Location Tracking

Your location data can reveal a lot about you: where you live, where you work, where you shop. It should be no surprise, then, that there is big demand for your location data. 

Geolocation can be incredibly useful for pro-consumer applications such as turn-by-turn directions and finding a nearby restaurant; however, all too often this information is secretly collected and shared by dozens if not hundreds of ad networks and data brokers with whom consumers have no relationship or even awareness. The location data market is a vast and multi-layered network of actors and technology. At one end is your phone, the source of much of the location data collected about you. Various entities collect the location data generated by your phone, including your telephone service provider, stores, adverting platforms, and phone apps. The collecting companies then sell your location data to aggregators, who then either package and resell the data to further brokers or sell data products directly to end users. Much of the location data market is centered around marketing analytics, but the government has also been a major purchaser of location data.

Apps Are Tracking Your Every Move

Many an app has likely prompted you to request access to your location. Sometimes, the app has a legitimate reason to access the information, like displaying your local weather. Sometimes, it doesn’t. In either case, the app may be selling your location data to a third party. 

Apps often capture your location information through third-party Software Development Kits, or “SDKs”, which are pieces of code that data aggregators write and make available to app developers to easily add functionality to their apps—and to create a data pipeline back to the data aggregator. SDK developers pay app developers that use their SDKs based on their app’s number of active users—the more people who use the app, the more location data the developer contributes to the aggregator’s dataset, and the more valuable the dataset. A single SDK can be found in hundreds of different apps, providing the data aggregator with location data on thousands or even millions of individuals.This data could subsequently be breached, as happened with Gravy Analytics in 2025.

The Federal Trade Commission (FTC) took action against several location data brokers in 2024, building on its 2022 action against Kochava.

Other ways companies collect your location 

Apps are not the only way data aggregators can get your location data. The four major telephone service providers have sold location data to aggregators, resulting in a $200 million fine from the FCC that as of 2025 was still working its way through the courts.

The FCC, and several states legislatures, have also attempted to protect the location data of domestic violence survivors obtained via connected cars. Regarding abuser access to location data specifically, location services marketed as being useful for family safety can also be twisted to these dangerous ends.

Mobile ad companies also sell location data collected through a “bidstream,” which is data sent from a mobile device to an ad company that is used to determine what ad to serve the device. Stores and other service providers with physical locations also collect location data through bluetooth beacons, which are devices that collect information from your phone through short-ranged bluetooth radio waves. Stores often use beacons to track your movement through a store and to serve ads related to the products you spend time near. They also sell this data to aggregators, who, along with all of their customers, now know you are in the market for a car or household furnishings.

In 2025, General Motors (GM) and its subsidiary OnStar agreed not to sell drivers’ location data for five years following an investigation by the Federal Trade Commission. “GM monitored and sold people’s precise geolocation data and driver behavior information, sometimes as often as every three seconds,” said then-FTC Chair Lina M. Khan. The FTC’s complaint alleged that GM and OnStar were selling drivers’ precise geolocation to consumer reporting agencies and other third parties.

Buying Location Data: The Government’s Run Around Carpenter

In 2018, the U.S. Supreme Court said in Carpenter v. United States that the government must get a warrant to obtain cell phone-generated location data that reveals a person’s past movements. But instead of getting a warrant, many government agencies have, instead, purchased location data from data brokers. The U.S. military has purchased access to X-Mode, which runs an SDK that is embedded in apps targeting Muslims. ICE, Customs and Border Protection (“CBP”), the IRS, the FBI, and the DEA have all purchased access to Venntel (a subsidiary of Gravy Analytics), which aggregates location data from 80,000 apps, including X-Mode apps. Many of the same agencies, along with the Secret Service, have purchased access to Locate X, which produces a product similar to Venntel. Lawmakers have introduced legislation to end this practice.

In 2024, Montana became the first state to pass a law prohibiting law enforcement from purchasing certain forms of data from data brokers, closing the data broker loophole.

EPIC’s Work

EPIC has been working to stop apps from collecting and selling users’ location data without consent. One success story is EPIC’s case against AccuWeather, which resulted in AccuWeather changing its app to separate location access permissions for app function and for other purposes (i.e., sale to a third-party marketing company).

EPIC also advocates for state laws that ban the sale of precise geolocation data. Both Maryland and Oregon have adopted such bans.