Federal regulators have taken direct aim at companies that collect and sell the location data of mobile phone users, often without those users knowing their movements are still being recorded after they close an app. The Federal Trade Commission finalized an order against data broker X-Mode Social and its successor Outlogic, barring them from sharing or selling sensitive location data. In a separate action, the FTC charged Mobilewalla with collecting and selling sensitive location data without reasonable steps to verify consumer consent. Together, these cases expose a supply chain in which apps, advertising technology, and data brokers work in concert to turn background location access into a tradeable commodity.
Why background location tracking is drawing federal enforcement
The core problem is not that apps ask for location access. It is what happens to that data once it leaves the device. Many popular apps request location permissions for features like weather, navigation, or local search. But embedded advertising software development kits, or SDKs, can continue pulling location signals even after a user swipes an app closed. That data then flows through real-time advertising auctions and into the hands of brokers who package and resell it.
The FTC’s enforcement actions reveal how this pipeline works in practice. X-Mode Social collected precise location data from apps and sold it onward, including information that could reveal visits to medical clinics, places of worship, and domestic violence shelters. In its January action, the agency concluded that the commercial trafficking of sensitive coordinates can be unlawful under the FTC Act’s unfairness standard. That legal finding set a precedent: collecting location data is not inherently illegal, but selling it in ways that expose people to serious harm crosses a line.
The hypothesis that apps embedding multiple ad-tech SDKs show higher rates of continued location access after force-close aligns with the mechanics described in these cases. Apps using only first-party location calls for their own features have no incentive to keep pinging GPS coordinates once closed. Apps bundling third-party advertising code, by contrast, may allow those SDKs to maintain background access or harvest location from the advertising bid stream itself. The FTC’s case against Mobilewalla illustrates this second path: the company obtained location data not just from apps directly but from online advertising auctions, a method that sidesteps traditional app-level permission prompts entirely.
FTC orders against X-Mode and Mobilewalla spell out the risks
The finalized order against X-Mode Social and Outlogic, filed under administrative docket 2123038, prohibits the companies from sharing or selling sensitive location data. The FTC defined sensitive locations to include clinics providing reproductive health services, places of worship, and shelters for survivors of domestic violence. The order also requires the companies to delete previously collected sensitive data, to refrain from using it for advertising or analytics, and to implement a comprehensive privacy program to ensure future compliance.
Those restrictions go beyond simple notice-and-consent requirements. By banning the sale of certain categories of information outright, the order signals that some uses of location data are too dangerous to be justified by boilerplate disclosures. It also obligates X-Mode and Outlogic to obtain affirmative express consent before collecting any precise location data at all, tightening the standard for how consent must be obtained and documented.
The Mobilewalla case adds another dimension. The FTC alleged that Mobilewalla sold sensitive location data without taking reasonable steps to confirm that the people whose data it handled had actually consented, and without adequately screening out visits to highly sensitive locations. The agency’s action also imposes limits on harvesting data from ad auctions, a channel that many consumers do not even know exists. When a phone loads an ad, the device’s approximate location and identifier can be broadcast to dozens of bidders in milliseconds. Brokers like Mobilewalla captured that auction data and turned it into location profiles, effectively tracking people through a system designed to sell ads.
For ordinary phone users, the practical consequence is stark. A person who carefully limits which apps can access their location may still have their movements logged through the advertising bid stream. The FTC’s position is that this practice is unfair because consumers cannot reasonably avoid it, they are not meaningfully informed about it, and the potential for harm, including physical danger for people visiting shelters or clinics, is severe.
What phone users still cannot control about location data
These enforcement actions answer some questions but leave others open. The FTC’s orders target specific companies, but the broader ecosystem of data brokers and SDK providers remains vast. Neither case names the specific apps whose SDKs fed location data to X-Mode or Mobilewalla, which means users cannot simply delete a short list of apps and consider the problem solved. The underlying SDK code is often invisible to the person downloading an app, buried in developer agreements and privacy policies that most consumers never see or cannot reasonably parse.
Technical details about which SDKs maintain background location access after an app is closed are also absent from the public record in these cases. Independent security researchers have documented this behavior in weather apps, prayer apps, coupon apps, and navigation tools, but the FTC complaints focus on the data brokers rather than the app developers who integrated their code. That gap matters because it leaves the first link in the chain, the app itself, largely unaccountable in these proceedings, even though it is the app that requests permissions and embeds third-party libraries.
The advertising auction channel presents an even harder problem for individual users. Disabling location permissions for specific apps does not necessarily stop data from flowing through the ad-bidding process, because that process can infer rough location from IP addresses, Wi‑Fi networks, or other signals. Even users who disable system-level location services may still be exposed to coarse tracking that is sufficient to identify visits to sensitive places over time.
Moreover, once location data enters a broker’s systems, consumers typically have little visibility into where it goes next. Data may be shared with downstream partners, combined with other datasets, and retained for years. Opt-out tools, where they exist, are often fragmented and difficult to use. The FTC’s orders require X-Mode, Outlogic, and Mobilewalla to delete certain information and to honor more robust consent standards, but they do not automatically extend those obligations to every other company in the location data market.
What regulators’ actions mean for the future of location privacy
The X-Mode and Mobilewalla cases mark a shift in how U.S. regulators frame location privacy. Rather than focusing solely on deceptive disclosures, the FTC is using its unfairness authority to say that some data practices are inherently too risky, regardless of what a privacy policy claims. That approach opens the door to broader rules around sensitive inferences, such as identifying a person’s religious practices or health status based on where they go.
For the ad-tech industry, the message is that background collection and auction-based sourcing of precise location data now carry significant legal risk, particularly when they touch sensitive locations or lack verifiable consent. Companies that rely on SDKs or bid-stream data will need to scrutinize their supply chains, limit what they collect, and build mechanisms to filter out high-risk categories.
For consumers, the immediate protections are narrower but still meaningful. People whose movements were captured by X-Mode or Mobilewalla should see less risk that their past visits to clinics, shelters, or houses of worship will be repackaged and resold. Over time, if more cases follow this model, the market for highly precise, individually linked location trails could shrink, even if it does not disappear entirely.
The unresolved question is whether case-by-case enforcement can keep pace with a complex, opaque ecosystem. As long as advertising auctions and SDKs remain central to how mobile apps make money, the incentives to collect and monetize location data will persist. The FTC’s recent actions show that there are legal limits to that business model, but they also highlight how much of location tracking still operates beyond the practical control of the people carrying the phones.
*This article was researched with the help of AI, with human editors creating the final content.