FTC order against Kochava: what “affirmative express consent” requires
A June 26, 2026 FTC stipulated order restricts Kochava from selling sensitive location data unless it gets “Affirmative Express Consent” tied to a service the consumer requested.
The FTC’s legal library lists a key court filing dated June 26, 2026 in FTC v. Kochava, Inc.—a stipulated order that restricts how Kochava (and covered related entities) may handle sensitive location data.
One practical takeaway: the order doesn’t treat location as a generic commodity. It requires “Affirmative Express Consent”—and it limits what companies can do with sensitive location data even after a consumer interacts.
Timing note: the FTC timeline item is dated June 26, 2026, while the order PDF includes an internal stamp indicating it was “Filed 06/25/26.”
What changed on June 26, 2026
On June 26, 2026, the FTC legal library timeline shows the entry of a stipulated order in the Kochava case. The order sets enforceable rules for the parties it covers.
Importantly for readers: this is case-specific and binds the covered defendants and covered entities described in the order—it is not presented as an automatic, one-size-fits-all nationwide rule for every data broker.
The core restriction: no selling/sharing/disclosure without the order’s consent test
The stipulated order restricts the transfer, sharing, or disclosure of sensitive location data except under conditions the order spells out. In the order’s own structure, the prohibitions do not apply if (1) the company has a direct relationship with the consumer tied to the sensitive location data, (2) the consumer has provided Affirmative Express Consent, and (3) the sensitive location data is used to provide a service directly requested by the consumer.
What “Affirmative Express Consent” must look like in practice
The order defines “Affirmative Express Consent” as a freely given, specific, informed, and unambiguous indication of a consumer’s wishes demonstrating agreement—after a Clear and Conspicuous disclosure to the individual.
The order also says the Clear and Conspicuous disclosure must be separate from privacy policy/terms-of-service-type documents, and it states what doesn’t count—for example, it says consent can’t be inferred from hovering, muting, pausing, or closing content.
Compliance isn’t optional: a “Sensitive Location Data Program” and ongoing controls
The order requires covered defendants to establish and maintain a “Sensitive Location Data Program” with specific operational components. For example, the program must be established within 90 days of the order’s entry, and it includes repeated oversight steps such as assessing and updating the sensitive-location list at least once every three months, including monitoring/testing intended to prevent prohibited sale, licensing, transfer, sharing, or disclosure.
Consumer notice and deletion duties
The order also builds in consumer-facing obligations. It requires customer notice—such as providing a copy of the order to customers who received covered location data within a defined lookback period—and it requires consumer pathways to request deletion, with deletion timeframes spelled out in the order.
Who is affected, and what to watch next
Affected directly: Kochava and the related entities covered by the stipulated order in FTC v. Kochava, Inc.
What to watch next: how the covered defendants operationalize the consent definition (especially the “Clear and Conspicuous” disclosure and the “directly requested” use limits), how they maintain the Sensitive Location Data Program over time, and whether the FTC follows up with additional enforcement or guidance in similar location-data arrangements.
Sources
Discover more from Interactive News
Subscribe to get the latest posts sent to your email.