FTC bans data brokers from selling Americans’ sensitive location data
Today, the FTC banned data brokers Mobilewalla and Gravy Analytics from harvesting and selling Americans' location tracking data linked to sensitive locations, like churches, healthcare facilities, military installations, and schools.
The FTC says Mobilewalla and Gravy Analytics unlawfully collected and sold consumers' location data, including data linked to their visits to places of worship and health-related locations.
Virginia-based Gravy Analytics and its subsidiary Venntel used this information to build products and services, allowing customers to search through at least three years of historical data (including raw, precise mobile location data).
Customers—including government agencies like the IRS, DEA, FBI, Customs and Border Protection (CBP), and Immigration and Customs Enforcement (ICE), as 404 Media reported—could also get a list of the Mobile Advertising IDs (MAIDs) of devices that attended a specific event or were present at a location during a custom timeframe, according to the FTC's complaint.
Venntel also provided them with other tools that allowed them to:
- Geo-fence specific locations and collect VIDs (Venntel unique persistent identifiers) that enter the location, along with IP addresses and timestamps, among other information associated with the identifier;
- "Continuously" track a single device;
- Obtain device information about the mobile device associated with a VID, such as operating system, device brand, carrier type, and IP address; and
- Search location signals associated with specific IP addresses.
The FTC also estimates that Georgia-based Mobilewalla collected over 2 billion unique advertising identifiers between January 1, 2018, and June 30, 2020. It also harvested MAIDs paired with location information for more than 183 million devices in 2021 and over 10 million in the first four months of 2022.
"Under today's proposed order, which settles FTC's allegations, Gravy Analytics and Venntel will be prohibited from selling, disclosing, or using sensitive location data in any product or service, and must establish a sensitive data location program," the independent consumer protection agency said.
"Under the FTC's proposed settlement order, Mobilewalla will also be banned from collecting consumer data from online advertising auctions for purposes other than participating in those auctions, marking the first time the agency has alleged such a practice was an unfair act or practice," the FTC added.
The order also mandates that the two data aggregators erase all historical location data along with any data products created using this information.
Today's actions are just the latest targeting companies that have unlawfully collected and sold Americans' sensitive location data.
In 2022, the FTC also sued location data broker Kochava for selling precise geolocation data (in meters) tracking millions of mobile users' movements to and from sensitive locations like mental care, reproductive health, addiction recovery facilities, or shelters for domestic violence survivors.
Earlier this year, it also banned data brokers InMarket Media and Outlogic (formerly X-Mode Social) from selling Americans' precise location data.