Federal regulators have now finalized two enforcement actions that directly connect precise location data collected by apps to real-world privacy harms, including the tracking of visits to medical clinics and places of worship. The Federal Trade Commission’s orders against data broker X-Mode Social (and its successor Outlogic) and against InMarket both prohibit the sale or sharing of precise location data, treating house-level coordinates as a category of information too sensitive for the commercial data market. For anyone still granting a weather app access to exact GPS coordinates, these cases spell out exactly what can go wrong with that data after it leaves the phone.
FTC Orders Against X-Mode and InMarket Expose the Real Cost of Precise Coordinates
A weather forecast for a ZIP code and a weather forecast for a specific street address are functionally identical. Rain does not stop at a property line. Yet many weather apps still default to requesting precise location, a setting that hands over latitude and longitude accurate to within a few meters. That data has commercial value far beyond forecasting, and two recent FTC cases show where it ends up.
The FTC finalized an order against X-Mode Social and its successor Outlogic in April 2024, barring the company from selling or sharing sensitive location data. The agency alleged that the broker sold precise location data that enabled tracking of individuals’ visits to sensitive places, including reproductive health clinics and places of worship. That data did not originate from a surveillance tool. It flowed from ordinary apps, including weather and traffic utilities, that collected GPS coordinates and passed them downstream to data brokers.
A month later, the FTC finalized a parallel order against InMarket, a separate data company, blocking it from selling or sharing precise location data. The remedy followed a similar pattern: an app user granted location access for a stated purpose, and the resulting coordinates were monetized through a data supply chain the user never agreed to. Reporting on the InMarket settlement emphasized that the FTC is now treating precise location as inherently high-risk information rather than just another advertising signal.
The hypothesis that apps defaulting to precise location feed higher downstream data-brokerage activity finds direct support in these enforcement records. Both X-Mode and InMarket acquired their inventories of sensitive coordinates from apps that requested and received precise GPS access. The FTC did not need to audit every weather app on the market to establish the connection. The enforcement filings themselves document the pipeline: an app collects precise coordinates, a software development kit or data-sharing agreement transfers them to a broker, and the broker packages and sells them to third parties who can then reconstruct individual movement patterns.
What the FTC’s Enforcement Record Reveals About App-Level Permissions
The X-Mode case, filed under FTC case 2123038, provides a detailed enforcement record. The case hub includes the original complaint, the consent order, commissioner statements, and public comments. Together, these documents trace how a single data broker assembled a commercially viable product from the precise location streams of everyday mobile apps. The complaint describes a business model in which X-Mode embedded its software development kit into third-party apps, collected raw GPS data from users of those apps, and then sold that data to clients who could identify visits to specific categories of locations.
According to the FTC, those categories included places that most people would consider highly sensitive: clinics providing reproductive health services, houses of worship, and other locations that reveal health status, religious affiliation, or other intimate details. The complaint emphasized that even when names were removed, the combination of time-stamped coordinates and known addresses allowed buyers to infer the identity and habits of specific individuals. The order therefore treats the underlying coordinates themselves as sensitive, not just the inferences drawn from them.
The InMarket order follows a nearly identical structure. The company collected precise location data through its own apps and through SDKs embedded in other developers’ products. The FTC’s final order bars InMarket from selling, licensing, transferring, or sharing precise location data for advertising or any other purpose, and requires the company to delete previously collected location information and any products derived from it. In both cases, the agency framed the core problem as a mismatch between what users were told about location access and what actually happened with their data.
Both orders carry a practical lesson for phone owners. The data pipeline starts at the moment a user taps “Allow” on a location permission prompt. Apple’s iOS and Google’s Android both offer a toggle labeled “Precise Location” that, when turned off, limits the app to receiving only an approximate location, typically accurate to a radius of several miles. That level of accuracy is more than sufficient for a weather forecast, a news feed filtered by metro area, or a restaurant search. Turning the toggle off does not break these apps. It simply cuts the data supply at its source.
For most everyday uses, the difference between a forecast keyed to a neighborhood and one keyed to a specific rooftop is negligible, while the privacy difference is enormous. Approximate location still lets an app know the city or town a device is in, but it does not support tracing a person’s regular presence at a particular clinic every Tuesday at 3 p.m. Nor does it make it easy to infer where they sleep at night, where they worship, or which support groups they attend.
Gaps in the Evidence and What Phone Owners Should Do Next
The FTC’s enforcement record is strong on the brokerage side of the equation but leaves several questions open. No complaint or order names a specific weather app as a source of the location data sold by X-Mode or InMarket. The agency’s cases target the brokers and their data practices, not the app developers who initially collected the coordinates. That gap matters because it means no weather app company has been publicly required to explain why it requests precise location or what happens to that data after collection.
There is also no published government or academic study quantifying how forecast accuracy changes when a weather app receives city-level coordinates instead of house-level ones. Meteorologists can explain, in general terms, that microclimates exist and that highly localized predictions might matter for some users. But the enforcement record does not contain empirical evidence that consumers benefit from the extra precision in proportion to the privacy risk it creates. Absent that evidence, the default to precise location looks less like a technical necessity and more like a business choice aligned with data monetization.
Consumers therefore have to make decisions under conditions of partial information. The app store listing may not spell out whether an app shares location data with third parties. The in-app privacy policy may be written at a level of abstraction that obscures the role of SDKs and brokers. And even when a policy promises that data is “anonymized,” the FTC’s cases show how easily supposedly anonymous coordinates can be linked back to real lives.
Against that backdrop, several practical steps emerge from the enforcement record. First, review which apps currently have access to location and revoke it for any that do not clearly need it. A weather app can function with approximate location; a flashlight app does not need location at all. Second, where operating systems offer the choice, favor “While Using the App” over “Always” access, and turn off “Precise” unless an app has a compelling, well-explained reason for needing pinpoint accuracy.
Third, treat vague assurances about “partners” or “service providers” in privacy policies as a signal to be cautious. The FTC’s cases against X-Mode and InMarket show that those partners can include data brokers whose core business is aggregating and reselling behavioral profiles. If an app’s business model is not obvious from its product-if it is free, ad-supported, and packed with third-party code-assume that any data you grant it may travel further than you expect.
Finally, the enforcement actions themselves suggest that regulatory expectations are shifting. By prohibiting the sale or sharing of precise location data and requiring deletion of existing datasets, the FTC is signaling that some categories of information are simply too sensitive to traffic in, regardless of how many consent boxes have been checked. Until app developers adjust their defaults to reflect that reality, the most effective response available to individuals is to withhold precise location whenever they can.
Weather apps will continue to forecast rain without knowing the exact coordinates of every doorstep. What the FTC’s orders make clear is that the privacy stakes of handing over those coordinates extend far beyond the next storm. For now, the simplest way to keep that data out of the brokerage pipeline is to say no when an app asks to know exactly where you are.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
