Kochava's FTC Settlement Closes the Causation Defense Every Data Broker Used
The FTC filed a settlement on May 4, 2026 barring Kochava and its subsidiary Collective Data Solutions from selling sensitive location data tied to hundreds of millions of mobile devices unless they get affirmative express consent first. The court rejected Kochava's third-party causation defense, ending the three-year case the FTC opened in August 2022. The ruling applies to every other location-data broker by precedent, which means audience-segment audits at the agency and brand level just stopped being optional.
The causation defense was the entire game
For years, the standard data broker posture in any FTC challenge was the same: we sell the pipe, the buyer is responsible for what flows through it. That argument leaned on a reading of Section 5 of the FTC Act that required the agency to prove direct, traceable consumer harm. As long as a broker could point at downstream customers, the harm chain looked broken. Cases stalled.
The Idaho court closed that route. According to IAPP's reporting on the ruling, the court held that Section 5 "only requires a significant risk of concrete harm. If the company creates that risk, even if it is not actually inflicting the ultimate harm, it could be violating the FTC Act." That sentence is what every other broker's lawyer is reading this morning.
The privacy intrusion itself counts as a substantial injury now. You don't need a downstream stalker, a leaked address, or a documented medical disclosure to get sued. You just need to be the broker that made the chain possible. From what I've seen, that is a meaningfully different legal posture than the one most ad-tech vendors have been operating under.
What the order actually requires
Six obligations are baked into the proposed order, per the FTC's announcement and the original AdExchanger reporting:
- Affirmative express consent before any sensitive-location data is sold, licensed, transferred, or shared, and only for a service the consumer directly requested.
- A "privacy block" preventing data tied to health facilities, schools, jails, places of worship, addiction recovery centers, and shelters from leaving the company. The block stays in effect for at least two years.
- A consumer-facing deletion mechanism plus a blacklist that prevents future collection from anyone who opts out.
- A vendor program where Kochava must request proof of user consent from upstream sources before ingesting their data.
- Reports to the FTC on certain violations.
- Compliance restrictions on how the existing data can be used inside machine-learning systems.
The press release does not specify a monetary penalty. The pain in this order is operational, not financial. A privacy block, a vendor proof-of-consent program, and a deletion endpoint together mean Kochava has to rebuild a meaningful slice of its data pipeline, and the cost of that rebuild lands on every broker that buys from or sells to them.
Three settlements, one direction
Kochava is the third location-data broker to settle in 18 months. X-Mode and Outlogic settled in January 2024. Mobilewalla followed in December 2024. Now Kochava in May 2026. Same playbook each time: heightened consent, sensitive-location carve-outs, bans on raw SDK data sharing, vendor responsibility for upstream sources.
The Mobilewalla order is the one that programmatic teams need to actually read. It bans collecting consumer data from online advertising auctions for purposes other than participating in those auctions. That precedent reaches further than a single broker. A real chunk of bidstream ingestion across the industry currently looks like this: a partner participates in auctions, scrapes identifiers and behavioral signal off bid requests it loses on, and packages that into segments later. The FTC has now called that an unfair practice.
To be fair, the broader data broker market still generates billions and most of it is operating untouched. The FTC has clearly picked location data as the wedge issue and is grinding through cases one at a time. That grind is what makes the rules enforceable across the industry without a new federal privacy law.
The audience segments that just turned into liability
The 2024 FTC complaints called out a specific business practice: brokers building "audience segments" inferred from sensitive-location visits, including medical conditions, political affiliation, and religion. Those were the segments getting sold into programmatic activations and CRM enrichments.
If you run paid media or build retargeting audiences, here is what that means in practice. Any segment description in your DMP or DSP that reads like "frequents urgent care," "regular church attendee," "visits addiction recovery facilities," or "domestic violence shelter proximity" should be treated as a banned input. The privacy block list in the Kochava order is now the de facto floor that any plaintiff or regulator will reference. We covered the parallel state health exchange leak last week, and the through-line is the same: identifiers that look anonymous become identifiable the moment they tie back to a sensitive-place visit.
The harder problem is segments that don't name a sensitive location but were derived from one. "Likely Type 2 diabetes prospect" segments built on pharmacy and clinic visit signals are the obvious example. Vendors won't always tell you the upstream source. That's now your audit problem, not theirs.
Three audits worth running this week
One. Pull every audience segment vendor in your DMP, DSP, and retargeting stack. Send a written request to each one asking whether the location data underlying their segments was collected with affirmative express consent and whether they can produce that consent record on request. If a vendor hedges or refuses, you have your answer. The cost of running that audit is roughly half a day of legal-ops time. The cost of skipping it is whatever the next FTC action looks like for the brands that were using those segments.
Two. Get your media agency's vendor list of supply partners and look specifically at any SSP or DSP collecting bid request data for purposes beyond serving the auction. The Mobilewalla precedent makes that an unfair practice. Most boilerplate contracts I have reviewed still treat bid request collection as a freebie, which seems like a position that is not going to survive the next round of cases.
Three. If you run mobile attribution through an SDK that resells location data, check whether your contract spells out the vendor's downstream sharing rights. Kochava's settlement specifically targeted SDK-collected data being passed to third parties without consent. The fix is usually a one-paragraph contract amendment requiring proof of consent for any onward sharing. Cheap. Tedious. Not optional.
Where I think this lands
The pattern across X-Mode, Mobilewalla, and Kochava points at the same outcome. The FTC has built a workable enforcement model for location data without needing Congress to pass anything. The agency picks a broker, runs the case for two to four years, and lands a consent decree with a privacy block plus a vendor-proof-of-consent requirement. Each settlement raises the floor for the rest of the industry.
The broker-to-broker contagion is what's interesting. Once X-Mode had to vet its sources, every broker buying from X-Mode inherited that obligation. Now Collective Data Solutions, Kochava's successor entity, has to run the same checks. The web of contracts means consent obligations spread sideways without the FTC having to file a single additional case.
From what I have seen, most marketers reading this don't think they touch sensitive location data directly. They probably do, two or three vendor relationships deep. The audit isn't really optional anymore. It is just a question of whether you do it on your own timeline or someone else's.
Notice Me Senpai Editorial