On February 26, 2026, the Federal Trade Commission and Kochava Inc. filed a proposed settlement with the U.S. District Court for the District of Idaho, concluding a case that had begun more than three years earlier. The FTC sued Kochava in August 2022 for selling precise geolocation data linked to Mobile Advertising IDs — data that could identify which apps a person had opened, which streets they had walked, and — critically — which buildings they had entered. The company's database contained profiles on approximately 300 million Americans, each with up to 300 data points, derived from SDKs embedded in mobile applications and updated by 94 billion monthly geo-transactions.
The settlement imposes six requirements, according to published summaries of the settlement terms. Kochava must request proof of user consent from its data suppliers. It must implement a deletion mechanism and blacklist for consumers who opt out. It must stop selling raw location data collected from client app SDKs to third parties. And for at least two years, according to the same summaries, it must operate a "privacy block" preventing the distribution of location data tied to sensitive venues: reproductive health clinics, places of worship, homeless shelters, domestic violence shelters, addiction recovery facilities, mental health facilities, schools, and jails.
Two years. Then the block expires.
Kochava's product was not subtle. The company's own marketing materials described a database of over 300 million identified individuals, updated continuously by observing more than 90 daily transactions per device across 125 million monthly active users. This data was not anonymized in any meaningful sense: each record was linked to a Mobile Advertising ID that, when combined with even a small number of spatiotemporal points, could be readily linked to a named individual. Academic research has documented this for over a decade. A 2013 MIT Media Lab study found that four spatiotemporal points are sufficient to identify 95% of individuals in any mobility dataset. A 2021 paper in the journal Patterns showed that 93% of people in a 60-million-person dataset could be uniquely identified using just four points of auxiliary information. Location data does not become anonymous by removing names. It becomes anonymous the way a fingerprint becomes anonymous by removing the finger.
The FTC's complaint documented the specific harms this infrastructure enabled. Police in Idaho — the same state where Kochava is headquartered and where the case was litigated — used cell phone location data to investigate a woman and her son for taking a minor girlfriend to Oregon for an abortion, after Roe v. Wade was overturned. Senator Ron Wyden disclosed that a company called Near Intelligence gathered location data on visits to nearly 600 Planned Parenthood locations across 48 states and sold it to an anti-abortion group, which used it for targeted advertising campaigns. A 2022 study in JAMA Internal Medicine found that 99.1% of abortion clinic web pages contained third-party tracking code, transferring data to a median of nine unique entities — pipelines that could feed directly into the kind of database Kochava operated.
Domestic violence shelters presented a particularly acute vulnerability. Research published in the Journal of Family Violence in 2025 found that prior offline intimate partner violence increased the odds of technology-facilitated stalking by a factor of 3.8 — establishing a documented pathway through which abusers' access to location data could enable ongoing surveillance of victims. Shelter locations are sensitive markers: if an abuser's surveillance apparatus includes a data broker query, a visit to a domestic violence shelter becomes visible. The shelter does not need to be named in the data. The location coordinates are sufficient.
The two-year privacy block is the settlement's most significant provision. It is also, by design, temporary.
The FTC cannot permanently prohibit a data practice through a consent order. Its authority under Section 5 of the FTC Act is remedial, not preventive. A consent order addresses conduct that has occurred and restricts future conduct for a defined period — after which the respondent is free to resume the same conduct unless the Commission brings a new enforcement action. A new enforcement action requires investigation, litigation resources, and time. The FTC vs. Kochava case took more than three years to settle. The clock on the privacy block runs for approximately two years from the February 2026 settlement filing. If the FTC wishes to extend the prohibition after the block expires, it must, in effect, start over.
This is not a structural flaw the FTC chose. It is a structural constraint the FTC cannot escape without congressional action. The absence of a comprehensive federal privacy law means the Commission's most powerful tool against harmful data practices is a temporary injunction that expires on a schedule — and that schedule rewards delay. Every day of litigation before the settlement was entered increased the size of the database. During the proceedings, according to the FTC's complaint, "the database expanded to over 300 million identified Americans." The data that existed at the time of filing continued to circulate among Kochava's customers, who were under no obligation to delete it.
