On May 4, 2026, the Federal Trade Commission announced a settlement with Idaho-based data broker Kochava Inc. and its subsidiary Collective Data Solutions, permanently prohibiting both companies from selling, licensing, transferring, or disclosing precise location data unless they first obtain consumers’ affirmative express consent and the data is used to provide a service the consumer directly requested.
The case — initiated in August 2022 and resolved nearly four years later — is the most significant U.S. enforcement action against a location data broker in the history of FTC privacy regulation. The settlement creates a detailed compliance framework that extends well beyond Kochava, establishing the practical standard for what lawful location data brokerage must look like across the industry.
For any business that collects, monetizes, licenses, or shares precise location data — including mobile app publishers, advertising technology platforms, analytics companies, and data aggregators — the Kochava settlement is the most important document in the regulatory landscape right now.
What Kochava Did
Kochava is a mobile measurement and analytics company that collected and sold precise geolocation data from hundreds of millions of mobile devices. The company obtained this data primarily from mobile apps whose publishers had integrated Kochava’s SDK — a tracking library that records device location, app usage, and other signals and transmits them to Kochava’s platform.
Kochava then sold access to this location data — typically in the form of data feeds, audience segments, or attribution reports — to clients who used it for advertising targeting, competitive intelligence, and other commercial purposes.
The FTC’s original complaint, filed in August 2022, alleged that Kochava’s data products allowed clients to track the movements of mobile users to and from specific sensitive locations, including:
- Mental health and addiction recovery facilities
- Reproductive health clinics (including abortion providers)
- Places of worship
- Shelters for homeless individuals and domestic violence survivors
- Other locations whose association with a consumer creates elevated privacy risks
The FTC’s core allegation: Kochava collected and sold this data without obtaining meaningful consumer consent, and without implementing technical or contractual controls to prevent clients from using it to track individuals to and from sensitive locations.
What the Settlement Requires
The settlement imposes a permanent injunction with several distinct compliance obligations.
Prohibition on Selling Sensitive Location Data
Kochava and Collective Data Solutions are permanently banned from selling, licensing, transferring, sharing, or disclosing sensitive location data in any product or service unless two conditions are met:
- The consumer has provided affirmative express consent — meaning opt-in, specific, and informed agreement — to the collection and use of their location data for the specific purpose; and
- The data is being used to provide a service directly requested by that consumer.
The prohibition covers both raw location data and derived products that could be used to infer visits to sensitive locations. This is a meaningful expansion beyond the original complaint: the settlement does not just prohibit selling data about sensitive locations — it prohibits selling any location data unless the consent framework is satisfied.
Sensitive Location Data Program
Kochava must establish and maintain a formal Sensitive Location Data Program. This program must include:
- A comprehensive list of sensitive locations — defined broadly enough to capture the categories identified in the complaint plus any additional categories that carry similar risks
- Technical and operational controls to prevent the sale, transfer, or disclosure of location data associated with those sensitive locations
- Regular review and updating of the sensitive location list as new location categories emerge
This requirement effectively mandates that Kochava build and maintain an internal classification system for location sensitivity — something the company demonstrably lacked.
Supplier Assessment Program
Kochava must implement a supplier assessment program requiring confirmation that data acquired from third-party suppliers — app publishers, data aggregators, and other upstream sources — was collected with appropriate consumer consent.
This is operationally significant. One of the central dynamics in the location data industry is that companies like Kochava receive data from app publishers who have, in theory, obtained consent from their users. In practice, the consent obtained through in-app disclosures and permission prompts has frequently been inadequate for the purposes to which that data is later put.
The supplier assessment requirement places affirmative due diligence obligations on Kochava to verify — not just contractually represent — that upstream consent is valid.
Incident Reporting to the FTC
Kochava must submit incident reports to the FTC when it determines that a third party shared consumers’ precise location data in violation of contractual requirements. This effectively turns Kochava into a co-regulator of its own supply chain: if a supplier is found to have provided data without valid consent, Kochava must report that to the FTC.
