The era in which a precise location feed tracking tens of millions of mobile devices could be sold to almost any buyer with a credit card is closing. On June 26, 2026, the regulatory picture around the data broker Kochava, Inc. crystallized: a nearly four-year Federal Trade Commission enforcement effort has resolved into a binding prohibition on the sale of sensitive geolocation data, landing at the same moment that California’s Delete Act and its new DROP portal impose hard operational deadlines on the entire data-broker industry. For the first time, a federal unfair-practices theory and a state deletion-rights regime are converging on the same target: the trade in data that reveals where people go and, by extension, who they are.

This article examines what the Kochava matter establishes under Section 5 of the FTC Act, how the “sensitive location” data theory works, how the California Delete Act and DROP change the operating model for brokers, and what brokers and the companies that buy or share location data must do now.

How Kochava Got Here

Kochava is an Idaho-based mobile analytics and data broker firm. In August 2022, the FTC sued the company, alleging that its collection, use, and sale of precise geolocation data from hundreds of millions of mobile devices constituted an unfair practice. The core factual allegation was simple and damaging: Kochava’s data could be used to trace an individual device’s movements to and from sensitive locations — reproductive health clinics, places of worship, domestic violence shelters, addiction treatment centers, and more — and the data was sold with minimal restriction on who could buy it or how it could be used.

The litigation did not run smoothly for the agency. In May 2023, U.S. District Court Judge B. Lynn Winmill granted Kochava’s motion to dismiss, ruling that the FTC’s initial complaint failed to adequately allege a substantial consumer injury. The FTC amended its complaint with more detailed allegations about the nature of the harm — including the risk of secondary harms such as stigma, discrimination, physical violence, and emotional distress — and that amended complaint survived a second motion to dismiss in 2024. That survival was the inflection point. It signaled that a properly pleaded “sale of sensitive location data” theory could clear the unfairness bar, and it set the stage for settlement.

In May 2026, the FTC announced a proposed stipulated order resolving the case against Kochava and its subsidiary, Collective Data Solutions, LLC. The Commission approved the order on a 2-0 vote. By late June 2026, the settlement framework was the operative reality for the industry, and its terms function as a template for how the FTC views the entire sector.

The Regulatory Framework: Section 5 Unfairness

The legal engine of the Kochava case is Section 5 of the FTC Act, 15 U.S.C. § 45, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” Most consumer-facing privacy enforcement leans on the deception prong — a company says one thing in its privacy policy and does another. Kochava is significant because it rests primarily on the unfairness prong, which does not require any broken promise at all.

Under 15 U.S.C. § 45(n), a practice is unfair when it (1) causes or is likely to cause substantial injury to consumers that (2) is not reasonably avoidable by consumers themselves and (3) is not outweighed by countervailing benefits to consumers or competition. The FTC’s theory maps each element onto the location-data trade:

  • Substantial injury. The exposure of a person’s visits to a cancer clinic, an abortion provider, a mosque, or a shelter is itself an invasion of privacy that creates risks of stigma, discrimination, harassment, and physical harm. The FTC argued that this intangible-but-serious injury, aggregated across millions of devices, is substantial.
  • Not reasonably avoidable. Consumers generally have no idea that an app’s embedded location SDK is feeding a broker, no practical way to identify the downstream buyers, and no meaningful ability to opt out of a market they cannot see.
  • No offsetting benefit. The FTC found that whatever commercial value the raw, sensitive feed provided did not outweigh the privacy harm, particularly when consent-based or aggregated alternatives exist.

The remedy reflects the theory. The proposed order bans Kochava and CDS from selling, licensing, transferring, sharing, or disclosing sensitive location data unless the consumer has given affirmative express consent and the data is used to deliver a service the consumer actually requested. The order specifically enumerates categories of sensitive locations — medical and reproductive health facilities, religious organizations, schools and childcare providers, domestic violence shelters, and military and federal law enforcement installations — that cannot be sold absent that opt-in consent. Beyond the prohibition, Kochava must, within 90 days, stand up a comprehensive privacy program featuring board-level reporting, a designated privacy officer, annual employee training, and recurring risk assessments. It must also report to the FTC within 30 days any discovery that a downstream customer violated contractual restrictions on the broker’s location data.

What “Sensitive Location” Theories Actually Mean

The phrase sensitive location data is now a term of art, and understanding it is essential because it defines the scope of liability.

The theory treats precise geolocation tied to a sensitive place as inherently revealing of protected attributes — health status, religion, sexual or reproductive activity, immigration status, or status as a domestic violence survivor. A latitude/longitude point at a methadone clinic at 8 a.m. on consecutive weekdays is not just a coordinate; it is a near-certain inference about a person’s medical condition. The FTC’s position, echoed in the Kochava order and in its earlier settlements with X-Mode/Outlogic and InMarket, is that this category of data warrants heightened treatment regardless of whether a name is attached. De-identification claims do not defeat the theory, because device identifiers and location patterns are notoriously re-identifiable.

Two practical consequences follow. First, the burden shifts to anyone handling location data to identify and geofence sensitive locations and to suppress or block data points that fall within them, unless they hold valid opt-in consent. Second, affirmative express consent becomes the central compliance artifact — and the FTC’s standard is genuine opt-in for the specific use, not a pre-checked box buried in a privacy policy.

The State Front: California’s Delete Act and DROP

Even as the FTC settled, the regulatory center of gravity was already shifting toward the states, and California’s Delete Act (Cal. Civ. Code §§ 1798.99.80 et seq.) is the most consequential development. Administered by the California Privacy Protection Agency (CPPA / CalPrivacy), the Delete Act overhauls the state’s data-broker registry and creates a single mechanism for consumers to demand deletion across the entire industry at once.

That mechanism is the Delete Request and Opt-out Platform (DROP). The key dates and obligations for 2026:

  • January 1, 2026 — California residents can begin submitting deletion requests through DROP, and the Delete Act’s updated registration and disclosure requirements take effect. Brokers must register independently with CalPrivacy and pay applicable fees; failure to register itself carries penalties.
  • August 1, 2026 — Registered data brokers must begin honoring DROP. From this date, a broker must access DROP at least once every 45 days, retrieve the list of consumers who have requested deletion, process those deletions within 45 days, direct its service providers and contractors to delete the same information, and report status back through the platform.

The penalty structure is what gives DROP teeth. Under the Delete Act, a broker faces a fine of $200 for each deletion request for each day it fails to delete the information. Critically, failing to check DROP within the 45-day interval is an independent violation — penalties accrue not only for failing to act on requests, but for failing to look for them in the first place. Because DROP applies to all registered brokers simultaneously, a single consumer’s deletion request propagates across the industry, and noncompliance is centrally visible to the regulator.
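The two clocks described above (the 45-day access interval and the 45-day deletion window) can be audited from a broker's own logs. The following is an added example, not code from DROP or CalPrivacy; the log layout, function names, and sample dates are hypothetical, and it assumes the deletion window runs from the day a request was retrieved and that the $200 figure accrues per day past that window.

```python
from datetime import date, timedelta

CHECK_INTERVAL = timedelta(days=45)  # maximum gap between DROP accesses
DELETE_WINDOW = timedelta(days=45)   # time allowed to process a request
FINE_PER_REQUEST_DAY = 200           # USD per request per day, as stated above

def access_gaps(access_dates, as_of):
    """Return (start, end, days) for every stretch longer than 45 days with no
    DROP access, including the open stretch from the last access to as_of."""
    days = sorted(access_dates) + [as_of]
    return [(a, b, (b - a).days) for a, b in zip(days, days[1:])
            if b - a > CHECK_INTERVAL]

def overdue_deletions(requests, as_of):
    """requests: (request_id, retrieved_on, deleted_on or None) tuples.
    Returns {request_id: days past the deletion window}. Assumption: the
    window runs from the day the broker retrieved the request."""
    late = {}
    for request_id, retrieved_on, deleted_on in requests:
        due = retrieved_on + DELETE_WINDOW
        finished = deleted_on or as_of   # still open: measure up to as_of
        if finished > due:
            late[request_id] = (finished - due).days
    return late

def exposure_usd(late):
    """Illustrative exposure: $200 x request x day late (assumed accrual)."""
    return FINE_PER_REQUEST_DAY * sum(late.values())

# Constructed sample data: dates and request IDs are invented.
AS_OF = date(2026, 11, 20)
ACCESS_LOG = [date(2026, 8, 1), date(2026, 9, 10), date(2026, 11, 2)]
REQUESTS = [("r-001", date(2026, 8, 1), date(2026, 9, 1)),
            ("r-002", date(2026, 8, 1), date(2026, 9, 20)),
            ("r-003", date(2026, 9, 10), None)]
GAPS = access_gaps(ACCESS_LOG, AS_OF)
LATE = overdue_deletions(REQUESTS, AS_OF)
```

Running the two checks separately matters because a missed access interval is flagged even when every retrieved request was deleted on time.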

Layered on top of the FTC’s federal action and California’s framework is sustained pressure from state attorneys general and renewed attention from the Consumer Financial Protection Bureau (CFPB), which has explored treating certain data brokers as consumer reporting agencies under the Fair Credit Reporting Act when their products are used for eligibility decisions. The combined effect is that a broker can no longer treat any single regulator as the whole of its exposure.

What Brokers and Their Customers Must Do Now

The Kochava order is, in practice, a published enforcement standard. Companies that sell, buy, or merely embed location-collection capabilities should assume the FTC and state regulators will measure them against it.

Compliance Checklist: Data Brokers

  • Register and re-register. Confirm California Delete Act registration with CalPrivacy and verify status in any other state broker registries (e.g., Texas, Oregon, Vermont).
  • Wire up DROP now. Build and test the technical integration to pull DROP requests every 45 days, execute deletions within the window, and post status — well ahead of the August 1, 2026 deadline. Treat the 45-day check itself as a hard, logged control.
  • Map and geofence sensitive locations. Maintain a current list of medical, reproductive health, religious, educational, shelter, and government/military sites, and suppress data points that fall within them absent valid consent.
  • Make affirmative express consent provable. Do not sell sensitive location data without documented opt-in tied to a service the consumer requested. Retain the consent record.
  • Police downstream use by contract and audit. Impose use restrictions on every buyer, monitor for violations, and build the capability to report breaches of those restrictions to the FTC within 30 days.
  • Stand up a privacy program. Designate accountable ownership, report to the board, train staff annually, and run recurring risk assessments and testing — the exact structure the Kochava order mandates.
  • Cascade deletions to processors. Ensure service providers and contractors delete on instruction and can attest to it.
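The geofence-and-suppress control from the sensitive-location discussion and the checklist item above can be sketched as a release filter. This is an added example, not code from the Kochava order or any vendor; the record types, category labels, radii, and sample coordinates are hypothetical, and consent is modelled as a set of (device, category) pairs backed by a stored opt-in record.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000

@dataclass(frozen=True)
class Geofence:            # hypothetical record for one sensitive site
    category: str          # e.g. "medical", "religious"
    lat: float
    lon: float
    radius_m: float

@dataclass(frozen=True)
class Ping:                # hypothetical record for one location point
    device_id: str
    lat: float
    lon: float

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def filter_for_release(pings, fences, consent):
    """Split pings into (released, suppressed).

    consent is a set of (device_id, category) pairs backed by a stored opt-in
    record. A ping inside overlapping fences needs consent for every category
    it touches; anything else is suppressed (fail closed).
    """
    released, suppressed = [], []
    for p in pings:
        hit = {f.category for f in fences
               if haversine_m(p.lat, p.lon, f.lat, f.lon) <= f.radius_m}
        missing = sorted(c for c in hit if (p.device_id, c) not in consent)
        if missing:
            suppressed.append((p.device_id, missing))
        else:
            released.append(p)
    return released, suppressed

# Constructed sample data: coordinates, device IDs and consent pairs are invented.
FENCES = [Geofence("medical", 43.6150, -116.2023, 150),
          Geofence("religious", 43.6155, -116.2020, 100)]
PINGS = [Ping("d1", 43.6151, -116.2023),   # inside both fences
         Ping("d2", 43.6150, -116.2023),   # inside both fences
         Ping("d3", 43.6500, -116.2500),   # kilometres away
         Ping("d4", 43.6170, -116.2023)]   # near, but outside both radii
CONSENT = {("d1", "medical"), ("d2", "medical"), ("d2", "religious")}
RELEASED, SUPPRESSED = filter_for_release(PINGS, FENCES, CONSENT)
```

Device `d1` is suppressed even though it holds a medical opt-in, because the same point also falls inside the religious-site fence; the suppression list records which category lacked consent so the decision can be audited.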

Compliance Checklist: Companies That Buy or Share Location Data

  • Inventory your SDKs. Audit every mobile location SDK and analytics tool in your apps. Know who receives the data, in what precision, and under what contract. Many companies are unknowing data sources, not just buyers.
  • Minimize precision. Collect the coarsest location that serves the purpose. Avoid precise lat/long where a region, city, or aggregate suffices.
  • Honor consumer signals. Implement opt-in for sensitive uses and respect opt-out preference signals (e.g., Global Privacy Control), which California’s framework treats as binding.
  • Diligence your data sources. If you buy location data, demand proof of consent provenance and sensitive-location suppression. A vendor’s representations do not insulate you from your own Section 5 exposure.
  • Contract for compliance. Require sellers and SDK partners to warrant lawful collection, geofencing of sensitive sites, and deletion support, with audit rights and indemnification.
  • Disclose plainly. Tell users in clear, conspicuous terms — not buried policy language — that location is collected and shared, and for what.
  • Prepare a deletion pathway. Be able to delete consumer location data on request and propagate that deletion to anyone you shared it with.

Conclusion

The Kochava matter took nearly four years, an early dismissal, an amended complaint, and a second motion to dismiss that the amended complaint survived before it produced a binding result. That arc matters because it converted a contested legal theory into settled practice: selling precise location data that reveals visits to sensitive places is an unfair practice under Section 5 unless the consumer has affirmatively opted in. The settlement’s privacy-program and downstream-reporting requirements give the agency a durable template it can apply to the next broker.

What makes 2026 a genuine reckoning rather than a single case is the convergence. The FTC’s federal unfairness theory now sits alongside California’s Delete Act and DROP, which turn deletion into an industry-wide, deadline-driven, per-violation-penalized obligation, and alongside AG and CFPB pressure that closes off the remaining gaps. For data brokers, the permissionless sale of sensitive geolocation is over. For the advertisers, app publishers, and analytics firms that feed and consume that market, the lesson is that embedding a location SDK is now a regulated activity — and ignorance of where the data goes is no longer a defense.

This article is provided for informational purposes only and does not constitute legal advice.