The FTC’s May 4, 2026 stipulated order against Kochava Inc. and its successor Collective Data Solutions (CDS) does two things at once: it bans both companies from selling sensitive location data without affirmative express consent, and it shifts the burden of proving that consent exists from app publishers upstream to the broker itself. The order is stipulated, meaning the defendants agreed to it rather than losing a trial, and it runs for 10 years. It carries no monetary penalty. [Updated June 2026] The defendants signed in March 2026 and the FTC filed the document on May 4; as of late June 2026 it was before the U.S. District Court for the District of Idaho for entry, the step that gives a stipulated order the force of law.
What the Order Actually Requires
The proposed stipulated order, filed in the U.S. District Court for the District of Idaho (Matter No. X230009), covers a defined set of sensitive location categories. [Updated June 2026] The list the FTC has repeatedly emphasized runs to reproductive health clinics, medical facilities, places of worship, domestic violence and homeless shelters, addiction recovery facilities, schools and childcare centers, and military and federal law enforcement installations. For data touching any of these, Kochava and CDS must obtain standalone plain-language consent separate from their privacy policy or terms of service. The data may only be used for the specific service the consumer requested.
The timelines are compressed. The Sensitive Location Data Program must be implemented within 90 days, with board-level supervision, quarterly reviews, and a requirement to flag sensitive records for deletion within 2 days and complete deletion within 30. A Supplier Assessment Program runs alongside it: new suppliers get 30 days of consent verification before their data can be used; existing suppliers face annual audits. If consent can’t be confirmed, use ceases. Historical data must be de-identified or rendered non-sensitive within 90 days, with written confirmation to the FTC.
Consumer-facing obligations round out the order. Kochava and CDS must disclose buyer identities within 30 days of a consumer request, honor consent withdrawals within 30 days, and process deletion requests within 30 days. A data retention schedule must be published within 60 days. Third-party incidents must be reported to the FTC within 30 days.
How the Case Got Here
The FTC sued Kochava in August 2022, alleging the company sold precise geolocation data linked to millions of mobile devices, including visits to sensitive locations. The first complaint was dismissed in May 2023. An amended complaint survived a motion to dismiss in February 2024. The stipulated order was approved 2-0 by the Commission, with Commissioner Holyoak filing a concurring statement, nearly four years after the original filing. [Updated June 2026] The settlement is behavioral relief only. The agency extracted no fine, consistent with the FTC’s narrowed monetary authority under Section 13(b) since the Supreme Court’s 2021 AMG Capital decision, which stripped its power to seek equitable money damages in federal court for most conduct.
CDS had taken over Kochava’s data broker business by the time the order was filed, which is why both entities are named. According to ConsumerAffairs, this action is part of a broader FTC campaign targeting location data brokerage that previously reached X-Mode Social (later rebranded as Outlogic) and InMarket Media.
The Consent Burden Shifts Upstream
The standard defense in mobile ad-tech has been that consent lives with the app publisher. The SDK collects data; the app’s privacy policy presumably disclosed this; the broker receives a stream it can reasonably assume was lawfully collected. The FTC’s position, made explicit in the Kochava order, is that this chain of assumptions no longer holds for sensitive location data.
Under the Supplier Assessment Program, Kochava and CDS must actively verify that each supplier’s consent flows are valid. If a supplier can’t demonstrate affirmative express consent for the relevant data, the broker must stop using it. That’s a significant operational requirement for a business built on aggregating SDK-sourced signals from many publishers simultaneously.
The White & Case analysis via JD Supra identifies the supplier audit requirement as one of six key business takeaways. The practical implication: running a location data pipeline now requires consent documentation that traces to individual data subjects, not just a contractual representation from the publisher. The Kochava Collective product included precise geolocation, a database graph, an app graph, and audience segments. Each component of that pipeline now requires auditable consent provenance for sensitive location categories.
The State-Law Backdrop the Order Arrives Into
[Updated June 2026] The order is a federal capstone on a problem the states have already been legislating around it. The Proskauer analysis makes the point bluntly: the FTC settled a four-year-old case into a landscape that state privacy law reshaped while the litigation dragged. California’s DELETE Act now requires data brokers to honor a single deletion request through the state’s DROP portal, which the California Privacy Protection Agency is standing up for centralized opt-outs. Virginia expanded its consumer privacy law in April 2026 to bar the sale of precise geolocation data outright. Connecticut’s SB 4, signed May 27, 2026, adds a California-style centralized deletion mechanism due by 2028. A growing list of states already classify precise location as sensitive data requiring opt-in consent, which is most of what the Kochava order extracts as a one-off remedy.