Consumer Rights
The settlement requires that Kochava:
- Allow consumers to request the names of any business or individual to whom their precise location data was sold or transferred
- Provide an accessible, easy mechanism for consumers to withdraw consent for location data collection and use
Why This Case Took Four Years
The FTC filed its original complaint in August 2022 — and Kochava immediately challenged it. The company argued that its data products were anonymized and therefore outside the FTC’s privacy authority, and that the FTC had failed to demonstrate actual consumer harm.
Federal district court proceedings produced an important preliminary ruling: the court found in 2023 that the FTC had plausibly alleged that Kochava’s data products could be used to re-identify individual consumers and track their movements to sensitive locations, rejecting the anonymization defense.
The four-year timeline reflects the difficulty of settling data broker cases where the company disputes the underlying theory of harm. The May 2026 settlement represents a resolution on terms substantially more favorable to the FTC than Kochava’s original litigation position suggested the company would accept.
Regulatory Context: PADFAA and What Comes Next
The Kochava settlement is not occurring in isolation. In February 2026, the FTC issued a reminder to data brokers of their obligations under the Protecting Americans from Dangerous Algorithms and Foreign Adversaries Act (PADFAA) — a 2024 statute that specifically governs the sale of sensitive data, including location data, to covered foreign adversary entities and their subsidiaries.
The FTC’s February 2026 PADFAA notice was directed at the data broker industry broadly, signaling that the Kochava case is not a one-off enforcement action but part of a sustained enforcement priority.
The broader enforcement picture:
- The FTC’s enforcement pattern on location data has been building since its 2014 action against Nomi Technologies
- The X-Mode Social case (2023) established that selling location data that enables tracking to religious sites and political events is an unfair trade practice under Section 5
- The Kochava settlement goes further than any previous action in specifying what compliant location data brokerage looks like in operational terms
What This Means for the Location Data Industry
The Kochava settlement creates a de facto compliance standard for any business operating in the location data ecosystem. The key implications:
For data brokers and analytics companies: The opt-in consent requirement for sensitive location data is now the regulatory standard — not opt-out, not implied consent through app permission prompts, not contractual terms of service. If your data products include location data, you need to audit your consent stack for affirmative express consent that satisfies the FTC’s settled definition.
For app publishers: The supplier assessment requirement means your downstream buyers are now contractually and regulatorily motivated to verify the quality of the consent you obtained. App publishers who rely on vague location permission prompts or buried terms of service are creating liability for themselves and their distribution partners.
For advertising technology platforms: If your platform uses location data as a targeting signal, the lineage of that data — where it came from, what consent was obtained, who collected it — is now a compliance question with enforcement consequences.
For legal and compliance teams: The Kochava settlement’s specific definitions of “sensitive locations” and “affirmative express consent” are not limited to Kochava. The FTC uses settled cases to define the standard of conduct it will apply to other companies. Treating this as a Kochava-only problem is a mistake.
The Practical Compliance Checklist
Any organization that touches precise location data should assess its practices against the following:
- Consent audit: Can you trace every location data point in your system to an affirmative, specific, informed consent by the individual consumer? If not, what is your exposure?
- Sensitive location classification: Do you have a policy defining which location categories are “sensitive” for your data products? If not, build one now — the FTC has provided a baseline definition.
- Supplier due diligence: If you receive location data from third-party sources, what contractual and operational controls confirm that the upstream consent is valid? Contracts alone are insufficient.
- Consumer request process: Can consumers request a list of entities to whom their location data was sold? Can they withdraw consent through a simple mechanism?
- Incident response: If you discover that a supplier provided location data in violation of consent requirements, what is your reporting and remediation process?
The Kochava settlement marks the end of a regulatory grace period for the location data industry. The FTC’s four-year investment in this litigation — including surviving a motion to dismiss and negotiating a detailed operational compliance framework — signals that location data is now a sustained enforcement priority. Organizations that treat this as background noise do so at significant risk.
For related context on the broader U.S. privacy enforcement landscape, see our analysis of 20 states now enforcing consumer privacy laws and the FTC’s 2026 enforcement trends across digital advertising and data brokerage.
Sources: FTC Press Release, FTC v. Kochava Inc. (May 4, 2026); FTC Legal Library, FTC v Kochava Inc. (case timeline); Bleeping Computer; The Record from Recorded Future News; SC Media; FTC PADFAA Reminder (February 2026). This article is provided for informational purposes only and does not constitute legal advice.



