The Federal Trade Commission (FTC) flexed its muscle on August 29, 2022, when it filed a lawsuit against Kochava, Inc., for harvesting, aggregating, collating, and then selling the “precise geolocation data” of millions of individuals in violation of the FTC Act.

FTC complaint: Data allows tracing individuals to and from sensitive locations

The FTC explains that Kochava acquires the location data, which originated from individuals’ mobile devices, from an array of data brokers. Kochava then creates customized data feeds and markets these feeds to commercial clients. Their clients’ rationale for paying up to $25,000 per feed, according to the FTC, is to “know where consumers are and what they are doing.” Kochava is then selling “geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.” The FTC identified “reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities” as the type of locations that could be identified as having been visited by individuals.

The FTC continues in its complaint that Kochava is allowing others, through the sale of the data which tracks people, to “identify and expose them to threats of stigma, stalking, discrimination, job loss, and even physical violence.” The FTC complaint calls for a permanent injunction against Kochava’s sale of the sensitive geolocation data and the deletion of the data it has collected.

It is clear from reading the complaint that Kochava was aware that its data aggregation was creating a direct link between a given location and an identifiable individual as they leveraged the data they acquired from data brokers.

FTC had given a fair warning

The FTC noted in its press release how the commission was “exploring rules to crack down on harmful commercial surveillance practices that collect, analyze and
profit from information about people.” On July 11, 2022, the FTC issued a warning that sensitive categories include information about an individual’s precise location and information about their health. They went on to highlight how the FTC believes that data points acquired from “smartphones, connected cars, wearable fitness trackers, ‘smart home’ products, and the browser you’re reading this on are capable of directly observing or deriving sensitive information.”

In January 2021, Flo Health reached a settlement with the FTC about its sharing of sensitive health information derived from their “Flo Period and Ovulation” app to third parties, including Google and Facebook. Similarly, in September 2021, the FTC tightened breach notification requirements for health apps and connected devices, requiring those who are responsible for health apps to comply with the Health Breach Notification Rule. This notification specifically called out: “When a health app … discloses sensitive health information without users’ authorization, this is a ‘breach of security’ under the Rule.”

How Kochava aggregates and markets sensitive data

It is this latter point that seems to tie up Kochava: its discrete aggregation specific to sensitive locations and its ability to market a consumer’s “precise location.”

The data provided by Kochava to its clients included “timestamped latitude and longitude coordinates for locations associated with the mobile devices.” The FTC noted how the location and time data were then associated with a “Mobile Advertising ID” (MAID), which is a unique identifier assigned to a consumer’s device.
Kochava claims that they can “deliver raw latitude/longitude data with volumes around 94B+ geo transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device.”

The FTC was able to acquire a data sample, as of July 2022, which contained information on over 61 million devices, from the Kochava AWS depository by merely requesting a copy of the sample from Kochava. Only when a purchase was made was the purchaser warned that the data contains “sensitive categories of information.”

Their review of the data showed that it was possible to “identify a mobile device that visited a women’s reproductive health clinic and trace that mobile device to a single-family residence.” The data then revealed that the same device visited a specific location on three evenings in a given week, which the FTC intimated was indicative of tracking the individual’s routine.

Takeaways for CIOs and CISOs

Product leads in conjunction with their CIOs and CISOs should go to school on this lawsuit filed by the FTC and ensure that their product suite obfuscates sensitive data in a manner so as not to be in violation of the FTC Act. The FTC lawsuit, when parsed, effectively provides a useful roadmap for those wishing to avoid the Kochava or Flo Health experience.

Employ technical means to prohibit customers from identifying consumers or tracking them to sensitive locations. This may include the use of a blacklist that “obfuscates or removes data concerning sensitive locations (medical care, reproductive care, religious worship, mental health, temporary shelters, shelters for the homeless, domestic violence survivors or other at-risk populations, and addiction recovery).”

If data is collected from the consumer, ensure the consumer is aware of how the data is collected and used.
The consumer should not have to wade through a 100-page privacy and use statement to locate the instances where the app they’re using is “sharing” their data. Additionally, consumers should not be blindsided to learn that their information is being used by third parties with whom they have had no interaction and who are able to track their life’s movements. The key, for product managers, is to ensure that the consumer may take “reasonable steps” to not have their data used in this manner.
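
One way to implement the sensitive-location blacklist from the takeaways above, shown as an added example that is not code from the article, the FTC, or Kochava. It removes pings that fall inside an exclusion radius around listed sites, then coarsens what remains so a single row no longer pins a device to a residence or a time of day. The site coordinates, 250 m radius, two-decimal rounding, field names and HMAC device token are all assumptions, and the feed rows are constructed.

```python
import hashlib
import hmac
import math

# Constructed denylist: (category, lat, lon, exclusion radius in metres).
SENSITIVE_SITES = [
    ("reproductive care", 40.7500, -73.9900, 250.0),
    ("domestic violence shelter", 40.7000, -74.0100, 250.0),
]

# Constructed feed rows in the shape the complaint describes: MAID, timestamp, lat/lon.
SAMPLE_FEED = [
    {"maid": "maid-0001", "ts": "2022-07-01T09:14:00Z", "lat": 40.7503, "lon": -73.9898},
    {"maid": "maid-0001", "ts": "2022-07-01T19:40:00Z", "lat": 40.78123, "lon": -73.96654},
    {"maid": "maid-0002", "ts": "2022-07-01T12:00:00Z", "lat": 40.7300, "lon": -73.9912},
]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def near_sensitive_site(lat, lon, sites=SENSITIVE_SITES):
    """True when the point falls inside any site's exclusion radius."""
    return any(haversine_m(lat, lon, s_lat, s_lon) <= radius
               for _category, s_lat, s_lon, radius in sites)

def scrub_feed(records, feed_key, sites=SENSITIVE_SITES, decimals=2):
    """Remove pings near sensitive sites, then coarsen and pseudonymize the rest."""
    kept, removed = [], 0
    for rec in records:
        if near_sensitive_site(rec["lat"], rec["lon"], sites):
            removed += 1  # removal, not masking: the row never reaches the client
            continue
        token = hmac.new(feed_key, rec["maid"].encode(), hashlib.sha256).hexdigest()[:16]
        kept.append({
            "device": token,                      # per-feed token instead of the raw MAID
            "date": rec["ts"][:10],               # day granularity, no time of day
            "lat": round(rec["lat"], decimals),   # 2 decimals is roughly 1 km
            "lon": round(rec["lon"], decimals),
        })
    return kept, removed

if __name__ == "__main__":
    rows, removed = scrub_feed(SAMPLE_FEED, feed_key=b"constructed-demo-key")
    print(removed, rows)
```

Run the filter before a feed or free sample is generated, so the sensitive rows never leave the pipeline.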