Data Brokers' Auction Layer Escapes Kochava Settlement Reforms
While the FTC's Kochava settlement bans sensitive location data sales, real-time bidding exchanges and enterprise data pipelines still operate beyond regulatory reach, leaving hundreds of data brokers unaddressed.
On May 4, 2026, the Federal Trade Commission announced a proposed settlement that will prohibit data broker Kochava and its subsidiary Collective Data Solutions from selling, licensing, transferring, sharing or disclosing sensitive location data without consumers' affirmative express consent. The order, which settled nearly four years of litigation, represented the agency's most aggressive posture yet toward a data-broker industry that has operated for decades largely beyond the reach of federal privacy law.
The FTC's original complaint, filed in 2022, alleged that Kochava sold geolocation data tied to hundreds of millions of mobile devices, data precise enough to trace individuals to reproductive health clinics, domestic violence shelters, and places of worship. As The Verge reported, the settlement prohibits the company from selling sensitive location data without express consent, language that tracked the agency's theory that the mere sale of such data constituted an unfair practice under Section 5 of the FTC Act. The order requires Kochava to delete the sensitive location data it already holds and to establish a sensitive-location-data purging programme for data it receives from third parties.
But the settlement, for all its precedential weight, addresses only one node in a sprawling data-broker ecosystem that has evolved well beyond location pings on a smartphone. The architecture that makes Kochava's business possible, the auction layer where personal data is sliced, priced, and sold in sub-second transactions, remains almost entirely unregulated. And the feedstock powering that auction is no longer limited to app-based telemetry. It now includes enterprise data drawn from ERP systems, supply-chain platforms, and connected-vehicle telematics, each pipeline operating under its own ambiguous consent framework.
The real-time bidding infrastructure that underpins digital advertising processes billions of bid requests per day, each one carrying device identifiers, location coordinates, browsing history, and inferred demographic profiles. In October 2025, Amazon Web Services launched AWS RTB Fabric, a real-time bidding service designed to bring the company's cloud infrastructure directly into the programmatic advertising supply chain. Variety reported that the service would allow advertisers and media companies to run auctions on AWS infrastructure, effectively embedding the auction layer deeper into the enterprise cloud stack where corporate data already lives.
That convergence is not accidental. Forbes contributor Robert Kramer wrote in March 2026 that ERP data now plays a central role in the enterprise data ecosystem, connecting core business transactions with analytics environments and emerging AI platforms. The same ERP systems that track inventory, payroll, procurement, and customer orders are increasingly connected to external data marketplaces and identity-resolution services, often through API integrations sold as enterprise analytics upgrades. The result is that purchase histories, supply-chain relationships, and workforce data become available as enrichment signals in the same bidstream that carries a user's location from their weather app.
The data flow is difficult to map end to end because no single entity sees the full chain. A mobile SDK embedded in a shopping app collects device-level signals and sends them to an analytics provider like Kochava. That provider enriches the data with hashed email addresses or mobile ad IDs and passes it to a data marketplace. The marketplace makes the data available to bidders in real time through supply-side platforms and demand-side platforms, each of which may append additional third-party data segments purchased from enterprise data vendors. An ERP data extract, perhaps a retailer's transaction log or a manufacturer's shipment record, enters the same auction environment through a separate data-onboarding vendor, matched probabilistically to the same device graph.
The scale is documented, though unevenly. Kochava itself had claimed in court filings, as Bleeping Computer reported, that its data marketplace contained location information linked to millions of mobile devices. But location data is only the most visible category. The data-broker industry also trades in health-inference data, financial-propensity scores, and employment-status flags, much of it derived from enterprise records that were never collected for advertising purposes. Every new category of enterprise data that enters the auction layer expands the surface area of surveillance without expanding the legal framework that governs it.
"The Federal Trade Commission will prohibit data broker Kochava and its subsidiary from selling, sharing or disclosing sensitive location data without consumers' affirmative express consent." (FTC press release, May 4, 2026)
California has moved faster than the federal government to impose structural obligations on the data-broker industry. In January 2026, the state launched the Data Rights Opportunity Platform, or DROP, a web portal that allows California residents to submit a single deletion request to every data broker registered with the state. The Los Angeles Times reported that the platform was built under the Delete Act, the 2023 law that established the first mandatory data-broker registry in the United States and gave the California Privacy Protection Agency authority to enforce deletion requests across all registered brokers simultaneously.
The DROP system is the closest any US jurisdiction has come to creating a one-button mechanism for opting out of the data-broker economy, but its reach depends entirely on compliance by the brokers themselves. As of May 2026, more than 500 data brokers were registered in California, according to JD Supra's analysis of the state's evolving requirements. The registry includes familiar names in programmatic advertising, but it also captures companies whose primary business is enterprise software, credit reporting, or fraud detection, firms that may not define themselves as data brokers even when their data flows into the auction layer.
The state's enforcement appetite appears to be growing. On May 8, 2026, California Attorney General Rob Bonta announced a record $12.75 million settlement with General Motors over the automaker's collection and sale of connected-vehicle data without adequate consumer notice or opt-out mechanisms. JD Supra reported that California regulators characterised the settlement as the largest CCPA penalty in the state's history and its first data-minimisation enforcement action. The GM case signals that the state is willing to pursue not only traditional data brokers but also manufacturers whose products generate data streams that were never meaningfully disclosed to consumers.
The Regulatory Patchwork
The gap between what the FTC can do under Section 5 and what state regulators can do under comprehensive privacy statutes is widening. The Kochava settlement, however significant, applies to one company's handling of one category of data. It does not establish a general prohibition on the sale of sensitive location data, nor does it impose obligations on the exchanges, marketplaces, and identity graphs through which Kochava's data flowed. The FTC's authority remains case by case, bounded by the unfairness standard and the agency's willingness to litigate against well-funded defendants.
California's legislature is attempting to close some of those gaps legislatively. In late May 2026, the state Senate unanimously passed SB 923, a bill sponsored by Senator Josh Becker that would strengthen Californians' right to delete personal data by requiring data brokers to process deletion requests within 30 days and to notify downstream recipients of the data. The bill's unanimous passage, rare for privacy legislation, reflects a growing political consensus that the existing opt-out architecture places an unreasonable burden on individuals.
Yet the legislative approach still treats data brokerage as a registration-and-opt-out problem rather than an architecture problem. The auction layer itself (the real-time bidding protocol, the device graph, the identity-resolution vendors, the supply-side platforms that package and price inventory) is not addressed by any state privacy law currently in force. Consent, where it is collected at all, is gathered by the app or website that sits at the very edge of the data flow, not by the dozens of intermediaries that receive, enrich, and resell the data milliseconds later. The consumer who taps "Accept" on a cookie banner has no way of knowing that their decision will authorise a bid request containing their location, device ID, and inferred household income to travel through five companies before the page finishes loading.
What the Architecture Conceals
The structural opacity of the auction layer is not a bug. The Interactive Advertising Bureau's Transparency and Consent Framework, which governs how consent signals are passed through the programmatic supply chain, relies on a chain of trust in which each participant asserts that it has a lawful basis to process the data it receives. But audits by academic researchers have repeatedly found that consent signals are stripped, ignored, or overwritten as data moves through the bidstream. A 2025 study by researchers at University College London and the University of Edinburgh, which crawled programmatic auctions across European publishers, found that more than 60 percent of bid requests containing sensitive data categories were transmitted after the user had explicitly rejected consent for those categories.
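The kind of check such an audit performs can be sketched in a few lines. This is an added example, not code from the article or from the study it cites: it decodes the TCF v2 consent string carried in an OpenRTB-style bid request and flags requests whose payload exceeds the signal. The sample requests are constructed, and tying GPS-typed coordinates to Special Feature 1 and advertising IDs to Purpose 1 is this example's assumed policy.

```python
import base64

# Bit offsets in the TCF v2 core segment of the TC string.
SPECIAL_FEATURES_AT, PURPOSES_AT, CORE_BITS = 140, 152, 176

def tc_bits(tc_string):
    """Decode the core segment (text before the first '.') into a bit string."""
    core = tc_string.split(".")[0]
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    return "".join(f"{b:08b}" for b in raw).ljust(CORE_BITS, "0")

def make_tc(special_features=(), purposes=()):
    """Build a constructed TC string for the samples (metadata fields zeroed)."""
    bits = ["0"] * CORE_BITS
    bits[0:6] = "000010"  # Version = 2
    for n in special_features:
        bits[SPECIAL_FEATURES_AT + n - 1] = "1"
    for n in purposes:
        bits[PURPOSES_AT + n - 1] = "1"
    raw = int("".join(bits), 2).to_bytes(CORE_BITS // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def audit(bid_request):
    """List the ways a bid request's payload exceeds its consent signal."""
    device, user = bid_request.get("device", {}), bid_request.get("user", {})
    geo = device.get("geo", {})
    # OpenRTB 2.6 carries the string in user.consent, 2.5 in user.ext.consent.
    consent = user.get("consent") or user.get("ext", {}).get("consent")
    precise_geo = geo.get("type") == 1 and "lat" in geo and "lon" in geo
    if not consent:
        leaked = precise_geo or bool(device.get("ifa"))
        return ["identifiers present with no consent string"] if leaked else []
    bits, findings = tc_bits(consent), []
    # Assumed policy: GPS coordinates need Special Feature 1 (precise
    # geolocation); an advertising ID needs Purpose 1 (device storage/access).
    if precise_geo and bits[SPECIAL_FEATURES_AT] != "1":
        findings.append("precise geolocation without Special Feature 1 opt-in")
    if device.get("ifa") and bits[PURPOSES_AT] != "1":
        findings.append("advertising ID without Purpose 1 consent")
    return findings

DEV = {"ifa": "constructed-ifa", "geo": {"type": 1, "lat": 51.52, "lon": -0.13}}
SAMPLES = {  # constructed bid requests, not captured traffic
    "consented": {"device": DEV, "user": {"consent": make_tc((1,), (1,))}},
    "rejected": {"device": DEV, "user": {"consent": make_tc()}},
    "stripped": {"device": DEV, "user": {}},
}

def audit_samples():
    return {name: audit(req) for name, req in SAMPLES.items()}
```

The "stripped" case is the one no downstream recipient can resolve on its own: once the consent string is gone, the request looks the same whether the user was never asked or refused.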
The European Union's General Data Protection Regulation provides a sharper enforcement framework than anything available in the United States (regulators in Ireland, France, and Belgium have issued fines against adtech companies for unlawful data sharing in the RTB system), but even the GDPR has struggled to reach the full depth of the auction layer. NOYB, the Austrian privacy group led by Max Schrems, has filed scores of complaints arguing that RTB constitutes a systematic violation of the GDPR's purpose-limitation and data-minimisation principles. Enforcement, however, has been slow. The Irish Data Protection Commission took nearly four years to issue a decision on RTB-related complaints against IAB Europe, and the fine, when it arrived in 2024, was 1 million euros, a fraction of the revenue generated by the targeted advertising ecosystem in a single hour.
What makes the current moment different is that the data-broker ecosystem is no longer just an adtech problem. As the Forbes analysis of ERP data integration makes clear, enterprise data that was once siloed inside corporate IT systems is now being piped into the same cloud environments that power the programmatic auction. Microsoft Build 2026, held in early June, showcased a suite of tools designed to connect ERP platforms directly to AI model training pipelines and customer-data platforms, according to Forbes contributor Robert Kramer. The boundaries between enterprise analytics, AI training data, and advertising targeting are dissolving, and the legal frameworks that govern each domain were written for a world where those boundaries existed.
Regulators on both sides of the Atlantic are beginning to recognise that the data-broker problem cannot be solved by going after brokers one at a time. The UK's Information Commissioner's Office has opened a consultation on regulating data intermediaries as a distinct category. The European Data Protection Board is drafting guidelines on the use of enterprise data in programmatic advertising. And in the United States, the FTC's Kochava settlement includes a provision requiring the company to provide a model for how other data brokers should handle sensitive location data, a signal that the agency views this enforcement action as a template, not a one-off.
The next checkpoint arrives in late 2026, when California's Privacy Protection Agency is expected to release the first enforcement report under the Delete Act, disclosing how many deletion requests were submitted through DROP and how many brokers complied. That report will provide the first systemic measure of whether the registration-and-deletion model can work at scale. The numbers will matter. But what matters more is the question the Kochava settlement could not answer: whether any regulatory framework built on individual consent can govern a data architecture designed to make consent impossible to trace.