Before the FTC case concluded, a separate consumer class action against Kochava had already produced a settlement requiring the implementation of the "Privacy Block" system — the same technical mechanism the FTC would later cite as a remedy. The class action system covered over 2.1 million locations. By the time the FTC's case settled, the blocking infrastructure already existed.
The parallel is instructive. The class action's Privacy Block was designed by Kochava's own engineers in response to litigation, not by a regulator evaluating systemic risk. The locations covered by the block were determined through negotiation between Kochava and plaintiffs' attorneys, not through an agency proceeding with rulemaking authority. When the FTC entered the case, it incorporated the Privacy Block as a settlement requirement — effectively ratifying a technical remedy that the defendant had already built, in a proceeding the defendant had already partially resolved.
This is how the surveillance economy absorbs regulatory pressure: by building the minimum required infrastructure under the first round of litigation, then presenting that infrastructure as the ceiling of reform in subsequent proceedings.
The privacy block applies to raw location data tied to sensitive venues. Reported summaries of the settlement terms indicate it does not cover derived data, behavioral inferences, or audience segments that incorporate sensitive location history without explicitly referencing a coordinate. If an advertiser purchases a segment labeled "frequent visitors to religious institutions" — rather than raw coordinate data linked to a specific place of worship — the block, reportedly, does not apply.
The CNIL, France's data protection authority, demonstrated in its 2022–2023 GeoTrouveTous project that location data could be re-identified from a dataset of 100 million rows covering approximately 800,000 mobile phones. Using clustering algorithms, researchers identified home and workplace addresses for nearly all devices. In a test of 20 device identifiers, seven were successfully re-identified within a single day. The dataset cost €100,000 or more per year to license — a sum that is, the CNIL noted, "sometimes trivial compared to potential profits."
Kochava's data was priced in the tens of thousands of dollars per month for commercial subscribers, with government contractors and hedge funds among the documented buyers. The data's value was precisely its precision: the ability to say not just that a person was near a clinic on a particular day, but that they entered the building.
The FTC has brought five major enforcement actions against location data brokers since 2022: X-Mode/Outlogic (finalized April 2024), InMarket Media (settlement finalized in 2024), Mobilewalla (December 2024), Gravy Analytics/Venntel (December 2024), and Kochava (February 2026). Each case produced a settlement with a defined duration. The X-Mode/Outlogic settlement, the first to impose a sensitive location data ban, required deletion of all historical sensitive location data and implemented a supplier assessment program. The InMarket settlement prohibited selling or sharing any precise location data and required deletion of all previously collected location data. The Mobilewalla and Gravy Analytics settlements imposed similar restrictions.
Each settlement addresses conduct going forward. None retroactively deletes data already purchased and distributed. None creates a statutory prohibition that survives the consent order's expiration. The FTC has constructed a regulatory framework in which the most harmful data practices are addressed through time-limited injunctions that require repeated, resource-intensive enforcement to maintain.
The two-year horizon matters most for the most sensitive data flows. The pipeline that tracked domestic abuse victims to their shelters — if it resumes after the privacy block expires — does not need to be re-established. It needs only to be un-paused. The FTC would need to notice, investigate, litigate, and settle again, on the same timeline it just completed. In the interim, the data flows.
Privacy advocates who commented on the related X-Mode/Outlogic settlement — including EPIC, Demand Progress, and the Electronic Frontier Foundation — argued that all precise location data should be treated as sensitive, that the distinction between "sensitive" and "non-sensitive" locations is inherently arbitrary, and that the FTC should rely on data minimization rather than consent-based remedies. These arguments did not prevail in the settlement terms. The FTC imposed a block on specific sensitive venues and required consent-gating for data suppliers. It did not define all location data as sensitive. It did not impose a permanent prohibition.
The settlement's most accurate description is a regulatory timeout. The surveillance infrastructure remains intact. The data that was already sold continues to circulate. The two-year clock runs. And after it expires, unless the FTC acts again, the same pipeline that tracked people to domestic violence shelters resumes operation — not because anyone decided it should, but because no one decided it shouldn't.