That overlap cuts two ways. For a broker already building toward state compliance, the Kochava obligations are not a new architecture so much as documentation the company should arguably have on hand. For the FTC, the case is a reminder of how slow federal enforcement is relative to legislatures: a complaint filed in 2022, dismissed once, amended, litigated through a motion to dismiss, and finally resolved in 2026 produced a 10-year order covering one company. State statutes reached the entire industry faster. The strategic read is that the FTC is setting a national floor for conduct that does not depend on which state a consumer lives in, while the states set the ceiling. Neither layer answers the harder question of enforcement: a consent-verification mandate is only as strong as the audits that test it, and the order leaves the FTC dependent on the same compliance reports it is requiring Kochava to file.
There is also a federalism wrinkle worth flagging. A consent definition that varies by jurisdiction, opt-in in Virginia, deletion-portal mechanics in California and Connecticut, affirmative express consent in the FTC order, forces brokers to engineer to the strictest standard or to geo-fence their consent flows. Geo-fencing consent is itself a location-data problem, which is the kind of recursion the industry has spent years trying to avoid acknowledging. Groundy’s reporting on Canada’s ruling that OpenAI trained ChatGPT on medical and ideological data tracks the same fault line on a different surface: regulators converging on the idea that sensitive-category data needs provenance, not just a contractual assurance that someone, somewhere, clicked agree.
Two Fronts, Same Gap
The webXray audit showing Google ignores GPC signals 86% of the time traces the same failure on the platform side: users signal opt-out and the signal is discarded. The Kochava order addresses the broker side: sensitive location data flows without verified consent collection in the first place.
Together they outline a supply chain where consent is nominal at both ends. Platforms don’t honor withdrawal signals. Brokers don’t verify that consent was collected before data enters the pipeline. The FTC’s remedy for the broker side is mandatory infrastructure with hard deadlines and board-level accountability. None of that maps onto how the broader broker industry has been operating since 2022.
The 2-0 Commission vote and the precedents from X-Mode and InMarket suggest the FTC is working through a list. Brokers with SDK-sourced location pipelines and thin consent documentation are the logical next targets. The 90-day implementation timeline for both the Sensitive Location Data Program and historical data de-identification is aggressive for any organization building consent verification infrastructure from scratch. That appears to be deliberate: the FTC is pricing in the assumption that compliant infrastructure should already exist, not that companies need time to invent it.
Frequently Asked Questions
Does the consent mandate cover all location data Kochava handles?
The standalone consent and supplier audit requirements target only the enumerated sensitive categories (medical, religious, schools, domestic violence shelters, military and law enforcement). But the order also mandates a comprehensive privacy program, with annual employee training and regular risk assessments reported to the board, that applies to Kochava/CDS’s operations broadly, creating standing compliance overhead even for non-sensitive data products.
How does the Kochava order differ from the X-Mode and InMarket settlements?
Those prior actions were conduct prohibitions, stop selling data without consent. Kochava layers on standing organizational obligations: annual employee training on sensitive data handling, regular risk assessments, and a comprehensive privacy program with its own 90-day implementation deadline separate from the Sensitive Location Data Program. These persist regardless of whether Kochava handles sensitive location data in the future, making compliance an ongoing operating cost rather than a one-time behavior change.
What makes retroactive de-identification hard for Kochava’s data specifically?
Kochava’s Collective product fused precise geolocation with database graph, app graph, and audience segment layers, location traces were stored as nodes in interconnected graph structures, not standalone rows in a flat table. De-identifying data embedded in cross-referenced graphs and segmentation models requires unwinding linkages across all four product components simultaneously, a harder technical problem than scrubbing isolated records.
What does the 2-0 Commission vote signal for other location data brokers?
The FTC normally seats five commissioners. A 2-0 vote means only two members were seated, and both approved, with Commissioner Holyoak filing a concurrence rather than a dissent. That unanimous signal from a pared-down commission, combined with timelines that assume compliance capacity already exists rather than allowing time to build it, suggests the FTC expects the industry to meet this consent-verification standard proactively rather than waiting for individual enforcement actions to phase it in.
Did Kochava pay a fine?
No. The order is behavioral relief only: a sale ban, the consent and supplier programs, and consumer-rights deadlines, with no civil penalty or disgorgement. That tracks the FTC’s reduced monetary authority after the Supreme Court’s 2021 AMG Capital ruling, which held that Section 13(b) does not authorize the agency to seek equitable monetary relief in federal court. Without a separate penalty statute in play, a 13(b) case like this one buys conduct change, not money. The teeth are the 10-year term and the threat of contempt if Kochava or CDS violates it.
How does the order compare to state location-data laws?
It overlaps heavily and arrives later. Several states already treat precise geolocation as sensitive data requiring opt-in consent: Virginia banned precise-location sales outright in an April 2026 amendment, and California and Connecticut are building centralized deletion portals under the DELETE Act and SB 4 respectively. The FTC order’s affirmative-express-consent requirement is roughly the federal-enforcement equivalent of those opt-in rules, but it binds one company rather than an industry. For a broker already engineering toward the strictest state standard, the marginal cost of the Kochava obligations is mostly the auditable supplier-consent documentation, not a wholly new compliance architecture.