The Federal Trade Commission has now taken enforcement action against four separate data brokers for selling precise location data collected from consumers’ mobile phones, turning what was once an invisible advertising practice into a named, regulated violation. The agency banned InMarket from selling consumer location data, finalized restrictions on X-Mode Social and its successor Outlogic, sued Kochava for tracking visits to reproductive health clinics and places of worship, and acted against Mobilewalla for collecting and selling sensitive location records tied to advertising identifiers. Together, these cases expose the core business model behind many free apps: the quiet sale of where people go, when they go there, and how often they return.
Federal enforcers are treating location data as sensitive personal property
For years, the exchange worked like this: a free weather, navigation, or fitness app would embed a third-party software development kit, or SDK, from a data broker. That SDK would collect the phone’s GPS coordinates and pass them to the broker, which would package and resell the data to advertisers, hedge funds, or government contractors. Users rarely understood the chain of custody, often seeing only a vague prompt about improving services or personalizing ads. The FTC’s recent string of enforcement actions signals that regulators now view this data as sensitive personal property rather than neutral advertising fuel.
The FTC’s case against Kochava, filed in August 2022, alleged the company sold data that tracked people at reproductive health clinics, places of worship, and other sensitive locations. That case marked one of the first times the agency explicitly framed commercial location sales as a consumer harm rather than a standard advertising transaction. The Kochava complaint made clear that even so-called anonymized location trails can reveal medical decisions, religious affiliations, and domestic patterns, especially when combined with other datasets that can re-identify individuals.
By calling out specific categories of sites, such as addiction recovery centers or shelters, the complaint also underscored how location data can facilitate discrimination and surveillance. A phone that regularly appears at a dialysis clinic signals a chronic health condition; a device that moves between a particular mosque and a specific workplace can be enough to infer the identity of its owner. The FTC’s theory of harm rests on these inferences: even if names are stripped from the files, the paths themselves are intimate.
A central question is whether these enforcement actions will actually change app-level behavior. One testable hypothesis is that if public naming of data brokers carries real market consequences, the number of new SDK integrations from those brokers should decline within a year of each enforcement announcement. Repeated static analysis of top free apps on U.S. app stores could measure that effect by scanning app binaries for known SDK signatures and tracking changes over time. No such large-scale measurement has been published yet, which means the deterrent value of these cases is still an open question and an area where independent researchers could provide accountability.
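The repeated static scan proposed above can be sketched as follows. This is an added example, not code from the article or from any published study. The signature prefixes and app names are hypothetical placeholders rather than real broker SDK identifiers, and the sample APKs are constructed in memory.

```python
import io
import zipfile

# Hypothetical signature table: SDK label -> DEX type-descriptor prefix.
# Placeholders only; a real study would curate prefixes per SDK release.
SDK_SIGNATURES = {
    "broker-a-sdk": b"Lcom/example/brokera/",
    "broker-b-sdk": b"Lio/example/brokerb/",
}

def scan_apk(apk_bytes):
    """Return the SDK labels whose prefix appears in any classes*.dex entry."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                dex = apk.read(name)
                found |= {s for s, sig in SDK_SIGNATURES.items() if sig in dex}
    return found

def integration_changes(before, after):
    """Per SDK: (apps that added it, apps that dropped it) between two crawls."""
    changes = {}
    for sdk in SDK_SIGNATURES:
        had = {app for app, apk in before.items() if sdk in scan_apk(apk)}
        has = {app for app, apk in after.items() if sdk in scan_apk(apk)}
        changes[sdk] = (sorted(has - had), sorted(had - has))
    return changes

def make_apk(*descriptors):
    """Build a constructed, APK-shaped zip whose classes.dex holds the strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(descriptors))
    return buf.getvalue()

# Constructed snapshots: the same three apps crawled before and after an order.
BEFORE = {
    "weather": make_apk(b"Lcom/example/brokera/Tracker;", b"Lcom/weather/Main;"),
    "fitness": make_apk(b"Lcom/example/brokera/Tracker;", b"Lio/example/brokerb/Loc;"),
    "notes": make_apk(b"Lcom/notes/Main;"),
}
AFTER = {
    "weather": make_apk(b"Lcom/weather/Main;"),
    "fitness": make_apk(b"Lcom/example/brokera/Tracker;", b"Lio/example/brokerb/Loc;"),
    "notes": make_apk(b"Lio/example/brokerb/Loc;"),
}
```

Plain string matching misses SDK classes that a build step has renamed or obfuscated, so counts produced this way are a lower bound on actual integrations.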
Four FTC cases map the data broker supply chain
The FTC’s actions against InMarket, X-Mode/Outlogic, Kochava, and Mobilewalla are not isolated complaints. Read together, they outline the full supply chain that converts a phone’s GPS signal into a product sold to marketing firms, political campaigns, and other buyers. Each case targets a different link in that chain, from SDK operators to data aggregators.
The order against InMarket addressed a company that collected geolocation through its own apps and through SDKs embedded in other developers’ apps. The order prohibits InMarket from selling or licensing precise location data and requires the company to implement a comprehensive privacy program to ensure consumer data is handled in compliance with the restrictions. InMarket is also required to delete or de-identify certain previously collected data, signaling that the FTC is willing not only to shape future practices but also to roll back past stockpiles of sensitive information.
The X-Mode case followed a similar pattern but emphasized the risks of third-party code embedded across the mobile ecosystem. X-Mode Social collected location data through its SDK, which was integrated into hundreds of third-party apps, many of which had little to do with location-based services. The FTC finalized its order against X-Mode and Outlogic earlier this year, prohibiting the companies from sharing or selling sensitive location data and requiring them to implement safeguards around any remaining data flows. The finalized order confirmed the Commission’s position that location data tied to sensitive sites, such as health care providers and religious institutions, deserves heightened protection and cannot be treated as just another advertising segment.
The most recent action targeted Mobilewalla, a firm that built detailed audience segments by combining mobile location information with other data sources. The FTC alleged that Mobilewalla collected and sold sensitive location data linked to advertising identifiers, building consumer profiles that could reveal visits to health care providers, houses of worship, and similar locations. That action against Mobilewalla extended the agency’s enforcement pattern into late 2024, showing that the crackdown is accelerating rather than winding down and that the Commission is looking beyond a single high-profile defendant.
Taken together, the four cases map how location data moves from individual devices to commercial buyers. App developers integrate an SDK to monetize their user base; the SDK operator harvests coordinates and device identifiers; the data broker aggregates those signals into movement profiles; and downstream clients purchase access to those profiles for targeted advertising, analytics, or other uses. Each enforcement action clips a different part of that pipeline, suggesting the FTC is trying to reshape the economics of location tracking rather than simply penalize one bad actor.
Research and health regulators echo the alarm
Peer-reviewed research supports the FTC’s findings about how deeply SDKs penetrate free apps. A study in Big Data and Society examined pervasive SDK-based tracking in mobile apps, documenting how third-party code modules operate as data collection pipelines that app users never directly interact with. The authors found that many apps bundled multiple trackers, making it difficult for consumers to understand which entities received their data or how it might be combined and resold.
A separate survey in the International Journal of Information Security mapped information flows in mobile advertising, detailing how third-party tracking and data exchange move user data from apps to brokers to buyers. That work highlighted the opacity of contractual relationships, where a single SDK integration can open the door to dozens of downstream partners. Both studies bolster the FTC’s argument that individual consent screens are insufficient when the underlying ecosystem is so complex and interconnected.
The U.S. Department of Health and Human Services has also acknowledged the problem from a health privacy perspective. In post-Dobbs guidance, HHS warned that location data linked to visits to reproductive health clinics could expose patients to legal and social risks and urged providers to limit the use of tracking technologies on patient-facing websites and apps. While the guidance focuses on entities covered by health privacy law, it implicitly recognizes that commercial data brokers can assemble detailed maps of who seeks which kinds of care, and when.
What comes next for apps and consumers
For app developers, the message from these enforcement actions is that “free” cannot mean unlimited collection and sale of precise location trails, especially when they reveal visits to sensitive places. Developers that rely on third-party SDKs will need to scrutinize their partners’ data practices, revise contracts, and in some cases remove modules that are no longer tenable under the FTC’s evolving standards.
For consumers, the practical steps remain limited but not meaningless. Turning off system-level ad identifiers, restricting location permissions to “while in use,” and uninstalling apps that do not clearly justify their need for location access can reduce exposure. However, the FTC’s cases underscore that individual settings alone cannot fix a structural problem built into the business model of the mobile economy. That is why regulators are now targeting the brokers themselves, redefining the sale of precise location data as a sensitive practice that demands strict limits rather than quiet acceptance.
*This article was researched with the help of AI, with human editors creating the final content.