Kochava is a US-based mobile measurement partner (MMP) used by app publishers to attribute installs, track campaign performance, and route conversion postbacks to ad networks. It processes device identifiers (IDFA, GAID), IP, install timestamps and post-install events. European app developers face significant compliance hurdles: GDPR consent, Apple ATT, the 2022 FTC complaint against Kochava for geolocation data sale, and the cross-border transfer to the United States.
Kochava is an established mobile measurement partner (MMP) competing with AppsFlyer, Adjust and Branch. It provides SDKs for iOS, Android, web, CTV and server-to-server APIs to attribute app installs and post-install events to specific ad campaigns, partners and creatives.
Kochava processes IDFA (iOS), GAID (Android), device model, OS, IP, language, app version, install/open timestamps, in-app events, purchases and (if enabled) geolocation. Postbacks to media partners include user identifiers needed for attribution. The web SDK additionally sets first-party cookies.
Advertising identifiers are personal data under GDPR. Their collection requires consent under Art. 6(1)(a) and Art. 5(3) ePrivacy. On iOS, the Apple ATT prompt is an additional gate; without ATT permission Kochava receives a zeroed IDFA. On Android, Google's UMP framework is the recommended consent mechanism. Implement consent before initialising the Kochava SDK and pass the user's decision to the SDK via setIntelligentConsent.
In August 2022 the US FTC filed suit against Kochava over alleged sale of precise geolocation data tied to mobile advertising IDs, claiming it could be used to identify visits to sensitive locations (medical clinics, places of worship, shelters). European DPAs have referenced this case when evaluating MMP risk. Disable Kochava's data marketplace / audience export features when operating in the EU unless you have a documented Art. 9 GDPR basis.
Kochava processes data in the US. Transfers are covered by the 2021 SCCs and the DPF (where applicable). Run a Transfer Impact Assessment, especially given the FTC case. Document downstream media partner postbacks separately.
1. Sign Kochava DPA.
2. Implement ATT/UMP and a GDPR CMP.
3. Disable data marketplace features.
4. Run a DPIA covering identifiers, geolocation and partner postbacks.
5. Document all media partner integrations.
6. Disclose Kochava in app store privacy nutrition labels.
Websites using Kochava must obtain user consent under GDPR regulations.
DPIA considerations
Kochava processes mobile advertising identifiers (IDFA, GAID), device fingerprint, IP, install and post-install events, in-app purchase data, geolocation if the SDK is configured to collect it, and partner-shared user identifiers. Key DPIA considerations: (1) advertising IDs are personal data and require explicit consent in the EU; (2) Apple ATT and Google UMP add a layer of platform-level consent on top of GDPR; (3) the FTC sued Kochava in 2022 for allegedly selling sensitive geolocation data, which heightens scrutiny; (4) US transfer triggers Chapter V; (5) post-install event attribution often combines several personal data flows from media partners. A full DPIA is essential, plus a documented decision on whether to enable Kochava's data marketplace features.
Sample consent text
With your consent, we use Kochava to measure the effectiveness of our advertising campaigns. Kochava processes your device advertising identifier (IDFA on iOS, GAID on Android), IP, and app event data on its servers in the United States. You can refuse this processing during the App Tracking Transparency prompt (iOS) or via our in-app privacy settings.
Third-party domains contacted
kochava.com
control.kochava.com
click.kochava.com
imp.control.kochava.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| koc_uid | Marketing / Advertising | 1 year | Persistent visitor identifier set by the Kochava web SDK to attribute web installs and conversions. |
| koc_session | Functional | Session | Session identifier used to group events from the same browsing session. |
| koc_consent | Strictly necessary | 1 year | Stores the visitor's consent decision for Kochava tracking. |
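
One way to verify the consent gating on a web property is to replay a recorded browser trace and flag any contact with the domains above, or any consent-gated cookie from the table, that occurs while consent is not in force. This is an added example, not code from Kochava or from this page; the trace format, function names and sample URLs are assumptions made for illustration.

```javascript
// Constructed audit helper; the domain and cookie names come from the lists on this page.
const KOCHAVA_DOMAIN = "kochava.com";
// koc_consent is listed as strictly necessary, so it is not gated here.
const CONSENT_GATED_COOKIES = new Set(["koc_uid", "koc_session"]);

// True for kochava.com and its subdomains, false for look-alikes such as notkochava.com.
function isKochavaHost(host) {
  const h = String(host).toLowerCase().replace(/\.$/, "");
  return h === KOCHAVA_DOMAIN || h.endsWith("." + KOCHAVA_DOMAIN);
}

// events: chronological list of (hypothetical trace format)
//   { type: "consent", granted } | { type: "request", url } | { type: "cookie", name }
function auditConsentGating(events) {
  let granted = false; // no consent until the user grants it
  const findings = [];
  events.forEach((ev, index) => {
    if (ev.type === "consent") {
      granted = ev.granted === true; // a later refusal withdraws consent
    } else if (!granted && ev.type === "request") {
      let host;
      try { host = new URL(ev.url).hostname; } catch { return; } // skip unparsable URLs
      if (isKochavaHost(host)) findings.push({ index, kind: "request", detail: host });
    } else if (!granted && ev.type === "cookie" && CONSENT_GATED_COOKIES.has(ev.name)) {
      findings.push({ index, kind: "cookie", detail: ev.name });
    }
  });
  return findings;
}

// Constructed sample trace (not captured from a real site; URL paths are made up).
const sampleTrace = [
  { type: "request", url: "https://example.test/app.js" },
  { type: "request", url: "https://control.kochava.com/track" }, // before consent: finding
  { type: "cookie", name: "koc_consent" },                        // strictly necessary: allowed
  { type: "cookie", name: "koc_uid" },                            // before consent: finding
  { type: "request", url: "https://notkochava.com/pixel" },       // look-alike host: ignored
  { type: "consent", granted: true },
  { type: "request", url: "https://click.kochava.com/c" },        // after consent: allowed
  { type: "consent", granted: false },                            // consent withdrawn
  { type: "cookie", name: "koc_session" },                        // after withdrawal: finding
];

console.log(auditConsentGating(sampleTrace));
```

The same trace can be produced from a HAR export or a headless-browser run by mapping network entries and `Set-Cookie` observations to these event objects.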
Mobile: IDFA (iOS), GAID (Android), device fingerprint, IP. Web SDK: koc_uid (visitor ID), koc_session. All non-essential, all require consent.
Yes. GDPR consent for advertising identifier collection plus Apple ATT (iOS) or Google UMP (Android). The SDK must be initialised only after consent is granted.
Consent (Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy) for advertising identifiers and behavioural attribution. Without consent, fall back to deterministic but non-personal attribution.
Yes. Kochava processes all data in the US. SCCs and DPF cover the transfer. Run a TIA. Document the 2022 FTC lawsuit context in your risk assessment.
Yes. Mobile attribution combines advertising IDs, behavioural events, US transfer and (potentially) geolocation, satisfying multiple Art. 35(3) GDPR criteria.
Sign the DPA, integrate a CMP and ATT/UMP, disable data marketplace, document all partner postbacks, run a DPIA, retain proof of consent for the relevant period.
EU-friendly mobile attribution: Adjust (Germany, EU hosting available), Singular (US, EU options), AppsFlyer (Israel, EU options). Self-attribution via Apple SKAdNetwork or Google Privacy Sandbox can reduce personal data flows.
In your privacy notice, identify Kochava as a processor and (for marketplace features) controller; list IDFA/GAID, IP, events; disclose US transfer; document FTC litigation context. In app store privacy nutrition labels, declare device IDs and usage data collection linked to user.