Tuesday, May 5, 2026

The Useful Daily

AI news that actually helps your business

Home📰 news
The FTC Just Banned a Data Broker From Selling Your Customers' Location Data. Here's What That Means for Small Business.

The FTC Just Banned a Data Broker From Selling Your Customers' Location Data. Here's What That Means for Small Business.

Kochava tracked hundreds of millions of phones - including who visited health clinics, churches, and shelters. The FTC's settlement sets a new standard for what location data brokers can and can't do. If you use any marketing tech that targets by location, this affects your supply chain.

By Sam Torres · May 5, 2026 · 5 min read

A data broker called Kochava collected precise GPS location data from hundreds of millions of mobile devices and sold it to advertisers and marketers - without getting any consent from the people being tracked.

On May 4, the Federal Trade Commission announced a settlement that will largely shut that practice down.

It's a landmark case. But the reason it matters to small business owners isn't just about Kochava. It's about the entire ecosystem of location-based marketing tools that most small businesses use without realizing where the data comes from.

What Kochava was doing

Kochava built its business by ingesting location data from apps - often through software development kits (SDKs) that were baked into popular mobile apps. When you open a weather app or a game, that app might quietly share your location with a company you've never heard of.

Kochava aggregated that data, built profiles, and sold it. The FTC alleged that Kochava's data could pinpoint when someone visited a reproductive health clinic, a place of worship, a domestic violence shelter, or a mental health facility. That kind of data is a surveillance tool, not a marketing tool.

The FTC sued in August 2022. Three and a half years later, the settlement is here.

What the settlement requires

Under the terms of the proposed order - still pending approval by a federal judge - Kochava and its subsidiary Collective Data Solutions (CDS) must:

  • Stop selling sensitive location data entirely unless the consumer gives affirmative, express consent and the data is used for a service they directly requested
  • Build a formal program to identify and block sensitive locations from any data they sell or share
  • Verify consent on all location data they acquire from third parties, not just their own collection
  • Give consumers the right to see who their data was sold to and to opt out
  • Delete data on a schedule - no more indefinite retention

The FTC vote was 2-0.

Why this matters to small businesses - even if you've never heard of Kochava

Here's the less obvious part: Kochava wasn't the only company doing this. It was one of a network of data brokers who sell location data to ad tech platforms - including the ones behind the "targeted local ads" that small business owners buy every week.

When you run a geofenced Facebook ad, a Google local campaign, or a hyperlocal digital ad through a regional agency, there's often a chain of data suppliers behind the scenes. Some of that location intelligence has historically come from brokers operating exactly like Kochava.

The FTC's action signals that this supply chain is under scrutiny. More enforcement is likely. That has two practical implications:

1. Location-based ad targeting may get less precise. As data brokers are forced to require consent and delete non-consented data, the inventory of precise location signals shrinks. If your entire marketing strategy relies on reaching "people who walked past a competitor in the last 30 days," that targeting may become less reliable or more expensive.

2. You are not liable for upstream data practices - but you could be associated with them. Small businesses are generally not held responsible for what their ad platforms do with third-party data. But consumer trust is another matter. If a customer asks how you're targeting them, "I buy location data from a broker who got it without consent" is not a great answer. Knowing where your marketing data comes from is increasingly good business practice.

The "sensitive locations" category is the core of this

The FTC's case turned on the concept of sensitive locations - places where knowing someone visited reveals something deeply private about them. The settlement establishes a legal obligation to create a comprehensive list of those locations and block them from data products.

The settlement names health facilities - including reproductive clinics and mental health providers - houses of worship, domestic violence shelters, correctional facilities, and homeless shelters as examples.

This is the FTC essentially defining a floor: there are some categories of location data that are too sensitive to sell, period, regardless of whether the consumer "agreed" to an opaque app permissions box.

What small businesses should actually do

Three concrete steps:

Ask your ad agency or platform where their location data comes from. Most won't give you a complete answer, but asking signals that you care. If they use a data broker network, ask whether that broker requires consumer consent. "We don't know" is an acceptable answer - and tells you something.

Use first-party data where possible. The most defensible location-based marketing is built on data your customers gave you directly - their address from a purchase, their ZIP code from your loyalty signup, their store visits tracked via your own app with explicit permission. That data doesn't touch the broker supply chain at all.

Watch what comes next. The FTC has signaled aggressive enforcement on data brokers. More settlements - and potentially new rules - are likely this year. This isn't a one-time event.

The bottom line

The FTC just established that collecting precise location data without consent - especially data that reveals visits to sensitive places - is an unfair business practice under federal law.

That's a significant line to draw. The Kochava case took three and a half years to resolve. The message to the data broker industry is that the FTC will spend that time. For small businesses, the message is simpler: the location data ecosystem is changing, and the ad targeting tools you use today may look different in 18 months.

Source: FTC press release, May 4, 2026 - "FTC to Ban Kochava and Subsidiary from Selling Sensitive Location Data" (ftc.gov); FTC original complaint, August 2022.

Sam Torres covers AI news for The Useful Daily. She spent 12 years as a local business journalist. She breaks it down so you can get back to running your business.

Are you overpaying for AI tools?

Most small businesses waste $150+/month on tools they don't need. Find out in 2 minutes.

Take the Free AI Audit →

Liked this? There's more where that came from.

Every Sunday we send the week's best AI tips for your business. Free. No spam. Ever.

← Back to all stories