delete it. This mirrors a right that exists under California's CCPA but is now federally enforceable through the FTC consent decree.

Fourth, incident reporting. Kochava must notify the FTC any time it learns a third party recipient misused location data — a clause that almost guarantees future enforcement actions will travel downstream from this one.

Fifth, data retention and deletion schedules with documented destruction certifications. The agency wants a paper trail.

Why This Took Four Years

The Kochava case has the longest procedural history of any FTC privacy case in recent memory. The agency filed in August 2022, citing Section 5 of the FTC Act and the unfair practices doctrine. An Idaho federal judge dismissed the original complaint in May 2023, ruling the FTC had not adequately alleged that the location data feed itself created a "substantial injury" — it was, in the court's view, too speculative. We covered the tentative agreement in February; this May 4 order is the formal sign off, and the operational requirements go well beyond what the announcement covered.

The agency refiled with a much more detailed amended complaint in mid 2023, this time including specific examples of what an attacker could do with the feed and concrete Kochava marketing language pitching the data for behavioral targeting. That version survived a second motion to dismiss in early 2024. Discovery dragged through 2024 and 2025. Kochava sued the FTC right back in 2022, arguing the agency's enforcement was an unconstitutional rulemaking. That counter case was finally dismissed in late 2025, removing the last procedural obstacle to settlement.

The four year arc is a useful reference for how long this kind of enforcement actually takes. The conduct the FTC sued over was happening in 2022. The order banning the conduct landed in 2026. Anyone counting on regulators to keep pace with the data broker industry should treat that as the realistic clock.

Where Kochava Fits in the Bigger Crackdown

The Kochava settlement is the fifth major data broker case the FTC has closed since 2024 and the most operationally specific of them. The earlier orders against InMarket Media, Outlogic (formerly X Mode Social), Gravy Analytics, and Mobilewalla all banned the sale of sensitive location data without consent. Kochava adds the supplier audit program and the consumer disclosure right that the earlier orders left out.

The same trend is showing up at the state level. Virginia banned the sale of geolocation data outright in April, with six more states drafting similar legislation. California regulators have been issuing enforcement letters to ad tech vendors that fire retargeting pixels after a Global Privacy Control opt out signal. The pattern is consistent: the federal enforcement, the state laws, and the private CIPA wiretap class actions are all converging on the same conclusion — that the consent flows the data broker industry has been relying on for the last decade are not actually consent flows.

For compliance officers, the Kochava order is the new template. The five operational requirements — sensitive location list, supplier audit, consumer disclosure right, incident reporting, retention schedules — are the ones the FTC will now ask any data broker to demonstrate before closing an investigation. Anyone running a location data product without those controls is now operating below the federal floor.

The Email Connection Compliance Officers Are About to Notice

The Kochava order is about location data. But the legal theory it rests on — that data identifying a specific person's behavior cannot be sold without explicit, service tied consent — does not stop at GPS coordinates. The FTC has been building toward a broader application of the unfair practices doctrine for two years now. The same framework that says a 35 million phone location feed is unfair without consent is the framework that will eventually be applied to email behavioral data.

Email open tracking, click tracking, and read receipt pixels generate exactly the same kind of behavioral signal Kochava was selling: a unique device or person identifier, a timestamp accurate to the second, a precise location derived from IP geolocation, and a behavioral pattern reconstructed from repeated firings. The marketing email industry has spent twenty years insisting that pixel tracking is just "engagement measurement." The CIPA cases against Forbes and the $100 million in hospital tracking pixel settlements already crossed that line in private litigation. The Kochava order moves the same theory to federal enforcement.

The clearest signal is in the supplier assessment requirement. Under the order, Kochava cannot ingest data unless the upstream SDK presented a meaningful consent prompt to the actual consumer. Apply that test to email tracking and almost every marketing automation platform fails it. A consumer who hands over an email address at checkout has not affirmatively consented to a tracking pixel that fires on every future open and reports their device, IP, and read time back to the merchant. The Kochava framework treats that as the same kind of unauthorized behavioral collection that location SDKs got away with for a decade.

What to Watch Next

Three things to monitor over the next six to twelve months.

The supplier audit reports. Kochava has to submit them annually. The first round will land in mid 2027 and will, for the first time, give the public a documented map of which mobile SDKs in which apps were feeding the data broker industry without proper consent. Expect a second wave of FTC actions to follow against the suppliers named in those reports.

Consumer disclosure requests. The order gives any individual the right to ask Kochava for the full list of recipients of their data. Privacy advocacy groups are already drafting template request letters. The first batch of those requests will surface, in writing, the names of every advertiser, ad tech firm, and political campaign that purchased Kochava data over the last several years.

Email tracking enforcement. The closest analog is what France did to email pixels in the CNIL's July 14 deadline, requiring affirmative consent for tracking pixels in marketing emails. The FTC has not yet brought a Section 5 case against an email pixel vendor, but the Kochava order is the closest thing to a roadmap for one. The first US email tracking enforcement action of this scale is now a question of timing, not whether.

What Individuals Can Do Right Now

Three concrete steps that close the surfaces Kochava and similar brokers exploit.

• Reset and limit your mobile advertising ID. On iPhone, go to Settings > Privacy & Security > Tracking and turn off "Allow Apps to Request to Track." On Android, open Settings > Google > Ads and choose "Delete advertising ID." This single setting starves brokers like Kochava at the source.
• Audit which apps have location permission. On iOS, go to Settings > Privacy & Security > Location Services and remove "Always" access from any app that does not require it for its core function. Most apps requesting location are doing it for the SDK, not for you.
• Treat email addresses as tracking identifiers. The same brokers that bought location data from Kochava also buy email behavioral data from marketing automation vendors. Block the open tracking pixel and you cut off one of the inputs to the same data broker pipeline.

The Bottom Line

For four years the data broker industry argued in court that selling 94 billion location pings a month was lawful because nobody asked the people whose phones produced them. The FTC just put that argument to bed, with a permanent ban, a documented audit program, and a consumer right to know who bought their data. The harder question is which behavioral data the same framework is going to be applied to next, and how long it will take. The answers, based on the four year Kochava clock, are: probably email, and probably less time.