The most important question in 2026 mobility procurement is no longer "how many devices are in the panel?" It is what data is intentionally excluded before the feed reaches you. FTC orders against location-data companies changed the buyer baseline: sensitive-place categories, weak consent chains, historical deletion obligations, and unclear downstream uses now belong in the first diligence packet, not the final redline. Buyers evaluating Global Mobility and Location Data, POI and geofencing, or audience activation should treat sensitive-location controls as a product requirement. Pair this checklist with FTC location data enforcement, data brokers post-FTC consent orders, and the 2026 geo-panel audit.
Key Takeaways
Sensitive-place exclusions are table stakes. Ask for the category list, update cadence, QA owner, and evidence that exclusions run before delivery.
Consent provenance beats panel size. A smaller panel with documented collection notices is more usable than a larger panel with unclear SDK or bidstream origin.
Aggregates are not automatically safe. Require minimum cell sizes, suppression rules, and retention limits for any cohort or trade-area output.
Permitted uses must be explicit. Activation, measurement, site selection, and risk analytics carry different downstream obligations.
Deletion rights need a workflow. Contracts should say how revoked consent and source removals propagate into delivered files and derivative tables.
What Counts as Sensitive Location Data
Sensitive location data generally means precise location information that can reveal visits to places such as medical facilities, reproductive-health clinics, religious institutions, domestic-violence shelters, correctional facilities, military sites, and other venues where inference risk is high. The exact category list should be defined in the vendor's control framework and your contract. The FTC X-Mode / Outlogic order and related location-data enforcement actions are useful primary sources because they name the risk pattern clearly: location traces can reveal intimate facts even when identifiers are pseudonymous.
The buyer-safe frame is not "we do not use names." It is: we do not receive or activate device-level traces tied to sensitive venues, and any aggregate insight is governed by documented suppression and use limits.
Evidence to Request Before a Pilot
Source inventory: collection paths, SDK partners or supply types, and whether bidstream data is present.
Consent artifacts: examples of notices and choices shown at collection, plus the date they were last reviewed.
Sensitive-place taxonomy: venue categories excluded, POI provider used, polygon QA process, and exception handling.
Suppression policy: minimum device counts, minimum household counts, and rules for small geographies or narrow segments.
Deletion propagation: how source opt-outs, revoked consent, and vendor deletion obligations flow into your delivered files.
Contract Controls That Matter
The DPA and order form should do more than say "privacy compliant." They should define prohibited uses, venue exclusions, retention limits, audit rights, subprocessor notice, security controls, and the steps taken when a source is removed. For higher-risk use cases, add a control that requires written approval before combining mobility data with identity graphs, CTV/ACR, or CRM segments. This is especially important for audience targeting and cross-channel measurement, where the same technical join can be benign in aggregate reporting and risky in individual-level activation.
Use the NIST Privacy Framework as a neutral vocabulary for mapping identify, govern, control, communicate, and protect activities. It will not answer every legal question, but it helps procurement, security, and privacy teams score evidence consistently.
Pilot Design for Sensitive-Location Use Cases
Pre-register the intended use: site selection, measurement, market research, or activation.
Use sample geographies that include edge cases such as dense urban trade areas, malls, airports, and healthcare corridors.
Inspect exclusions by category before model testing so lift does not hide policy failure.
Require delivery in a clean workspace or secure bucket with limited retention and access logging.
Document how pilot outputs will be deleted or converted into production tables after the test.
Yes, but usually through aggregation, suppression, and strict permitted-use limits rather than device-level traces. Buyers should avoid receiving or activating person- or device-level visits to sensitive venues and should require documented sensitive-place exclusions before delivery.
Is aggregated location data always outside privacy risk?
No. Aggregation reduces risk only when minimum cell sizes, geography limits, retention controls, and suppression rules are enforced. Sparse cohorts or small polygons can still create inference risk.
What is the fastest red flag in a mobility-data review?
A vendor that cannot show consent provenance and sensitive-place exclusion logic for the current feed. Treat that as a stop-and-escalate item before any sample leaves the vendor environment.
Where should buyers start if they need location data for measurement?