The Federal Trade Commission’s December 2024 crackdown on three major data brokers exposed how location data from roughly 1,100 mobile apps quietly flowed into a surveillance market built on seniors’ phones. In coordinated actions against Gravy Analytics, its subsidiary Venntel, and Mobilewalla, the agency accused the companies of collecting and selling sensitive location data without meaningful consent and ordered sweeping bans on using or selling that information, along with strict deletion and notice requirements. The cases reveal how a seemingly harmless app on an older adult’s phone can become a tracking device whose data is packaged, auctioned, and resold.
How Location Data Brokers Operate Through Apps
The FTC’s complaints describe a system in which location data brokers plug directly into the mobile app economy using software development kits, or SDKs, that app makers embed in their code. In the case of InMarket, the agency said the company distributed an SDK into third-party apps that harvested precise location data and fed it into real-time bidding, or RTB, systems that auction off ad impressions in milliseconds. According to the Official FTC description of that case, InMarket retained certain location data for up to 100 days and used it for targeted advertising, even when consumers did not have clear, informed notice of how their movements would be tracked or monetized.
The same RTB plumbing sat at the center of the allegations against Gravy Analytics and Venntel. The Canonical FTC case hub for Gravy and Venntel explains that the companies obtained precise location data from bid requests and other app-integrated sources, then transformed those pings into products that could reveal where people live, work, worship, or seek medical care. Reporting based on a hacked dataset linked to Gravy Analytics found that this RTB-driven collection touched thousands of apps, including high-profile services like fitness trackers and navigation tools, and that many developers and users had no idea their software was feeding a commercial tracking apparatus. One investigation of the Gravy Analytics dataset detailed how the company’s identifiers tied app activity to individual devices at massive scale.
The Focus on Seniors and Sensitive Locations
The Official FTC overview of the Gravy and Venntel settlement states that the companies tracked people to a wide range of what the agency calls “sensitive locations,” including medical facilities, religious organizations, domestic violence and homeless shelters, and military installations. In that order, the FTC said the firms could not use, sell, or share location data that revealed visits to these categories and had to delete previously collected records that could be linked to such places. The agency framed this as a response to the particular risk that location trails from phones can expose health conditions, religious observance, or contact with shelters and other services that people reasonably expect to keep private, especially when they have never knowingly agreed to such tracking.
Seniors sit at the intersection of those risks. Many older adults rely on health and wellness apps to monitor exercise, medications, or chronic conditions, and they increasingly use navigation and finance apps that can reveal trips to pharmacies, clinics, banks, or elder-care facilities. A report on the location-data market for older users found that about 1,100 apps used by seniors were implicated in the RTB ecosystem that fed companies like Gravy and Mobilewalla, with some of the most popular titles being fitness trackers and budget tools that looked harmless on their face. That analysis, cited by Gadget Review, concluded that seniors’ movements were quietly packaged into datasets and sold onward without clear consent or understanding.
FTC’s Enforcement Actions and Remedies
In December, the FTC announced parallel settlements with Gravy Analytics, Venntel, and Mobilewalla that it presented as a turning point in its campaign against the commercial trade in sensitive location data. The Official FTC press release on Gravy and Venntel says the companies are now banned from selling or using any location data that can reveal visits to sensitive locations and must delete previously collected datasets that identify consumers. The Canonical FTC case materials further explain that Gravy and Venntel must notify their business customers about the order and the limits it imposes, a requirement that is expected to ripple through the ad-tech firms, analytics providers, and government contractors that relied on their feeds.
The Official FTC summary of the Mobilewalla matter describes a similar but distinct set of alleged violations and remedies. According to the agency, Mobilewalla collected location data through RTB bid requests, retained that data, and sold raw feeds and audience segments built around sensitive characteristics, such as visits to medical facilities or religious institutions. In its press release on Mobilewalla, the FTC said the company is now prohibited from retaining bid-request data for RTB, from selling or licensing precise location data tied to sensitive places, and from building or selling sensitive audience segments. FTC Chair Lina Khan, quoted in that release, warned that trading in such granular location trails can expose people to discrimination and other harms, and she framed the settlement as a signal that the agency will not tolerate the unconsented surveillance of consumers’ movements.
