Federal regulators have spent the past two years building enforcement cases against a chain of data brokers that collect precise phone coordinates from ordinary mobile apps and sell them onward, often without meaningful user consent. The Federal Trade Commission has now taken action against at least five companies in this pipeline, including Kochava, InMarket Media, X-Mode Social (now Outlogic), Gravy Analytics and its subsidiary Venntel, and Mobilewalla. Each case follows the same pattern: apps that users install for everyday purposes quietly pass GPS coordinates and advertising identifiers to intermediaries, who then package that data for advertisers, analytics firms, and in some instances government agencies. The trail can link a single phone to a reproductive health clinic, a place of worship, and a home address.
Why background location tracking faces a regulatory reckoning
The FTC’s string of enforcement orders creates a new cost for any app developer that grants background location access to a third-party SDK. The agency alleges that Kochava sold precise location data tied to mobile advertising IDs in a form that could trace individuals to sensitive destinations and back to their residences. A separate proposed order would ban InMarket from selling precise consumer location data, with the FTC citing inadequate disclosure and consent practices inside third-party apps that fed InMarket’s advertising and marketing operations.
These are not abstract policy debates. The data flows at issue let brokers reconstruct daily routines: which doctor’s office a person visited, which house of worship they attended, and where they slept. When the FTC took action against Gravy Analytics and Venntel, the agency specifically noted that the companies tracked health-related locations and places of worship while collecting data without verifiable consent. The practical question for phone owners is whether the apps already on their devices are participating in this supply chain, and whether new enforcement will actually shrink the volume of data reaching brokers.
Both Apple and Google have built permission frameworks meant to limit background location collection. iOS distinguishes between “While Using” and background location access, requiring apps to justify the higher-tier permission. Google Play policy requires developers to disclose why they need background location and subjects those requests to review. Yet the FTC’s cases show that these platform-level gates have not prevented large-scale data harvesting. Apps that clear the permission hurdle can still embed SDKs from brokers like X-Mode or InMarket, turning a weather widget or coupon app into a continuous location beacon without the user understanding the downstream consequences.
FTC orders, state settlements, and the Grindr precedent
The enforcement record now spans federal and state jurisdictions, plus at least one European regulator. The FTC’s case against X-Mode Social alleges the company sold sensitive location data gathered through app integrations. A finalized order against Mobilewalla, announced in January 2025, bans the company from selling sensitive location data and highlights allegations that Mobilewalla failed to verify consent before collecting and reselling coordinates harvested from real-time bidding streams. An FTC staff analysis of the Mobilewalla case explained how data collected during programmatic ad auctions can be retained and repurposed beyond the auction’s original scope, meaning a user’s location can leak through advertising infrastructure even when no single app explicitly shares it.
State enforcers have added their own restrictions. The Massachusetts Attorney General reached a settlement prohibiting geofencing around healthcare facilities, with an Assurance of Discontinuance filed in court. That case targeted the practice of drawing virtual perimeters around clinics and hospitals to serve targeted ads to people inside those boundaries, a technique that effectively infers health status from physical presence.
Outside the United States, the Norwegian Data Protection Authority imposed a fine against Grindr LLC on December 13, 2021, after finding the dating app shared GPS location and advertising IDs with third parties for advertising purposes. The European Data Protection Board’s summary of that decision confirmed that the data shared included a user’s precise GPS coordinates and the fact that they used Grindr, a combination that could expose sexual orientation. That case established an international precedent: sharing app-derived location data with ad-tech partners without valid consent carries direct financial penalties.
Gaps in the evidence and what phone owners should watch next
The FTC’s complaints describe the broker side of the data pipeline in detail but do not publish comprehensive lists of the consumer-facing apps that fed each broker. Kochava, InMarket, X-Mode, and Gravy Analytics each integrated with potentially hundreds of apps through SDKs, yet the public enforcement documents focus on the brokers’ conduct rather than naming every app that participated. That gap matters for consumers trying to audit their own phones: there is no single registry matching a specific weather, navigation, or coupon app to a specific broker relationship.
Apple and Google’s permission documentation explains what controls exist but does not disclose audit results or statistics on how many apps currently hold background location privileges. Without that data, it is difficult to determine whether the FTC’s orders will produce a measurable drop in location data reaching brokers. The enforcement actions also do not require platforms to notify users whose historical location trails may already sit in broker databases, leaving most people unaware that their past movements might be part of datasets marketed for advertising, analytics, or government contracting.
For now, phone owners who want to reduce their exposure have to work with imperfect tools. On both iOS and Android, users can review which apps have location access and downgrade permissions from “Always” or background access to “While Using” or “Only this time.” Turning off system-wide ad identifiers where possible, and avoiding apps that demand location for marginal features such as generic coupons or wallpapers, can limit the number of data streams available to brokers. None of these steps can claw back data that has already been collected, but they can narrow the future footprint.
Regulators, meanwhile, are signaling that they view precise location as inherently sensitive when it reveals visits to health facilities, religious sites, or LGBTQ+ venues. The Kochava and InMarket cases frame the sale of such data as an unfair practice even when companies argue that records are “pseudonymous” or keyed only to advertising IDs. The X-Mode and Mobilewalla matters extend that logic into the ad-tech stack, warning that harvesting coordinates from SDKs or real-time bidding streams without robust consent will draw scrutiny regardless of how many intermediaries sit between the original app and the end buyer.
The next phase of this reckoning will likely turn on transparency and verification. If app stores, mobile operating systems, and ad-tech platforms begin publishing more granular reports about which apps share location with which partners, users and watchdogs could better test whether settlements and orders are changing behavior. Until then, the public record will remain asymmetric: detailed accounts of what brokers did with location data, paired with only partial clues about which everyday apps quietly supplied the raw coordinates in the first place.
*This article was researched with the help of AI, with human editors creating the final content.