TL;DR: On February 27, 2026, the FTC and data broker Kochava announced a settlement in a lawsuit filed back in 2022. Kochava was selling geolocation data from hundreds of millions of phones that showed where people went, including reproductive health clinics, places of worship, domestic violence shelters, and addiction recovery facilities. Under the deal, Kochava must implement a "privacy block" for at least two years preventing the sale of location data tied to sensitive venues like healthcare facilities, schools, and jails. They also have to give consumers a way to delete their data. The FTC commissioners still have to approve the final terms.
What Kochava Was Selling
Kochava is a mobile analytics company that most people have never heard of. They've collected location data from billions of mobile devices worldwide through two methods:
- App SDKs: Kochava's tracking code is embedded in over 10,000 apps. When you use those apps, your location gets transmitted back to Kochava without your knowledge [1].
- Data broker networks: Kochava buys location data from other brokers and aggregates it into detailed consumer profiles.
The result: a database that can show where specific people go, when they go there, and how often they return. Kochava advertises it can provide data for "Any Channel, Any Device, Any Audience."
According to the FTC's complaint, buyers could link this location data with "email, demographics, devices, households, and channels," meaning they could put names and home addresses to the phones visiting sensitive locations [2].
The Places They Were Tracking
The FTC specifically called out Kochava for selling data revealing visits to:
- Reproductive health clinics (including abortion providers)
- Places of worship (churches, mosques, synagogues, temples)
- Homeless shelters
- Domestic violence shelters
- Addiction recovery facilities
- Hospitals and medical facilities
This isn't abstract. In a post-Dobbs world, location data showing visits to abortion clinics in states where abortion is banned could be used as evidence in criminal prosecutions. Data showing visits to domestic violence shelters could help an abuser find a victim. Data showing visits to addiction recovery could cost someone their job [3].
The FTC put it bluntly: Kochava's practices exposed people to "stigma, stalking, discrimination, job loss, and even physical violence."
What the Settlement Requires
The deal announced February 27 includes several restrictions on Kochava:
- Privacy block: For at least two years, Kochava must implement filtering to prevent sharing or using raw location data associated with healthcare facilities, schools, jails, and other sensitive venues [4].
- Consumer deletion rights: Kochava has to provide a way for consumers to request removal from their database and prevent future data collection or sale of their information.
- Client-exclusive use: Location data collected through Kochava's SDKs can only serve that specific client's interests, not Kochava's own uses or other clients'.
- Consent documentation: Kochava must request examples of consent prompts from data sources that have direct consumer relationships.
- Truthful representations: No more misrepresenting data collection and processing practices.
The settlement still requires approval from a majority of FTC commissioners before becoming final.
The Two-Year Problem
Notice that the privacy block is only required for "at least two years." After that? The restriction could expire.
Two years is also not a long time in the context of how this data could be used. Location data from 2024 showing someone visited an abortion clinic in Texas could still be relevant to a prosecution in 2028. The data Kochava already sold doesn't get deleted. It's out there, in the hands of whoever bought it.
And Kochava isn't the only company in this business. The FTC has pursued other data brokers like X-Mode and InMarket, and similar concerns apply to the massive Gravy Analytics breach that exposed location data from thousands of apps. The location data industry is vast, and this settlement covers one player.
How This Tracking Happens
Your phone doesn't report your location to Kochava directly. Instead:
- You download an app that includes Kochava's SDK (you have no way of knowing this)
- The app requests location permissions for its stated purpose
- Kochava's code transmits your location data back to Kochava's servers
- Kochava aggregates this with data from other sources
- Kochava sells access to buyers who can query specific locations or demographics
Over 10,000 apps include Kochava's tracking code. Unless you've audited every app on your phone, you don't know if you're being tracked.
What You Can Do
Disable Location for Most Apps
Go through your phone's privacy settings. Most apps don't need your location. Set location access to "Never" or "While Using" for apps that don't require it.
Use Airplane Mode at Sensitive Locations
If you're visiting a clinic, shelter, or other sensitive location, put your phone in airplane mode before you arrive. Or leave it home.
Opt Out of Data Brokers
Kochava must now provide opt-out mechanisms. Visit their privacy page to request deletion. Do the same for other major data brokers.
Consider a Faraday Bag
For truly sensitive situations, a Faraday bag blocks all signals to and from your phone. It's the only way to guarantee no location tracking.
References
- The Conversation: Data brokers know everything about you: What FTC case against Kochava reveals
- FTC: FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of Worship, and Other Sensitive Locations (August 2022)
- Lawfare: The FTC's Amended Kochava Complaint and the Harms of Selling Geolocation Data
- Bloomberg Law: Kochava Inc. Settles Location Data Trade Practice Suit With FTC (February 27, 2026)
- Sourcepoint: Kochava Settlement Imposes New Location Data Safeguards
Published: February 28, 2026