The Federal Trade Commission has now taken enforcement action against four separate location-data brokers since 2022, each time alleging that precise GPS coordinates harvested from ordinary smartphone apps ended up packaged and sold to third parties. Those cases reveal a supply chain that starts with a single permission tap on a phone screen and ends with timestamped records of visits to medical clinics, houses of worship, and domestic violence shelters. For anyone who has not checked which apps hold location access on their phone, the exposed pattern offers a concrete reason to do it today.
FTC enforcement actions that explain why permission audits matter now
The chain of regulatory cases makes the risk specific rather than theoretical. The FTC filed its complaint against Kochava, Inc. on August 29, 2022, alleging the company sold precise, timestamped geolocation data tied to mobile advertising IDs. In the agency’s description of its case against the Idaho-based broker, those identifiers could be used to trace individual device owners to sensitive locations. The advertising IDs that made this possible are the same identifiers apps receive when a user grants location permission.
Kochava was not the last target. In April 2024, the FTC finalized an order against X-Mode and its successor Outlogic, prohibiting both from sharing or selling sensitive location data and requiring them to implement safeguards against misuse. A separate proceeding against InMarket Media, LLC opened on January 18, 2024, adding another broker to the enforcement record and underscoring that the practice is not confined to a single company.
Then in December 2024, the FTC announced action against Mobilewalla for collecting and selling sensitive location data and for creating audience segments based on sensitive characteristics inferred from that data. According to the agency’s press release on the Mobilewalla case, the company allegedly used location histories to categorize people by visits to places such as medical facilities and religious institutions, and then sold those segments to commercial clients.
Each of these cases traces the same path: an app collects location coordinates, a broker aggregates and sells them, and the buyer can reconstruct where specific devices, and by extension specific people, have been. The permission toggle on a phone is the first gate in that pipeline. When a weather widget or flashlight app holds background location access, it can feed coordinates into the same commercial ecosystem the FTC has repeatedly challenged.
The hypothesis that visible enforcement will prompt a measurable drop in background-location grants is plausible but unproven. Neither Google nor Apple publishes aggregate statistics on how many installed apps request location versus how many users deny the request. No public dataset tracks whether FTC press releases change user behavior at scale. What the enforcement record does establish is that the downstream consequences of granting location access are documented and real, which shifts the question from “could my data be misused?” to “has data like mine already been sold?”
Android and iOS controls that block the data pipeline
Both major mobile platforms already offer the tools the enforcement stories implicitly recommend. On Android, users can choose between approximate and precise access on a per-app basis, so a person can allow a weather app to know the general metro area without handing over exact GPS coordinates. Google’s own support pages explain how to manage location permissions for individual apps, including the option to grant access only while an app is in use. Android’s Privacy Dashboard shows which apps accessed location and when, giving users a timestamped audit trail that mirrors the kind of records the FTC cited in its broker complaints.
On iPhones, Location Services includes a time-bounded “Allow Once” option that grants access for a single session and then revokes it automatically, according to Apple’s support documentation. Users can also downgrade any app from “Always” to “While Using” or deny access entirely through Settings at any time. The system periodically surfaces prompts reminding users that an app has been using location in the background, which creates a natural moment to reconsider whether that access is still warranted.
Google Play policy adds a layer on the developer side. Apps that request background location access must provide a user-facing justification and a prominent disclosure explaining why the feature needs persistent tracking. This requirement treats background location as a high-risk permission category, signaling that even platform operators view always-on location grants as an exception rather than a default. Developers that cannot demonstrate a clear need for continuous tracking are expected to limit themselves to foreground or approximate access.
For users, the practical step is straightforward. Open the permission manager on either platform, scroll to the location category, and review each app listed. Any app that does not need real-time positioning to deliver its core function-note-taking tools, calculators, many social media clients-can safely lose location access without breaking. Navigation apps, ride-hailing services, and local mapping tools may genuinely need precise access while in use, but very few need continuous tracking when the screen is off.
This kind of audit takes a few minutes and directly cuts the supply of coordinates that could otherwise flow to brokers. Even if a particular app never shares data beyond its own servers, revoking unnecessary access reduces the number of entities that could ever see a person’s movements, whether through commercial arrangements or future security incidents.
Gaps in the evidence and what to watch next
Several important questions remain open. The FTC complaints do not name the specific consumer-facing apps whose location data reached Kochava, Mobilewalla, X-Mode, or InMarket. That gap means users cannot simply uninstall a short list of known offenders; they have to treat every app with unnecessary location access as a potential source. It also leaves responsible developers without a clear picture of which data flows regulators now consider unacceptable.
No primary case document includes user-level data showing how often people actually open permission managers after hearing about enforcement actions. The stage-one hypothesis-that periodic audits prompted by FTC visibility will produce a measurable drop in background-location grants-remains an inference rather than a measured effect. Without telemetry from the platforms or independent longitudinal studies, there is no way to quantify whether news about broker cases changes behavior beyond a small group of privacy-conscious users.
Another unknown is how brokers will adapt. Existing complaints focus on precise GPS trails and segments built around clearly sensitive places and characteristics. Companies in the same ecosystem may respond by leaning more heavily on coarser signals, probabilistic inferences, or on-device processing that keeps raw coordinates away from centralized servers. Those shifts could reduce some risks while making it harder for regulators and researchers to trace how data flows.
In the meantime, the most reliable lever available to individuals is still the one on their own devices. Every app that loses unneeded access is one less potential input into the datasets described in the FTC’s actions. That does not solve the structural issues around data brokers, but it does narrow the funnel of information leaving each phone.
The enforcement record from 2022 onward shows that location histories are not an abstract privacy concern; they are a commercial product regulators now treat as sensitive. Until there is more transparency about which apps feed that product and how often people opt out, the safest assumption is that any unused permission is worth revisiting. A short audit of location settings will not erase data already collected, yet it can prevent tomorrow’s movements from joining the next broker dataset-and that is a concrete, immediate change within reach of anyone holding a smartphone.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
