Data Broker Location Tracking: What Is Confirmed and What Is Overclaimed

Introduction

The claim that a sprawling industry of data brokers collects, aggregates, and sells detailed location and behavioral data on hundreds of millions of people — often without their meaningful knowledge or consent — is not a conspiracy theory. It is a confirmed, extensively documented, and legally contested fact. Federal Trade Commission enforcement actions, congressional testimony, investigative journalism by the New York Times, ProPublica, and the Markup, and academic research have collectively established that the data broker industry operates at enormous scale with limited regulatory oversight.

This article examines what is confirmed, what specific harms have been documented, and where the narrative of "total surveillance" overstates the evidence or fails to account for meaningful legal and technical developments that have changed the landscape.

What Is Confirmed

The industry is large and loosely regulated. The FTC's 2014 landmark report on data brokers identified nine major firms — including Acxiom, CoreLogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf, and Recorded Future — collecting data on virtually every American adult. The report documented that these firms maintained profiles with hundreds or thousands of data points per individual, including purchasing behavior, estimated income, health interests, relationship status, and — critically — precise location histories derived from mobile app data.

Location data is particularly sensitive. The New York Times Privacy Project's 2019 investigation, "One Nation, Tracked," used a dataset of location pings from 12 million Americans to demonstrate that precise location data can reveal home addresses, workplace locations, medical appointments, religious attendance, political activity, and relationships — without any microphone or audio collection. The investigation showed that supposedly anonymized location datasets could be re-identified to named individuals with relative ease.

The FTC has taken enforcement action. In December 2023 and January 2024, the FTC brought enforcement actions against data brokers X-Mode Social (operating as Outlogic) and InMarket Media, prohibiting them from selling precise location data that revealed visits to sensitive locations including medical facilities, religious sites, and political events. The Kochava FTC action (filed 2022, settled 2024) specifically addressed the sale of geolocation data revealing visits to reproductive health clinics. These are landmark cases: the FTC explicitly found that this data collection and sale was an unfair practice harming consumers.

Congressional investigations have confirmed broker practices. A 2024 Senate investigation by the Judiciary Subcommittee documented that data brokers sold location data on U.S. military personnel, intelligence community members, and other sensitive government employees — including data showing visits to overseas bases and sensitive government facilities. The investigation found that the data was available for purchase with minimal vetting of buyers.

The Markup's investigations documented specific harms. The Markup, a nonprofit investigative newsroom, published multiple investigations between 2020 and 2024 documenting that major retailers, insurance companies, and healthcare platforms shared user data with data brokers and advertising platforms including Meta Pixel and Google Analytics embedded on their websites — often in violation of their own privacy policies and, in healthcare contexts, potentially in violation of HIPAA.

Opt-out mechanisms are partially effective at best. EPIC (Electronic Privacy Information Center) and consumer privacy researchers have documented that industry opt-out mechanisms — including the Data & Marketing Association's opt-out portal — are fragmented, confusing, and cover only a subset of the industry. Opting out of one broker does not affect data held by hundreds of others. Data purchased before an opt-out remains in buyers' systems.

Recent Enforcement Actions and Documented Harms

The abstract concern about data broker practices became substantially more concrete between 2022 and 2024, as regulators brought specific enforcement actions and investigative journalism documented individual cases of harm with named victims and documented consequences.

The 2024 FTC settlement with X-Mode/Outlogic. In January 2024, the FTC settled with X-Mode Social, operating as Outlogic, over the company's collection and sale of precise location data. The settlement prohibited Outlogic from selling data showing visits to sensitive locations including medical facilities, religious institutions, correctional facilities, domestic violence shelters, and locations associated with political or union activity. The FTC's complaint found that Outlogic had sold this data without adequate disclosure to consumers and without meaningful controls on buyer use. The settlement required deletion of previously collected sensitive location data.

The Vermont Data Privacy Act (2024). Vermont enacted a data broker registration and regulation law in 2024 that, among other provisions, required data brokers to register with the state attorney general, created specific restrictions on the sale of precise location data, and established a private right of action for certain violations. Vermont's approach was notable for directly targeting data brokers as a category rather than regulating only data collection by first-party services.

Geofence warrants and law enforcement access. Court records documented that federal and state law enforcement agencies issued geofence warrants -- requests to technology companies and location data brokers for all devices present in a defined geographic area during a specified time window -- in connection with investigations including the January 6, 2021 Capitol breach. The use of location broker datasets in law enforcement contexts, distinct from direct collection by government agencies, represents a documented privacy harm that existing Fourth Amendment doctrine had not fully addressed as of 2024.

The 2022 Catholic priest outing case. In July 2022, a Catholic priest resigned after The Pillar, a Catholic news publication, reported that smartphone location data purchased from a data broker showed visits to a gay bar and use of the Grindr application at sensitive locations over a period of months. The case was widely cited by privacy advocates as a concrete illustration of the harm enabled by precise location data sales: a private individual's sexual behaviour and religious-professional double life was exposed through the purchase of commercial data that had been collected from his phone without explicit awareness that it would be used in this way.

The Limits and Overclaims

The confirmed scale of data broker activity is substantial enough to warrant serious concern without requiring exaggeration. Some framings of the data broker surveillance narrative overstate specific claims:

Not all data brokers collect raw geolocation. The data broker industry is heterogeneous. Firms like Acxiom focus primarily on demographic and financial data aggregated from public records, retail transactions, and survey data — not precision GPS tracking. The most sensitive location data concerns derive primarily from mobile app-based data brokers and advertising technology firms, not the entire industry uniformly.

CCPA and other state laws have changed the landscape. California's Consumer Privacy Act (CCPA, effective 2020) and its amendment (CPRA, effective 2023) created meaningful rights to access, deletion, and opt-out of sale of personal information for California residents. The Virginia Consumer Data Protection Act, Colorado Privacy Act, and similar state laws have followed. These laws are imperfect and enforcement has been uneven, but they represent a real change from the pre-2020 regulatory vacuum. Describing the data broker ecosystem as entirely unregulated is no longer accurate.

IP-level and aggregated location tracking is less sensitive than GPS-precision data. Some data brokers work primarily with IP-address-derived location (which is typically accurate to city or neighborhood level, not home address) and aggregated mobility data rather than individual GPS pings. The distinction matters for harm assessment, though even coarser location data can enable meaningful inferences.

GDPR has substantially limited broker practices in Europe. The EU's General Data Protection Regulation (effective 2018) created significantly stronger requirements for consent, purpose limitation, and data minimization than U.S. law. European enforcement actions against data brokers and advertising technology firms have been substantial, including major fines against Meta, Google, and others. The U.S.-EU distinction is real and significant.

Verdict

Data broker location tracking is confirmed. The FTC has found it causes real harm and has taken enforcement action. Congressional investigations have documented national security implications. Investigative journalism has shown specific consumer harms. The legitimate concern — that a large, loosely regulated industry maintains extraordinarily detailed behavioral profiles on the majority of Americans and sells them with minimal vetting — is supported by the evidence. The more extreme claim that this constitutes total, inescapable surveillance with no meaningful remediation overstates the uniformity of the industry, understates the effect of recent regulatory developments, and conflates the most invasive practices of specific actors with the entire sector. The most important policy work — comprehensive federal privacy legislation, stronger FTC enforcement authority, and meaningful opt-out mechanisms — is ongoing and contested.