The 2024 wave of FTC enforcement actions against data brokers was the single largest structural event in the commercial-data ecosystem since the launch of Apple App Tracking Transparency. The X-Mode/Outlogic order in January, the InMarket Media order in April, and the finalized Mobilewalla order in December each took a different angle but converged on the same message: location data tied to sensitive categories (health facilities, religious sites, protest locations, reproductive-health clinics) is Section-5-exposed regardless of what the privacy policy says. Procurement diligence in 2026 has to account for the new floor. This piece is the working checklist. For the companion framing on FCRA scope see FCRA vs non-FCRA lead data: what the compliance line means for buyers; for the catalog surface see MAID Feed, Global Mobility & Location Data, and Audience Targeting solution.
Key Takeaways
The 2024 FTC orders against X-Mode/Outlogic, InMarket, and Mobilewalla are the three reference consent orders every data-broker diligence must now read against — they define what Section 5 of the FTC Act treats as unfair practices for location data at the broker level.
Sensitive-category scrubbing (health, reproductive, religious, protest-site geofences, domestic-violence shelters, immigration services) is no longer a best-practice option — it is the floor, and buyers should verify the specific exclusion list and the scrubbing methodology before paying for any location feed.
Consent-chain documentation has moved from a reps-and-warranties line item to a specific verification step — the broker must be able to produce panel-level consent scope, purpose-limitation documentation, and consumer-opt-out handling that survives audit.
The enforcement framing applies to historical data as well as forward-flowing data — brokers forced to delete historical cohorts under 2024 orders are now selling step-function-decayed graphs, and buyers should re-denominate pricing against observable-today coverage rather than peak-cohort claims (see the companion piece device graph decay: how fast MAID and HEM freshness degrades).
State-level privacy statutes (CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and the 14+ state laws in 2025-2026) add a parallel envelope — a broker can be Section-5 compliant and still state-law exposed, and the diligence must audit both tracks.
The Three Reference Orders Every Diligence Must Read
The X-Mode/Outlogic order in January 2024 was the first FTC action to explicitly prohibit a data broker from selling sensitive-category location data — the order's prohibition list includes visits to medical/healthcare facilities, religious organizations, correctional facilities, places designed to serve racial/ethnic minority groups, domestic-abuse shelters, political gatherings, immigration-services organizations, and welfare/homeless shelters. The InMarket Media order in April banned InMarket from selling precise location data and required deletion of historically-retained panels, with a deletion-verification regime built into the order. The Mobilewalla order in December hit both the broker and its data-aggregation subsidiary Gravy Analytics, extending the sensitive-category prohibition and adding a broader data-minimization regime. The three orders together define the minimum floor. Any broker that cannot answer "here is how our exclusion list compares to the X-Mode/InMarket/Mobilewalla orders" is under-diligenced.
Sensitive-Category Scrubbing Verification
Sensitive-category scrubbing is not a privacy-policy sentence — it is a pipeline that runs over the raw location signal and removes or suppresses visits to prohibited places. The verification questions every buyer should ask:
Exclusion list coverage. Does the broker's exclusion list match or exceed the X-Mode/InMarket/Mobilewalla categories? Specifically: medical/healthcare facilities, reproductive-health clinics, religious organizations, correctional facilities, domestic-abuse shelters, political-rally geofences, immigration-services organizations, welfare/homeless shelters, schools (for some state statutes), and addiction-treatment facilities.
POI source and update cadence. Scrubbing is only as good as the point-of-interest (POI) dataset feeding the exclusion. Is the broker using a current, sensitive-category-annotated POI file, and how often is it refreshed? Static POI files miss new clinic locations, new religious-site additions, and relocated immigration offices.
Geofence radius and buffer logic. A building-only geofence misses parking-lot visits. The working standard applies a buffered exclusion around the POI centroid (often 50-150m) and removes or suppresses signal within the buffer.
Deletion vs suppression. Does the exclusion remove the record entirely or merely flag it? Suppression-only approaches leave the record in the raw file where downstream processing could resurrect it — the working standard is deletion.
Audit log. The broker should be able to produce an audit trail per release: which records were excluded, what POI source was used, what radius was applied. No audit log means no independently-verifiable compliance.
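The buffer, deletion, and audit-log points above can be checked together in a small scrubber. This is an added example, not any broker's pipeline: the record fields, the `scrub` function, the POI source label, and the sample coordinates are all constructed, and a 25 m radius stands in for a building-only geofence.

```python
import hashlib
import math

EARTH_RADIUS_M = 6_371_000

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlam = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def scrub(pings, pois, radius_m, poi_source):
    """Delete pings inside the buffer of any sensitive POI; return (kept, audit)."""
    kept, excluded = [], []
    for ping in pings:
        hit = next((p for p in pois
                    if haversine_m(ping["lat"], ping["lon"], p["lat"], p["lon"]) <= radius_m),
                   None)
        if hit is None:
            kept.append(ping)
            continue
        # Deletion, not suppression: the ping never reaches the output.
        # The audit entry holds a digest and a category only (no device ID,
        # no coordinates), so the log cannot be used to rebuild the visit.
        excluded.append({
            "record_sha256": hashlib.sha256(ping["record_id"].encode()).hexdigest(),
            "category": hit["category"],
        })
    audit = {"poi_source": poi_source, "radius_m": radius_m,
             "input_count": len(pings), "excluded": excluded}
    return kept, audit

# Constructed sample data: one sensitive POI centroid and three pings.
POIS = [{"category": "healthcare", "lat": 40.0, "lon": -75.0}]
PINGS = [
    {"record_id": "r1", "device": "maid-a", "lat": 40.0000, "lon": -75.0},  # at the centroid
    {"record_id": "r2", "device": "maid-a", "lat": 40.0008, "lon": -75.0},  # ~89 m away (parking lot)
    {"record_id": "r3", "device": "maid-b", "lat": 40.0030, "lon": -75.0},  # ~334 m away
]

if __name__ == "__main__":
    for radius in (25, 100):  # building-only stand-in vs buffered exclusion
        kept, audit = scrub(PINGS, POIS, radius, "constructed-poi-file-v1")
        print(radius, [p["record_id"] for p in kept], len(audit["excluded"]))
```

At 25 m the parking-lot ping `r2` survives into the release; at 100 m it is deleted and appears in the audit log only as a digest.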
Consent-Chain Documentation That Survives Audit
Pre-2024 diligence frequently stopped at a reps-and-warranties clause: the broker represents that its panels were collected under lawful consent. Post-2024, that is insufficient. The enforcement posture assumes the buyer shares exposure if the broker's upstream consent was deficient — and state AG activity under the 2024-2026 state privacy statutes (CCPA/CPRA, VCDPA, CPA, CTDPA, and the growing cluster) adds a parallel enforcement track. Buyers should require, for each panel source feeding the broker's graph: the consent form text and version history, the specific purpose limitation the consumer agreed to, the opt-out URL and documented opt-out-honoring pipeline, and the retention-and-deletion policy. For panels collected via SDKs bundled into third-party apps, the chain extends further — the SDK publisher's consent scope, the terms between SDK publisher and app publisher, and the end-consumer's app-level permission state all have to reconcile. A broker that cannot produce this chain within reasonable request time is carrying a latent risk the buyer inherits. For the companion FCRA framing see FCRA vs non-FCRA lead data: what the compliance line means for buyers.
Step-Function-Decayed Graphs From the 2024 Orders
The 2024 orders required deletion of historically-retained panels — InMarket and Mobilewalla both carried deletion-verification regimes, and downstream graphs that sourced signal from those panels lost the historical cohort contribution in step functions rather than smooth decay. The procurement implication: brokers who advertise peak-cohort size numbers from 2022-2023 are quoting against a graph that partially no longer exists in its advertised form. The honest denominator is observable-today coverage, re-measured after the 2024 deletions worked through the pipeline. Buyers who use peak-cohort denominators overpay relative to buyers who re-denominate against current reachable coverage. The working diligence question: "What fraction of your historical cohort traces back to panels affected by the 2024 orders, and how has your observable-today coverage shifted as a result?" A broker that cannot answer specifically is quoting against a cohort they no longer fully have. For the decay-math framing see device graph decay: how fast MAID and HEM freshness degrades.
The Parallel State-Law Envelope
Section 5 of the FTC Act is one enforcement track; state-level privacy statutes are a parallel one with independently-enforceable obligations. California's CCPA/CPRA with its data-broker registration regime and 2024 delete-my-data rights, Virginia's VCDPA, Colorado's CPA, Connecticut's CTDPA, and the rapidly-growing cluster of state privacy statutes (the IAPP state-privacy tracker counts 14+ laws in effect as of 2026) each add sensitive-category and purpose-limitation obligations that sit on top of Section 5. A broker can be Section-5 compliant on location scrubbing and still exposed on state-law consumer-delete-request handling, on purpose-limitation requirements, or on data-broker-registration obligations. Institutional buyers whose downstream use touches multiple states should diligence the broker's posture on each state track separately, not just the federal one. The operational implication for audience activation: campaign targeting that crosses state lines has to honor the strictest applicable state's consumer-delete handling, not the broker's Section-5-only baseline. For the audience-activation surface see Audience Targeting solution and the companion piece privacy-safe audience targeting after third-party cookies.
Procurement Diligence Checklist
The working checklist every institutional buyer should run before paying for a location or identity-graph feed in 2026:
Map the broker's exclusion list against the X-Mode/InMarket/Mobilewalla order categories — identify gaps, ask for remediation or decline.
Verify the POI file underlying the scrubbing, its age, its sensitive-category annotation coverage, and its update cadence.
Require an audit log per release showing which records were excluded and what POI source + radius was applied.
Require consent-chain documentation for each panel source: form text + version, purpose limitation, opt-out pipeline, retention policy.
For SDK-sourced panels, require the SDK-publisher-to-app-publisher chain documentation down to the end-consumer's app-level consent state.
Ask for pre-2024 vs post-2024 observable-today cohort sizing; re-denominate any catalog pricing against observable-today, not peak-cohort.
Diligence state-law posture separately from Section 5: CCPA/CPRA data-broker registration, consumer-delete-request pipeline, purpose limitation, and sensitive-category handling per each state touching the downstream use.
Obtain reps-and-warranties covering ongoing compliance with the 2024 FTC orders' standards, sensitive-category exclusions, state-law obligations, and notification of future enforcement actions affecting the broker.
A broker that passes all eight is diligenced to the 2026 floor. A broker that cannot pass five or more is not shippable into an institutional pipeline without remediation. The procurement bar moved in 2024 and is not moving back — buyers who underwrite their data pipeline to the old floor will find themselves inheriting exposure that the FTC has now explicitly framed as the broker's burden to carry. For the GSDSI catalog surface see MAID Feed, Global Mobility & Location Data, and Audience Targeting solution.
Frequently Asked Questions
Which three FTC orders should anchor data-broker diligence in 2026?
The X-Mode/Outlogic order from January 2024 (first sensitive-category prohibition), the InMarket Media order from April 2024 (precise-location ban + historical-panel deletion), and the Mobilewalla order finalized December 2024 (extended scope + data-minimization). Every broker should be diligenced against these three consent orders as the Section-5 floor.
What sensitive-category exclusions does a 2026-ready data broker need?
At minimum: medical/healthcare facilities, reproductive-health clinics, religious organizations, correctional facilities, domestic-abuse shelters, political-gathering geofences, immigration-services organizations, welfare/homeless shelters, and addiction-treatment facilities. The exclusion must apply to a buffered radius around each POI centroid (50-150m typical), use deletion rather than suppression, and come with an auditable log showing which records were excluded and what POI source was used. For the audience-surface context see Audience Targeting.
Does state privacy law add obligations beyond the FTC orders?
Yes — the IAPP state-privacy tracker records 14+ state privacy laws in effect as of 2026, starting with CCPA/CPRA and now spanning VCDPA, CPA, CTDPA, and many others. These statutes add data-broker registration, consumer-delete-request pipelines, sensitive-category obligations, and purpose-limitation requirements on top of Section 5. A broker can be Section-5 compliant and still exposed on a specific state's consumer-delete or registration track. Diligence both.
How should buyers handle pre-2024 catalog sizing claims?
Re-denominate. Brokers forced to delete historical panels under the 2024 orders carry step-function-decayed graphs, and pre-2024 peak-cohort sizing claims do not describe the graph that ships today. Ask specifically: "What fraction of the historical cohort traces back to panels affected by the 2024 orders, and how has observable-today coverage shifted?" Price against observable-today, not peak-cohort. For the decay-math framing see device graph decay.