Smartphone users who leave app permissions set to “always” are feeding a steady stream of location coordinates to data brokers, some of which the Federal Trade Commission has already moved to shut down. The FTC barred X-Mode Social and its successor Outlogic from selling sensitive location data, and separately took action against Gravy Analytics and Venntel for tracking consumers near medical facilities, places of worship, and other protected sites. Switching every app to “while using” on both iPhones and Android devices cuts off the background data pipeline that made those broker operations possible in the first place.
FTC enforcement actions expose the cost of background tracking
The commercial value of always-on location data became clear through two distinct federal enforcement cases. The FTC issued an order prohibiting X-Mode Social and Outlogic from selling sensitive location data collected from consumers’ phones, explaining that the broker had gathered precise coordinates through software development kits embedded in ordinary apps and then resold that information without meaningful consent, according to an FTC enforcement summary.
A separate case targeted a different link in the supply chain. The FTC took action against Gravy Analytics and Venntel for unlawfully selling location data that tracked consumers to sensitive sites, including healthcare clinics and religious institutions; the proposed order in that matter would ban the sale or use of such data and require a formal compliance program, as described in an FTC press release.
Both cases share a common thread: the data that powered these broker operations came from apps running in the background with persistent location access. When a weather widget, coupon app, or navigation tool holds “always” permission, it can collect coordinates around the clock, even while a phone sits in a pocket. Those coordinates are then packaged and sold downstream, often passing through several intermediaries before reaching advertisers or analytics firms. The FTC actions confirm that this pipeline is not hypothetical. It operated at commercial scale until regulators intervened.
How “while using” permission blocks the data pipeline on iOS and Android
Apple and Google have built the technical controls needed to sever background collection, but the default behavior still depends on what users choose during initial setup prompts. On iPhones and iPads, selecting “While Using the App” limits location access to moments when the app or one of its features is visible on screen; choosing “Always” allows the app to read GPS coordinates even when running in the background, and a blue status bar appears when an app is actively using location, as Apple explains in its location privacy guidance.
Android follows a parallel but slightly different path. On Android 10, the runtime permission dialog can include an “Allow all the time” option that grants background access in a single tap. Starting with Android 11 and later versions, Google tightened the process so that users must navigate to a separate settings page to enable background location, governed by a dedicated background permission. That extra step was designed to make always-on tracking a deliberate choice rather than an accidental one, and it gives users a clearer sense that they are enabling continuous monitoring rather than a one-time lookup.
The practical effect of switching every app to the narrower permission is straightforward. Apps that genuinely need location, like turn-by-turn navigation or ride-hailing services, still work normally while they are open and in active use. But they lose the ability to silently ping GPS satellites at two in the morning, generating the kind of timestamped coordinate logs that data brokers have turned into a commodity. For anyone who installed apps years ago and tapped through permission prompts without reading them, a single pass through the settings menu can revoke background access across every installed program in a few minutes, sharply reducing the volume of new data entering commercial tracking systems.
Gaps in evidence and what users should watch next
The FTC enforcement record proves that brokers collected and sold background location data. What it does not provide is a direct measurement of how quickly downstream advertising profiles change after a user revokes always-on permissions. No publicly available study has tracked a cohort of users through repeated ad-interest audits before and after switching all apps to “while using,” then measured the reduction in sensitive-location inferences appearing in broker databases within a defined window. That gap matters because revoking permission stops new data from flowing, but it does not erase coordinates already collected and distributed, which may persist in archives or models for months or years.
Apple and Google developer documentation describes permission mechanics in detail, yet neither company publishes aggregated data on how many users currently grant “always” access or how often people change their settings after receiving system reminders. Apple has noted in its privacy materials that iOS may later ask users whether they want to continue allowing background access for a given app, surfacing a reminder when the system detects ongoing location use over time. That periodic prompt is helpful, but it only appears for apps that already hold the broader permission, and it depends on the user reading and acting on the notification rather than dismissing it as another routine alert.
The regulatory picture is also still developing. The proposed FTC order against Gravy Analytics and Venntel had not reached a final resolution at the time the agency announced the action, leaving open questions about how broadly its terms will apply and how aggressively the commission will enforce future violations. Additional investigations could expand the list of companies barred from selling sensitive coordinates, or they could clarify what counts as sufficient consent for location-based services that rely on background access. Until those details are resolved, consumers have limited visibility into which downstream buyers still hold historical records derived from earlier, always-on collection.
For individual users, that uncertainty is a reason to focus on what can be controlled directly on their own devices. Reviewing the list of installed apps and downgrading location access to “while using” or “never” wherever possible reduces the risk that ordinary utilities will quietly feed data into opaque markets. Deleting apps that no longer serve a clear purpose further narrows the number of entities with technical access to a phone’s sensors. Combined with built-in prompts and operating system safeguards, those manual steps make it harder for any single company to assemble a continuous, long-term map of a person’s movements.
At the same time, revoking permissions is not a complete solution. Historical location trails may remain in broker files, cloud backups, or derived analytics products even after a user tightens settings. Some services, such as mapping tools that provide real-time traffic estimates, may still require background access to function as expected, forcing people to weigh convenience against privacy on a case-by-case basis. And without independent research into how quickly data brokers’ profiles decay when new inputs stop, it is difficult to quantify the exact privacy gains from any single change.
Still, the enforcement actions against X-Mode, Outlogic, Gravy Analytics, and Venntel show that background permissions are not a trivial toggle. They are the front door to a commercial ecosystem that regulators now describe as unfair and unlawful when it reaches into sensitive spaces. Until stronger legal limits or technical safeguards are in place, treating “always” as the rare exception and “while using” as the default is one of the most direct ways smartphone owners can shrink their role in that ecosystem and reduce the volume of intimate location data available for sale.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
