How This Briefing Works
This report opens with key findings, then maps the gaps between what Kochava discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Analysis pending. Findings will appear here once intelligence collection is complete.
Claims vs. Observed Behavior
pending_verification
“Privacy Profiles limit SDK data collection”
The feature exists per documentation, but its effectiveness depends on default configurations and on whether privacy blocks cover all sensitive data categories beyond the settlement requirements.
pending_verification
“Radical data transparency with raw data access”
Transparency about data collection does not address the risk of that data being resold or used beyond the measurement relationship. Awaiting scanner verification of actual SDK data collection scope.
pending
“Awaiting full scanner observation”
Analysis based on FTC filings, court documents, public documentation, and settlement terms. Runtime SDK behavior and current data sharing practices require direct observation.
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
Recommended Actions for Kochava
- →Immediately assess whether your Kochava SDK deployment contributes location data to the data brokerage pipeline and implement Privacy Profiles to restrict collection to attribution-only signals.
- →Review your organization's data processing agreements with Kochava for clauses permitting secondary use, resale, or aggregation of data collected through your application.
- →Evaluate migration to an MMP that does not operate data brokerage operations alongside measurement services, given the structural conflict of interest.
- →Document your Kochava relationship in privacy impact assessments and be prepared to address regulator inquiries about data supply chain participation.
- →Monitor the ongoing FTC case and the class-action settlement injunction expiration timeline to anticipate changes in Kochava's data practices.
Negotiation Leverage
- →Leverage Points: The FTC lawsuit and class-action settlement significantly weaken Kochava's negotiating position. The company faces reputational pressure and regulatory scrutiny that creates strong incentive to accommodate customer privacy demands. The competitive MMP market (AppsFlyer, Adjust, Singular, Branch) provides credible migration alternatives, giving you walk-away power.
- →Key Questions: (1) Is any data collected through our SDK deployment used for, or contributed to, Kochava's data marketplace operations (Kochava Collective / Collective Data Solutions)? (2) What specific data fields does the SDK collect by default, and which can be disabled without breaking attribution functionality? (3) How has the corporate restructuring into Collective Data Solutions affected data flows from the MMP product? (4) What protections exist after the two-year settlement injunction expires? (5) Can you contractually guarantee that no data from our SDK deployment will be resold or used for purposes beyond our measurement relationship?
- →Contract Protections: Demand explicit contractual prohibition on any secondary use or resale of data collected through your SDK deployment. Require notification if data practices change post-settlement. Include audit rights with third-party verification capability. Negotiate termination clauses tied to adverse regulatory outcomes in the FTC case. Consider requiring data escrow or deletion verification.
IOC Manifest
Indicators of compromise across 2 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
No indicators in this category
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
10 detection signatures across scripts, domains, cookies, and network endpoints