The Federal Trade Commission's 2024–2025 enforcement wave against location data brokers has fundamentally shifted the compliance landscape for organizations that purchase or license mobile location data. Settlements against X-Mode Social / Outlogic, InMarket Media, and Gravy Analytics / Venntel told an unambiguous story: the Commission will treat precise geolocation as sensitive, it will treat opaque upstream consent as a Section 5 deception, and it will demand deletion and injunctive relief, not just fines. Buyers who procure location data — whether for media planning, CRE research, retail analytics, or federal use-cases surfaced through GSDSI's federal intelligence work — carry independent compliance weight and cannot outsource that weight to a supplier's contractual representations.
Key Takeaways
Three FTC settlements in 12 months (Outlogic, InMarket, Gravy/Venntel) reframed 'precise geolocation' as sensitive data requiring affirmative, informed consent.
Buyers carry independent compliance weight — supplier representations are necessary but not sufficient. Provenance documentation is now a procurement gate.
Sensitive location categories (healthcare, reproductive, places of worship, domestic violence shelters, correctional facilities) require explicit exclusion geofences, not just policy language.
The durable architecture runs IAB TCF-compliant CMPs at SDK ingestion, maintains device-level consent audit trails, and bakes sensitive-category exclusions into the pipeline before the buyer ever sees a row.
What the FTC Actually Targeted
Reading the three consent orders side-by-side, the pattern is consistent. The FTC targeted (1) the sale or sharing of precise visits to sensitive locations with no meaningful consumer awareness of that downstream use, (2) consent language in upstream SDK-level flows that did not adequately disclose secondary sale to data brokers, and (3) opt-out mechanisms that either did not propagate deletion to downstream licensees or did not exist in a reasonably discoverable form. The remedies are just as telling — deletion of affected historical data, injunctive bars on future sale of sensitive categories, and multi-year assessment obligations. For comparable guidance on what sensitive-category handling looks like in practice, see the HHS Office for Civil Rights bulletin on geolocation tracking and state equivalents like the California AG's enforcement guidance on sensitive personal information.
What Buyers Must Now Verify
The vendor diligence bar has moved. A competent procurement process for any mobility or MAID dataset in 2026 documents the following before signature:
Consent-chain provenance: who collected the signal at the SDK layer, under which CMP, and what notice the end-user saw at collection time.
Sensitive-category exclusions: which categories are geofenced out of the feed, whether the exclusion is pipeline-level or just contractual, and where the exclusion list is documented.
Downstream deletion propagation: when a consumer opts out upstream, how that signal reaches the buyer and is applied to already-delivered data.
Third-party audit attestations: SOC 2, ISO 27001, or equivalent coverage specifically scoping the consent pipeline, not just infrastructure.
Breach and enforcement history: any prior consent decrees, enforcement letters, or state AG actions tied to the supplier or its upstream partners.
GSDSI's Global Mobility & Location Data product and MAID Feed operate under a consent-first architecture: every SDK partner must run an IAB TCF v2-compliant Consent Management Platform at ingestion; device-level consent state is persisted and honored downstream; sensitive-category polygons are enforced at the pipeline stage rather than only in contracts. We publish the privacy center and do-not-sell surfaces for end-user signals, and we audit upstream suppliers against the same standard we audit ourselves against. For buyers comparing vendors, the diagnostic question is simple: can the supplier show you a device-level consent record tied to a specific row? If the answer involves vague aggregates or 'our partners handle that,' the procurement risk is yours.
State Regulation Is the Next Frontier
Federal enforcement is only part of the 2026 picture. California (CPRA), Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), and additional states have now layered in sensitive-data protections that explicitly cover precise geolocation, and several have enforcement mechanisms that supplement rather than duplicate the FTC's authority. The California Attorney General's privacy page tracks current enforcement posture; buyers licensing national datasets should assume the most restrictive state regime applies in practice. For a compliance-calendar view of the state landscape, see privacy regulations 2026: state-by-state landscape.
Frequently Asked Questions
What are the three FTC location-data enforcement actions buyers need to know?
In 2024, the FTC settled with X-Mode Social / Outlogic (prohibiting sharing of sensitive location data), InMarket Media (banning sale of precise consumer location data), and reached a proposed order against Gravy Analytics / Venntel. Each settlement centered on sale of precise geolocation to downstream buyers without adequate upstream consent. Read the full orders on the FTC press-release archive.
Am I liable if my data supplier mishandles consent?
Buyers carry independent compliance weight under Section 5 of the FTC Act and under most state privacy regimes. Contractual representations from a supplier are necessary but not sufficient — the Commission has signaled it will consider whether the buyer exercised reasonable diligence in procurement, which now includes provenance documentation, sensitive-category exclusion verification, and ongoing audit rights.
Which location categories count as 'sensitive'?
FTC orders have specifically called out healthcare facilities, reproductive-health clinics, places of worship, domestic violence shelters, correctional facilities, and labor-union locations. State regimes have broadened the category list (see Connecticut CTDPA and Colorado CPA). The defensible procurement standard is to geofence out the union of all regulator-enumerated categories at the pipeline layer, not just in contract language.
How does GSDSI handle consent for its mobility products?
Every upstream SDK partner must run an IAB TCF v2-compliant Consent Management Platform at ingestion. Device-level consent state is persisted and honored downstream; sensitive-category polygons are enforced in-pipeline, not only contractually. The consent architecture is documented in the GSDSI privacy center and available for vendor-diligence review under NDA.