Feb 28, 2026
This Data Broker Tracked You to Health Clinics and Churches—The FTC Just Made Them Stop
Kochava sold precise location data from hundreds of millions of phones, revealing visits to doctors, shelters, and places of worship. A federal settlement imposes restrictions, but critics say they do not go far enough.
What Kochava Was Selling
Kochava is a mobile analytics company based in Idaho. Through software development kits embedded in popular smartphone apps, it collected precise geolocation data from hundreds of millions of mobile devices, accurate to within 10 feet. It then sold that data to advertisers and other third parties.
That data revealed far more than shopping habits. According to court documents, Kochava's datasets exposed visits to reproductive health clinics, doctors' offices, places of worship, homeless shelters, domestic violence shelters, and addiction recovery facilities. The data included mobile advertising IDs that could be linked back to individual users, along with their age, ethnicity, gender, religious and political affiliations, marital status, parental status, and economic status.
In practical terms, anyone who purchased Kochava's data could see that a specific device visited a Planned Parenthood clinic on Tuesday morning, an addiction recovery center on Thursday evening, and a mosque on Friday afternoon. The data did not just track where phones went. It mapped the most private dimensions of people's lives.
How the Data Got There
Most people never knowingly agreed to share their location with Kochava. The data flowed through a chain of intermediaries. App developers embedded Kochava's SDK in their applications, often as part of advertising or analytics integrations. When users granted location permissions to a weather app or a game, that permission cascaded through to Kochava's data collection infrastructure.
The FTC argued that this data pipeline violated the agency's rules against unfair and deceptive business practices. Users who consented to share their location with a specific app had no meaningful way to know that a data broker in Idaho was aggregating their movements and selling them to anyone willing to pay.
The Settlement Terms
On February 27, 2026, the FTC and Kochava told an Idaho federal judge they had reached a settlement. The case had been in litigation since August 2022, surviving Kochava's attempts to have it dismissed. The settlement imposes six requirements on the company:
- Implement a "privacy block" to prevent sharing location data tied to sensitive locations like health facilities, schools, jails, and places of worship, effective for at least two years
- Stop selling raw location data collected from client app SDKs to third parties
- Provide consumers with a deletion mechanism and a blacklist preventing future data collection
- Require transparency about its data collection and processing practices
- Request proof of user consent from its data sources
- Comply with data use restrictions for machine learning applications
The financial terms are modest. Attorneys received $1.5 million, and individual plaintiffs received up to $2,500 each. For a company that built its business on selling the intimate location patterns of hundreds of millions of people, the penalties are unlikely to change industry behavior on their own.
Why Two Years Is Not Enough
The most critical restriction, the privacy block preventing distribution of sensitive location data, lasts only two years. After that, there is no guarantee the protections continue. Kochava could resume selling data tied to health clinics and religious institutions once the clock runs out.
The settlement also does not address the broader data broker ecosystem. Kochava is one company in an industry that generates billions in revenue by buying and selling personal data. Other data brokers continue to sell the same types of location data without any restrictions. The FTC's action sends a signal, but it does not change the underlying economics that incentivize this kind of surveillance.
The Real-World Consequences
Location data from companies like Kochava has already been used in ways that directly harm individuals. After the Supreme Court overturned Roe v. Wade in 2022, privacy advocates warned that location data from visits to reproductive health clinics could be used to identify and target patients in states where abortion is restricted. Those warnings were not hypothetical. The FTC filed its suit against Kochava specifically because the company's data could trace people to reproductive health facilities.
Beyond reproductive health, the same data reveals who seeks help for addiction, who visits a domestic violence shelter, who attends a specific house of worship, and who goes to a mental health provider. This information can be used for targeted advertising, employment discrimination, insurance decisions, or government surveillance. The FTC's settlement addresses one company, but the data economy that enables this surveillance remains largely intact.
What You Can Do
Until Congress passes comprehensive privacy legislation that restricts the sale of sensitive location data, individuals are left to protect themselves:
- Review app permissions on your phone and revoke location access from apps that do not need it
- Switch location permissions from "Always" to "While Using" for apps that do need location
- Disable your mobile advertising ID (on iPhone: Settings > Privacy & Security > Tracking; on Android: Settings > Privacy > Ads)
- If you are a California resident, use California's Delete Act platform at deleteMyData.com to request data broker deletions
The Kochava settlement is a step forward. But the distance between where we are and where privacy protections need to be remains vast. Your phone is still broadcasting your location to a network of companies you have never heard of, and most of them face no restrictions at all on what they do with that data.