The US Federal Trade Commission's (FTC) suit against Kochava Inc, a prominent data aggregator and analytics company, faced a recent setback when the Idaho District Court granted Kochava's motion to dismiss the FTC's claim.1 The FTC alleged that Kochava's sale of geolocation data taken from mobile devices could enable third parties to uncover sensitive, personal information about the mobile device users.

Judgment:

The FTC claim was that Kochava's sale of personal data constitutes an 'unfair' practice — one that risks 'consumer injury'. The Court did not decide this point and found that Kochava's data licensing only satisfies two out of the three legal criteria of 'unfair' practice. The Court accepted that consumers cannot easily prevent Kochava aggregating data collected from their devices and that consumers receive no counteracting benefits as a result of this collection — both of which constitute 'unfair' practice. But crucially, the FTC was unable to demonstrate that Kochava's data collection had posed or would pose a significant risk to consumers.

The Court agreed with the FTC that Kochava's sale of geographical data derived from MAIDs could be exploited by third parties if linked to specific individuals. But the FTC could not adequately prove such harm happened. It was unproven whether potential 'injuries', such as the alleged emotional trauma resulting from the publication of medical information, had ever happened, were currently happening or had a significant risk of happening. In the circumstances the Court ruled that Kochava's practices did not constitute an 'injury' to consumers.

The FTC also sought to claim that Kochava's data collection practices themselves constitute an 'invasion of privacy'. The right of privacy finds substantial protection in US law where there are precedents for interpreting an 'invasion of privacy' as an 'injury' in and of itself. And yet, the Court found it hard to view the FTC's suits according to these precedents because the alphanumerical data that Kochava sells requires separate inferences in order to reconstruct any sensitive, private details that the FTC claims were being shared. For instance, as the Court notes, one subject's repeated trips to an oncology clinic could have implications for their medical history or they could be visiting a friend. In the circumstances the Court could not deem their practice an 'invasion of privacy'.

The issue of alphanumeric data being shared is important to business-to-business activity – Kochava does not disclose personal information; it sells deidentified data from which personal information might be inferred only if linked by another entity to a specific individual.

Ultimately, while the Court did grant Kochava's Motion to Dismiss the FTC's lawsuit, it gave the FTC leave to amend — recognizing the importance of data privacy – so the FTC's revised claim will need to convince the judge that actual harm has occurred. The Court's relative circumspection in this matter indicates the fraught nature of this area of the law, particularly as data management practices have evolved over the last decade. The FTC's fears that Kochava might be trading in a form of malicious surveillance. Its concerns strike a dystopian chord — and yet, as the Idaho Court astutely recognized, if FTC puts no evidence of such activity taking place, maybe it wasn't.

Broader context:

The Idaho Court's decision does not stand alone. For instance, the EU General Court's recent judgment in Single Resolution Board (SRB) v the European Data Protection Service (EDPS) similarly raised the legal distinction between the processes underpinning data interoperability from individual data exchanges. There, the EU General Court repealed a fine which was handed down to the SRB for its sharing of data with a consulting firm, Deloitte, on the basis that the information in question which had been received was encoded and de-identified and Deloitte had legal means by which it could re-identify the information shared.2 The case reinforced the principle established in Bronner3 that much depends on the technical capability and legal constrains governing the data handler. If the data transferred is not itself personal data and the recipient cannot technically or legally use it to re-identify the individual, any risk of breach of GDPR is reduced. Moreover, even if they have the technical ability to reidentify they may be able to put in place contractual provisions enabling them to limit and control the use of data and then claim compliance.

The final case in a set of three is Lloyd v Google, which dealt with data contained in third party cookie files. The Supreme Court rejected the class claim which arose out of Google's setting of third-party cookies on Apple's Safari. This involved the "Safari Workaround", a technical mechanism adopted by Google which allowed Google to bypass Apple's cookie settings in order to place its cookie files on the Safari browser.4 Google (in this case, the third-party) successfully defended the claim for compensation for the loss of control of the claimants' personal data on the basis that its setting of cookies did not, in itself, constitute harm. The Court found that there was no evidence before it that the cookies in question in fact contained personal data or used personal data.

Like FTC v Kochava, the fact that some data is transferred does not make the transfer a breach of data protection law. Much depends on whether the data is personal data or not. As the Lloyd case also reminds us, while a file can contain personal data not all files necessarily do. Checking whether a file does indeed contain personal data is a good place to start before alleging breach.

Notwithstanding legal arguments advanced on behalf of Google, it is part of a mantra put about by the likes of Google as well as Apple that third-party cookies and third-party data is always bad and must be restricted wherever possible. Many now delete third party cookies in near fervour believing they are helping to prevent advertising and reduce the plague of pop ups. The truth, that cookies improve the ability for advertisers to provide ads that are useful to users and help promote products that users actually want to buy, has been having a difficult time against their prevailing barrage of disinformation. Meanwhile, if Google, Facebook and Apple can strangle the use of third-party data, they will become unique providers of targeted ads based on their huge stores of first party data given their enormous customer bases. Stripped of the "privacy" argument, the platforms' attempts to erode public faith in third party (aka competitors') offers can be seen for what they are – commercially driven land-grabs.

It is therefore reassuring to the see that courts on both sides of the Atlantic are looking for proof of fact, and testing what is happening on the facts before examining allegations of harm and loss.

Footnotes

1. FTC v Kochava, Case No. 2:22-cv-00377-BLW (United States District Court for the District of Idaho)

gov.uscourts.idd.50683.24.0_1.pdf (courtlistener.com)

2. SRB v European Data Protection Supervisor, Case T-557/20 (General Court)

SRB v European Data Protection Supervisor | European Data Protection Supervisor (europa.eu)

3. Bronner v Mediaprint, Case C-7/97 (Court of the Sixth Chamber)

eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:61997CJ0007

4. Lloyd v Google LLC, UKSC 2019/0213 (Supreme Court)

Lloyd (Respondent) v Google LLC (Appellant) – The Supreme Court

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.