Millions of smartphone users assume that closing an app stops it from watching where they go. Federal regulators have shown that assumption is wrong. In January 2024, the Federal Trade Commission moved to ban a data company called InMarket from selling precise consumer location data collected through its apps, CheckPoints and ListEase. A separate FTC enforcement action targeting data broker Gravy Analytics reinforces the same concern: apps and their embedded software partners can keep harvesting location signals even after a user swipes them shut. The gap between what people expect and what actually happens on their phones has drawn sustained federal attention, and the evidence points to a supply chain most users never see.
Why persistent location tracking matters right now
The core problem is not simply that apps ask for location access. Most users grant that permission at least once, often during setup. The real tension is what happens next. According to the FTC’s enforcement action, InMarket collected and used precise geolocation data to build consumer profiles and serve targeted advertising, even when users believed they had limited or revoked tracking. The agency found that the company failed to obtain proper consent and did not honor the choices people made on their devices. That pattern turned routine apps into silent data pipelines.
The FTC’s complaint against InMarket described how the company’s software development kits, or SDKs, sat inside its own apps and continued gathering location signals in the background. SDKs are bundles of code that third-party companies embed inside apps to collect data, serve ads, or perform analytics. Because these kits run as part of the host app’s process, they can request and receive location updates even when the app is not actively on screen. This is the mechanism that makes post-closure tracking possible: the app publisher may not have written the tracking code, but the data broker’s SDK does the work from inside the app’s own permissions.
That distinction matters because it shifts accountability. An individual app developer may not fully understand or disclose what an embedded SDK is doing with location data. The data broker, meanwhile, aggregates signals from many apps to build detailed movement profiles. The FTC’s actions against both InMarket and Gravy Analytics suggest regulators see the SDK supply chain, not just the visible app, as the primary engine of unauthorized tracking.
FTC enforcement actions against InMarket and Gravy Analytics
The strongest public evidence comes directly from two FTC proceedings. In the InMarket case, the agency issued an order that will ban the company from selling precise consumer location data. The FTC stated that this type of data can reveal sensitive details about people’s lives, including visits to medical clinics, places of worship, and domestic violence shelters. The order requires InMarket to delete previously collected location data and to establish a program for obtaining informed consent before any future collection.
The second action targets Gravy Analytics, a data broker whose FTC docket outlines allegations and settlement terms. The FTC’s case hub for Gravy Analytics links to formal complaint and order materials and establishes that the agency has pursued multiple recent actions focused on the unlawful sale of sensitive location data sourced from the mobile app ecosystem. Gravy Analytics operated as a collector and reseller of location intelligence, purchasing raw signals from apps and SDKs and packaging them for advertisers, hedge funds, and government contractors.
Together, these two cases outline a business model. Data brokers supply SDKs to app publishers, sometimes offering revenue-sharing deals or free analytics tools in return for access to users’ location streams. The apps serve as collection points. The brokers aggregate, enrich, and resell the data. Users, meanwhile, see only the app’s name and icon on their phone and have no visibility into the SDK layer underneath.
The FTC’s orders also reveal how long-running this ecosystem can be. Location data is most valuable when it accumulates over time, allowing brokers to infer patterns such as a person’s home, workplace, and routine stops. That means SDKs embedded years ago may have been quietly sending updates long after users forgot they had installed a particular app. Even if a person rarely opened the app, the background permissions could keep the data flowing.
What the FTC record does not yet answer
The headline promise of seven specific apps that track users after closure runs into an evidence gap. The FTC’s primary materials name only two apps directly tied to the InMarket order: CheckPoints and ListEase. No public FTC document currently lists additional apps by name in connection with these proceedings. The Gravy Analytics case references the broader app ecosystem as a data source, but the formal complaint and order materials available through the FTC’s case hub do not enumerate individual apps feeding data to the broker.
That gap matters for anyone trying to audit their own phone. Without a public list of every app carrying a location-harvesting SDK, users cannot simply check a roster and uninstall offenders. The SDK model means that any free app offering location-based features, from weather widgets to coupon finders to prayer-time reminders, could theoretically carry embedded code that forwards location data to a third party. The FTC’s orders address the broker side of the equation, but they do not yet produce a consumer-facing directory of affected apps.
A second open question involves enforcement timing. The InMarket order was announced in January 2024, and the Gravy Analytics proceeding is documented in the FTC’s legal library, but neither case has produced a final public accounting of how much data was collected, how many users were affected, or whether the ordered deletions have been completed and verified. Regulators have signaled clear intent, but the practical cleanup remains in progress.
There is also no definitive technical explanation, in the public record, of precisely how each app handled background permissions on different mobile operating systems. Platform-level privacy controls have changed over the years, and the FTC’s documents focus on legal obligations rather than step-by-step engineering details. For consumers, that means the enforcement files confirm that improper tracking occurred, but they do not double as a how-to guide for spotting every risky app.
How users can respond without a complete app list
In the absence of a definitive roster of offending apps, users have to rely on general defenses. The most direct step is to review location permissions on each device and restrict access to apps that genuinely need it to function. Many operating systems now allow “only while using the app” or similar options, which can reduce the opportunity for background collection. Deleting apps that are rarely used, especially those that request continuous location access, further limits the surface area for SDK-based tracking.
Users can also pay closer attention to the business model behind the apps they install. Services that are free to download but heavily ad-supported may have stronger incentives to partner with data brokers. Reading privacy policies and in-app disclosures is imperfect, but it can reveal whether an app shares data with unnamed “partners” or “service providers” in ways that go beyond delivering the core service.
Ultimately, the FTC’s actions against InMarket and Gravy Analytics highlight a structural imbalance. Consumers interact with icons and settings screens; brokers operate through contracts and code layers that are largely invisible. Until regulators or platforms force more transparency about which SDKs sit inside which apps, users will be left managing risk in broad strokes rather than making fully informed, app-by-app choices.
The recent enforcement record does, however, send a clear signal to the industry. Companies that treat precise location as a commodity, detached from the people who generate it, now face a higher likelihood of regulatory scrutiny. Whether that pressure leads to cleaner data practices or simply more careful legal drafting will determine how much control smartphone owners truly gain over where their movements are recorded, stored, and sold.
*This article was researched with the help of AI, with human editors creating the final content.