The 1,100 Apps Implicated
The figure of roughly 1,100 apps tied to seniors’ location data comes from an analysis of how Gravy Analytics and related brokers tapped into the RTB ecosystem. Gadget Review reported that about 1,100 mobile apps popular with older adults were caught feeding location data into systems that ultimately supplied companies like Gravy, Venntel, and Mobilewalla. Many of these apps fell into categories that seniors use heavily, including health and fitness trackers, coupon and shopping tools, weather services, and personal finance apps. Because the data flowed through RTB bid requests and embedded SDKs, users often had no direct relationship with the brokers receiving their coordinates, and the permissions prompts they saw rarely spelled out that their movements could be sold.
Major accountability reporting on the Gravy Analytics leak showed how a single dataset could link back to thousands of apps that participated in RTB auctions, even if only a subset were heavily used by seniors. That reporting described high-profile examples, including popular fitness and navigation apps, whose code contained advertising or analytics SDKs that transmitted location data to ad exchanges where Gravy was listening. Developers interviewed for that coverage said they were unaware that their use of standard ad-tech tools could route users’ location data to a broker that then repackaged it into products for marketers or government clients. For seniors who had installed those apps to count steps or find the nearest pharmacy, the presence of such SDKs effectively turned their phones into tracking beacons.
Broader Privacy Implications and What Changed
The December actions against Gravy, Venntel, and Mobilewalla came after a year in which the FTC steadily tightened its approach to location data brokers. Earlier in the year, the agency finalized an order against X-Mode Social and its successor Outlogic that, according to an Official FTC release, prohibits the company from sharing or selling sensitive location data and requires deletion or destruction of certain datasets. That order also obliges X-Mode and Outlogic to conduct supplier assessments to ensure that third parties providing them with data obtained it lawfully and with appropriate consent. By the time the FTC announced its December settlements, it had already built a template that combined bans on sensitive-location tracking with structural obligations to clean up existing data and police the supply chain.
Privacy advocates see particular stakes for seniors in this shift. When a broker can infer that an older adult visits a cardiology clinic, a memory-care center, or a debt-relief office, that information may feed into targeted advertising, profiling, or even fraud attempts that exploit health or financial stress. The Verge’s coverage of the December crackdown noted that the FTC orders against Gravy, Venntel and Mobilewalla collectively ban the sale of sensitive location data and require the companies to implement safeguards that limit how other firms can use any non-sensitive data they still handle. For older adults, this could mean fewer invisible trackers inside the apps they rely on and more leverage to push companies for clear disclosures about what happens to their movements.
What Remains Uncertain and Next Steps
Despite the sweeping language of the new orders, several gaps remain. The FTC’s actions target data brokers, not the thousands of app developers whose software supplied the raw coordinates, and the agency has not yet announced parallel enforcement against specific app makers tied to the 1,100 senior-focused apps identified by Gadget Review. The Canonical FTC materials on Gravy and Venntel refer broadly to consumers affected by the firms’ practices but do not break out how many were older adults or which specific apps were most responsible for feeding seniors’ data into RTB. That leaves seniors and their families with limited visibility into whether the apps they use every day were part of the problem or whether those apps have since removed the SDKs and tracking tools at the heart of the cases.
The FTC has tried to fill some of that gap with public guidance that urges consumers to review app permissions, limit location sharing to services that genuinely need it, and periodically delete apps that no longer serve a clear purpose. Reporting on the InMarket case shows how an Official FTC order can force a broker to stop selling precise location data and to shorten retention periods, but it also illustrates how much power remains in the hands of app developers who choose which SDKs to include. Until there is more transparency around those choices and stronger baseline privacy rules, seniors will continue to depend on piecemeal protections from enforcement actions that arrive only after their data has already been collected, shared, and in some cases sold.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
