The [FTC’s May 4, 2026 stipulated order against Kochava Inc.]1 and its successor Collective Data Solutions (CDS) does two things at once: it bans both companies from selling sensitive location data without affirmative express consent, and it shifts the burden of proving that consent exists from app publishers upstream to the broker itself.
What the Order Actually Requires
[The stipulated final order]2, filed in the U.S. District Court for the District of Idaho (Matter No. X230009), covers a defined set of sensitive location categories: medical facilities, religious institutions, schools and childcare centers, domestic violence shelters, and military and federal law enforcement installations. For data touching any of these, Kochava and CDS must obtain standalone plain-language consent separate from their privacy policy or terms of service. The data may only be used for the specific service the consumer requested.
The timelines are compressed. The Sensitive Location Data Program must be implemented within 90 days, with board-level supervision, quarterly reviews, and a requirement to flag sensitive records for deletion within 2 days and complete deletion within 30. A Supplier Assessment Program runs alongside it: new suppliers get 30 days of consent verification before their data can be used; existing suppliers face annual audits. If consent can’t be confirmed, use ceases. Historical data must be de-identified or rendered non-sensitive within 90 days, with written confirmation to the FTC.
Consumer-facing obligations round out the order. Kochava and CDS must disclose buyer identities within 30 days of a consumer request, honor consent withdrawals within 30 days, and process deletion requests within 30 days. A data retention schedule must be published within 60 days. Third-party incidents must be reported to the FTC within 30 days.
How the Case Got Here
[The FTC sued Kochava in August 2022]3, alleging the company sold precise geolocation data linked to millions of mobile devices, including visits to sensitive locations. The first complaint was dismissed in May 2023. An amended complaint survived a motion to dismiss in February 2024. The stipulated order was approved 2-0 by the Commission, with Commissioner Holyoak filing a concurring statement, nearly four years after the original filing.
CDS had taken over Kochava’s data broker business by the time the order was filed, which is why both entities are named. [According to ConsumerAffairs]4, this action is part of a broader FTC campaign targeting location data brokerage that previously reached X-Mode Social (later rebranded as Outlogic) and InMarket Media.
The Consent Burden Shifts Upstream
The standard defense in mobile ad-tech has been that consent lives with the app publisher. The SDK collects data; the app’s privacy policy presumably disclosed this; the broker receives a stream it can reasonably assume was lawfully collected. The FTC’s position, made explicit in the Kochava order, is that this chain of assumptions no longer holds for sensitive location data.
Under the Supplier Assessment Program, Kochava and CDS must actively verify that each supplier’s consent flows are valid. If a supplier can’t demonstrate affirmative express consent for the relevant data, the broker must stop using it. That’s a significant operational requirement for a business built on aggregating SDK-sourced signals from many publishers simultaneously.
[The White & Case analysis via JD Supra]5 identifies the supplier audit requirement as one of six key business takeaways. The practical implication: running a location data pipeline now requires consent documentation that traces to individual data subjects, not just a contractual representation from the publisher. The Kochava Collective product included precise geolocation, a database graph, an app graph, and audience segments. Each component of that pipeline now requires auditable consent provenance for sensitive location categories.
Two Fronts, Same Gap
[The webXray audit showing Google ignores GPC signals 86% of the time]6 traces the same failure on the platform side: users signal opt-out and the signal is discarded. The Kochava order addresses the broker side: sensitive location data flows without verified consent collection in the first place.
Together they outline a supply chain where consent is nominal at both ends. Platforms don’t honor withdrawal signals. Brokers don’t verify that consent was collected before data enters the pipeline. The FTC’s remedy for the broker side is mandatory infrastructure with hard deadlines and board-level accountability. None of that maps onto how the broader broker industry has been operating since 2022.
The 2-0 Commission vote and the precedents from X-Mode and InMarket suggest the FTC is working through a list. Brokers with SDK-sourced location pipelines and thin consent documentation are the logical next targets. The 90-day implementation timeline for both the Sensitive Location Data Program and historical data de-identification is aggressive for any organization building consent verification infrastructure from scratch. That appears to be deliberate: the FTC is pricing in the assumption that compliant infrastructure should already exist, not that companies need time to invent it.
Frequently Asked Questions
Does the consent mandate cover all location data Kochava handles?
The standalone consent and supplier audit requirements target only the enumerated sensitive categories (medical, religious, schools, domestic violence shelters, military and law enforcement). But the order also mandates a comprehensive privacy program — with annual employee training and regular risk assessments reported to the board — that applies to Kochava/CDS’s operations broadly, creating standing compliance overhead even for non-sensitive data products.
How does the Kochava order differ from the X-Mode and InMarket settlements?
Those prior actions were conduct prohibitions — stop selling data without consent. Kochava layers on standing organizational obligations: annual employee training on sensitive data handling, regular risk assessments, and a comprehensive privacy program with its own 90-day implementation deadline separate from the Sensitive Location Data Program. These persist regardless of whether Kochava handles sensitive location data in the future, making compliance an ongoing operating cost rather than a one-time behavior change.
What makes retroactive de-identification hard for Kochava’s data specifically?
Kochava’s Collective product fused precise geolocation with database graph, app graph, and audience segment layers — location traces were stored as nodes in interconnected graph structures, not standalone rows in a flat table. De-identifying data embedded in cross-referenced graphs and segmentation models requires unwinding linkages across all four product components simultaneously, a harder technical problem than scrubbing isolated records.
What does the 2-0 Commission vote signal for other location data brokers?
The FTC normally seats five commissioners. A 2-0 vote means only two members were seated — and both approved, with Commissioner Holyoak filing a concurrence rather than a dissent. That unanimous signal from a pared-down commission, combined with timelines that assume compliance capacity already exists rather than allowing time to build it, suggests the FTC expects the industry to meet this consent-verification standard proactively rather than waiting for individual enforcement actions to phase it in.