Kochava & Epic Games: Important FTC Cases

By Kewa Jiang

In August 2022, the Federal Trade Commission (FTC) brought enforcement actions against data broker Kochava. In the complaint, the FTC alleges Kochava violated “unfair or deceptive acts or practices” in its sale of sensitive precise mobile geolocation data. The data includes consumers’ mobile advertising I.D. (MAID), which is assigned to every mobile device, and time stamped coordinates of consumers’ locations. The FTC describes how the data that is not anonymized can be re-identified and used to track consumers over time to reveal private characteristics, such as sexual orientation, health status, or religious affiliation. For example, the location data can reveal that a consumer visited a reproductive health clinic, place of worship, addiction center, homeless shelter, or domestic abuse shelter. The FTC alleges that such exposure of private characteristics can cause “injures or is likely to injure consumers through exposure to stigma, discrimination, physical violence, emotional distress, and other harms.”

The FTC also outlines how easy it is for the public to access the sensitive data of millions of consumers from Kochava via Amazon Web Services (AWS) Marketplace. Buyers can create a free AWS account with their personal email, subscribe to Kochava’s data feed, and designate their purchase as for business use. Buyers can choose from a free sample of the data feed, a data sample that covers only seven-days, or a longer subscription for $25,000. The agency alleges Kochava lacks “any meaningful controls over who accesses its location data feed.”

EPIC Games Agree to $520 Million Settlement with the FTC  

In December 2022, Epic Games, the creator of the popular video game Fortnite, settled two separate complaints brought by the FTC. In one complaint, the FTC alleges Epic violated the Children Online Privacy Protection Act (COPPA) by collecting data of users 13 years old or younger without parental consent and using unfair default privacy settings for voice and text communications. For instance, Epic failed to implement verified parental consent and did not disable voice and text communications by default when young users were matched to play with strangers. As a result, young users were bullied, harassed, and threatened. Epic agreed to pay $275 million, the largest COPPA violation fine. Additionally, Epic will be required to create default privacy settings that better protect its young users and to delete certain personal information of children that were previously collected.

In a separate complaint, the FTC alleges Epic used “dark patterns,” user-interface designs that push users towards certain behaviors, that led to unauthorized in-game purchases by young users or unintended purchases by console users of all ages. Many users were unaware their payment information was saved to their account or that they made an unintended in-game purchase. But, when users disputed payment charges as fraudulent or unauthorized, Epic would deactivate users’ access to their accounts. Epic agreed to pay $245 million to refund users and must provide a simple mechanism for users to revoke consent at any time for charges for in-game purchases.