Hello all, and happy Thursday!
The FTC this week banned data broker Kochava and its subsidiary from selling precise location data—data tied to hundreds of millions of devices and traceable to visits at health clinics, places of worship, and other sensitive locations—without consumers' affirmative, express consent.
The settlement terms are worth reading closely, because they look less like a punishment and more like a blueprint. Kochava must now build supplier assessment programs, maintain a comprehensive list of sensitive location categories, honor consumer opt-out requests, and enforce data retention schedules. These are the hallmarks of a mature privacy program, especially for an organization involved in handling risky data like geolocation.
While these requirements are instructive, the order’s consent requirement is particularly interesting. Under this settlement, Kochava will have to secure affirmative, opt-in consent directly tied to fulfilling a service the consumer actually requested before selling, licensing, transferring, sharing, or disclosing geolocation data.
It’s no secret that opt-in consent means less data. How will data brokerages pivot as more and more states–and now the FTC–require opt-in consent for the sale of sensitive personal information? It’s important to remember, too, that this isn’t a risk limited to data brokers; anybody reliant on sensitive personal information like consumer geolocation likely has to meet an opt-in standard of consent under numerous state privacy laws. As enforcement ramps up in the US, are businesses prepared to meet this shift?
Best,
Arlo
Highlights From Osano
Blog: The SECURE Data Act: A Federal Privacy Framework (But for Real This Time?)
On April 22, 2026, Rep. John Joyce (R-PA) introduced the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act, or SECURE Data Act. It’s the first major federal consumer privacy bill released in years—will this time be different?
Events
Webinar: The Missing Ingredient in Most First-/Zero-Party Data Strategies? Effective Consent Management.
With the future of third-party data trackers looking increasingly uncertain, savvy marketers are investing in first- and zero-party data strategies. They’re optimizing every aspect of their strategies, except for one: collecting and managing consent. In this webinar, Osano experts provide guidance for marketers looking to solve the consent management aspect of their data strategy.
May 14th, 1 PM EST
The data broker Kochava has agreed to refrain from selling or disclosing certain sensitive location data without consumers' affirmative consent, in order to settle privacy charges brought by the Federal Trade Commission. If approved, the settlement will resolve claims by the FTC that Kochava sold the type of geolocation data that could expose information such as visits to doctors' offices or religious institutions.
Ireland's Data Protection Commission has opened an inquiry into Chinese online retailer Shein over the transfer of European users' data to China, the company's lead EU privacy regulator said on Tuesday. The DPC, which has the power to impose heavy fines, will examine and assess the extent to which the company's Europe, Middle East, and Africa headquarters in Dublin has complied with its relevant obligations under the GDPR.
In a recent editorial, the Electronic Privacy Information Center (EPIC) clarifies its position on the recently proposed federal data privacy bill, the SECURE Data Act, calling it “worse than any privacy law we have evaluated.” Chief among EPIC’s criticisms is the law’s broad preemption, which would eliminate stronger protections in states and shut down long-standing privacy protections across the country.
Companies are increasingly turning to AI to support or run their customer service operations, potentially opening the door to significant legal risks. Few states have AI-specific laws on the books, but regulators and plaintiffs’ attorneys are relying on older laws (wiretap, biometrics, common law privacy, etc.) to challenge these new practices. Recent court cases show that AI transcription opens companies up to lawsuits under wiretap laws like the California Invasion of Privacy Act, or CIPA.
Security researcher Alexander Hanff has published a new analysis claiming that Google Chrome is silently downloading a roughly 4GB on-device AI model to users' machines without notice or consent. According to Hanff, the behavior mirrors a separate issue he recently identified involving Anthropic's desktop software, and together the two cases point to a broader pattern of how large tech companies deploy AI features.
There's more to explore:
The book inspired by this newsletter: Osano CEO Arlo Gilbert covers the history of data privacy and how companies can start building a privacy program from the ground up.