On September 3, 2025, the Department of Justice (DOJ) filed suit against Apitor Technology, which makes robotic toys, alleging that Apitor’s app “enabled a third party in China to collect geolocation information from children without parental consent.”

The DOJ filed suit following a referral from the Federal Trade Commission (FTC) that Apitor did not comply with the Children’s Online Privacy Protection Act (COPPA) because it failed to obtain parental consent before collecting geolocation data from children, and allowed a third party in China to collect children’s geolocation data without parental consent.

Apitor, based in China, “sells robot toys targeted to children ages 6-14 and includes a free companion mobile app that allows users to program and control the toys.” The complaint alleges that users with Android devices are required to enable location sharing to use the app. There is no ability to only enable location services while using the app. This means that the app has access to the geolocation of the user even when not using the toy. In addition, Apitor integrated a third-party software development kit called JPush in the app that allowed JPush’s developers access to the geolocation data for any purpose. As soon as the app is downloaded to an Android device, JPush has access to users’ precise geolocation data without the children’s or their parents’ knowledge. The DOJ alleges that Apitor failed to notify parents that JPush was collecting and using geolocation information.

The proposed order includes a proposed $500,000 penalty and requires Apitor to ensure that any third-party software it uses is in compliance with the COPPA Rule, to notify parents before Apitor collects or permits a third party to collect personal information of children under the age of 13, to delete a child’s personal information at the request of a parent, and to retain personal information only for as long as is reasonably necessary.

The complaint shows the importance of understanding what data apps are collecting when they are downloaded, especially when the app is used by children. Consider researching the app before you download it, including reading the Privacy Policy and Terms of Use. Be wary of apps that are owned by companies that are located in other countries, particularly countries that are considered threats to national security such as China, Russia, North Korea, and Iran. Understand when apps are collecting geolocation and try to limit the sharing to just when they are being used. For more information, check out Privacy Tip #293, which highlights considerations for downloading apps with location-based services.

On August 15, 2025, a bipartisan coalition of 37 state Attorneys General, led by Georgia Attorney General Chris Carr and New Mexico Attorney General Raul Torrez, sent a letter to Instagram requesting that it make “immediate changes to its newly implemented location-sharing feature, which allows a user’s precise location to be displayed on a map.”

The letter “emphasizes the heightened dangers for vulnerable users, including children and survivors of domestic violence, noting that such tools can be exploited by predators, stalkers, and other malicious actors.”

The letter requests that Instagram:

  • Ensure that minors cannot enable location-sharing features;
  • Send a clear alert to all adult users explaining the feature, outlining its risks, and providing full disclosure on how Instagram will use the location data; and
  • Provide a simple, easy-to-access control to disable location sharing at any time for adults who choose to opt in.

The attorneys general of Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, Florida, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota, Missouri, Montana, Nebraska, New Jersey, New York, Nevada, North Carolina, Oklahoma, Rhode Island, South Carolina, South Dakota, Texas, Tennessee, Utah, Virginia, Vermont, West Virginia, and Wyoming also joined the letter. 

The letter outlines that the new feature

[E]nables users to see and share detailed, real-time location data through Instagram’s map interface. This functionality, if not carefully controlled, poses clear risks of stalking, harassment, and other forms of exploitation. It also represents a troubling expansion of the personal data Instagram collects and makes accessible, which can be misused by malicious actors.

The letter also notes that the location-sharing feature poses a “particular risk for minors as they can be readily used by sexual predators to identify and geographically target children in the real world.”

Parents need to be aware of this new feature, discuss it with children, and decide whether to enable the feature’s functionality or location sharing at all. All users of Instagram should assess whether to enable location sharing.

How does one turn the Friend Map on and off?

  1. Open the Instagram app.
  2. Tap on the paper plane “Messenger” icon in the top right.
  3. Then, tap the “Map” at the top of your inbox.
  4. Hit “Settings” in the upper right.
  5. When it asks, “Who can see your location?”, choose “NO ONE.”

    Your location is now OFF, and other Instagram users cannot see where you’ve been.

    The California Privacy Protection Agency (CPPA), the agency responsible for implementing and enforcing the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) (collectively the CCPA), protecting consumer privacy, and ensuring compliance with data privacy regulations, has announced an investigative sweep into companies’ collection of sensitive location data. The CPPA has already sent out inquiries to “advertising networks, mobile app providers, and data brokers that appear to be in violation” of the CCPA.

    California Attorney General Rob Bonta said, “Every day, we give off a steady stream of data that broadcasts not only who we are, but where we go. This location data is deeply personal, can let anyone know if you visit a health clinic or hospital, and can identify your everyday habits and movements.” The CPPA is concerned that this sensitive location data will be used to target vulnerable populations. The CPPA urges businesses to take their responsibility as stewards of this sensitive data seriously and to affirmatively protect location data.

    The CPPA’s investigation will focus on how companies are informing consumers about their right to opt out of the sale and sharing of their data (as required under the CCPA), including geolocation data and other types of personal information collected by businesses. Additionally, the CPPA will investigate how companies actually apply this opt-out requirement when a consumer asserts that right.

    If your company hasn’t assessed its opt-out processes and procedures lately, now is the time to confirm that consumers are clearly notified of this right and that they can readily opt out of such tracking and collection and subsequent sale and/or sharing of that data with third parties.

    In its continued concentration on the collection and use of consumers’ precise geolocation, on January 16, 2024, the Federal Trade Commission (FTC) settled with General Motors (GM) over allegations that it collected, used, and sold drivers’ precise geolocation and driving behavior data from millions of vehicles—data that can be used to set insurance rates—without adequately notifying consumers and obtaining their affirmative consent.

    The FTC accepted the proposed order for public comment, which will be open for 30 days.

    The complaint against GM alleged that it “used a misleading enrollment process to get consumers to sign up for its OnStar connected vehicle service and the OnStar Smart Driver feature. GM failed to clearly disclose that it collected consumers’ precise geolocation and driving behavior data and sold it to third parties, including consumer reporting agencies, without consumers’ consent.” According to the complaint, GM collected driver data through OnStar as often as every three seconds. As in the previous four cases in 2024, the FTC alleges that “tracking and collecting geolocation data can be extremely [privacy-invasive], revealing some of the most intimate details about a person’s life, such as whether they visited a hospital or other medical facility, and expose their daily routines.” The proposed order, if accepted, “prohibits GM and OnStar from misrepresenting information about how they collect, use and share consumers’ location and driver behavior data.” In addition, the order prohibits them from disclosing consumers’ geolocation and driver behavior data to consumer reporting agencies for five years; requires them to obtain affirmative express consent from consumers before collecting connected vehicle data; allows consumers to obtain and delete their data; and allows consumers to limit data collection from their vehicles.

    Many people do not understand how their geolocation data can be collected and used about them, or how massive the amount of precise location data collected from our devices is.

    The Federal Trade Commission (FTC) recently filed a complaint against Mobilewalla, Inc., alleging that it violated Section 5 of the FTC Act by selling consumers’ sensitive location information and targeting consumers based on sensitive characteristics without their consent. It further alleged that Mobilewalla conducted an unfair practice by collecting consumer information from real-time bidding (RTB) exchanges and indefinitely retained consumer location information.

    According to the complaint, Mobilewalla is a data broker “that collects and aggregates huge quantities of consumer information, including precise location information tied to individual consumers that reveals sensitive information about those consumers. Mobilewalla touts its ability, among other things, to ‘create a comprehensive, cross channel view of the customer, understanding online and offline behavior.'” Mobilewalla collects this data from data suppliers, and consumers have no idea that their location information is being collected.

    In addition, Mobilewalla has “collected large swaths of consumers’ personal information, including location data from multiple sources such as real-time bidding exchanges and data brokers. These sources may themselves obtain consumer data from other data suppliers, the mobile or online advertising marketplace, or mobile applications.” Most of the data is collected from RTB exchanges. I had never even heard of an RTB exchange until I read the complaint. The complaint explains:

                The primary purpose of RTB exchanges is to enable instantaneous delivery of advertisements and other content to consumers’ mobile devices, such as when scrolling through a webpage or using an app. An app or website implements a software development kit, cookie, or similar technology that collects the consumer’s personal information from their device and passes it along to the RTB exchange in the form of a bid request. In an auction that occurs in a fraction of a second and without consumers’ involvement, advertisers participating in the RTB exchange bid to place advertisements based on the consumer information contained in the bid request. Advertisers can see and collect the consumer information contained in the bid request (even when they do not have a winning bid) and successfully place the advertisement.

    The FTC alleges that Mobilewalla collected and retained information contained in a bid request in an RTB exchange even when it did not win the bid, including the consumer’s device mobile advertising identifier (MAID) and precise geolocation information if location-based services were turned on. Mobilewalla then used this information and paired it with other purchased consumer data (e.g., telephone numbers) to build profiles of individual consumers. Mobilewalla then sells access to this data, including raw location data, which is not anonymized. The FTC alleges that MAIDs can be used “to identify a mobile device’s user or owner.”
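
The bid-request flow described above means every bidder sees the MAID and coordinates, so the practical control sits with the app or SDK that builds the request. The following is an added example, not code from the complaint or from any company named here: it assumes the request uses OpenRTB 2.x-style JSON field names (`device.ifa` for the MAID, `device.geo`, `user.geo`), and the sample request, the function name and the rounding policy are constructed for illustration.

```python
import copy

# Assumed policy value: one decimal place is roughly 11 km of latitude.
GEO_DECIMALS_WITHOUT_CONSENT = 1

# Constructed sample bid request; every value here is made up.
SAMPLE_BID_REQUEST = {
    "id": "constructed-req-1",
    "app": {"bundle": "com.example.shoppinglist"},
    "device": {
        "ifa": "00000000-aaaa-bbbb-cccc-111111111111",  # the MAID
        "lmt": 0,
        "geo": {"lat": 39.961176, "lon": -82.998794, "type": 1, "accuracy": 12},
    },
    "user": {
        "id": "constructed-user-77",
        "geo": {"lat": 39.961176, "lon": -82.998794, "type": 1},
    },
}


def _coarsen(geo, path, changes):
    """Round coordinates in place and drop the accuracy hint."""
    if not isinstance(geo, dict):
        return
    for key in ("lat", "lon"):
        if isinstance(geo.get(key), (int, float)):
            geo[key] = round(float(geo[key]), GEO_DECIMALS_WITHOUT_CONSENT)
            changes.append(f"{path}.{key} coarsened")
    if geo.pop("accuracy", None) is not None:
        changes.append(f"{path}.accuracy removed")


def minimize_bid_request(request, *, ad_id_consent, precise_location_consent):
    """Return (minimized_copy, changes) without mutating the input.

    Anything left in the request is visible to every bidder, including
    bidders that lose the auction, so fields are removed before sending.
    """
    out = copy.deepcopy(request)
    changes = []
    device = out.get("device", {})
    user = out.get("user", {})

    if not ad_id_consent:
        if device.pop("ifa", None) is not None:
            changes.append("device.ifa removed")
        if "device" in out:
            device["lmt"] = 1  # signal limit-ad-tracking downstream
        for key in ("id", "buyeruid"):
            if user.pop(key, None) is not None:
                changes.append(f"user.{key} removed")

    if not precise_location_consent:
        _coarsen(device.get("geo"), "device.geo", changes)
        _coarsen(user.get("geo"), "user.geo", changes)

    return out, changes


if __name__ == "__main__":
    minimized, log = minimize_bid_request(
        SAMPLE_BID_REQUEST, ad_id_consent=False, precise_location_consent=False
    )
    print(minimized)
    print(log)
```

The returned change list gives an audit trail of what was withheld from each request.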

    The FTC’s concern about this practice is that “Mobilewalla’s location data associated with MAIDs can be used to track consumers to sensitive locations, including medical facilities, places of religious worship, places that offer services to the LGBTQ+ community, domestic abuse shelters, and welfare and homeless shelters. It can also be used to infer sensitive information about those consumers.” In addition, “Mobilewalla’s collection and sale of consumers’ precise geolocation data to its clients to identify and target consumers based on sensitive characteristics causes or is likely to cause substantial injury in the form of stigma, discrimination, physical violence, emotional distress, and other harms.”

    Similarly, the FTC recently issued a decision and consent order against Gravy Analytics, Inc. and Venntel, Inc. following an investigation of their collection and sale of precise consumer location and sensitive data. Take a look at the complaint if you want to learn more about how your precise location and other data can be collected when the location-based services feature is enabled on your device, and consider only keeping it on when you are using an app that requires it.

    The Federal Communications Commission (FCC) has announced that it has levied almost $200 million in fines against “the nation’s largest wireless carriers for illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure.”

    The FCC’s allegations include that the carriers sold access to customers’ location information to aggregators, which then resold the data to third-party location-based service providers. The disclosure to the aggregators and the redisclosures to third parties did not include customer consent. The FCC alleged that “customers’ real-time location information, revealing where they go and who they are,” is some of the most sensitive data in carriers’ possession.

    The fines against the wireless carriers stem from a violation of § 222 of the Communications Act, which requires carriers to “take reasonable measures to protect certain customer information, including location information,” as well as maintain the confidentiality of the data and obtain “affirmative, express customer consent before using, disclosing, or allowing access to such information.” The FCC maintains that these obligations apply when the carriers share customer information with third parties.

    The FCC’s Privacy and Data Protection Task Force led the investigation, which started with customer complaints that a Missouri Sheriff was using a location-finding service to track the location of individuals.

    On May 1, 2024, the Federal Trade Commission (FTC) announced a settlement with InMarket Media (InMarket), a digital marketing and data aggregator, to resolve the FTC’s allegations that InMarket “unlawfully collected and used consumers’ location data for advertising and marketing.”

    The complaint filed by the FTC against InMarket alleged that InMarket collects and aggregates location information about consumers from different sources, including its apps and other third-party apps, then aggregates the location data with other publicly available data to determine consumers’ behavior for targeted advertising. The FTC alleged that InMarket failed to properly inform consumers about how it was collecting and using their location data and how it would be combined with other data for targeted advertising. It also alleged that InMarket failed to require that third-party app providers obtain consumers’ consent for the use of the location data.

    The FTC has been focused on the collection and use of data from location-based services due to this data “including sensitive information about where [consumers] live, work and worship.” This marks one of several settlements in the last year.

    The Order prohibits InMarket from “selling, sharing or licensing any precise location data and any product or service that categorizes or targets consumers based on sensitive location data,” as well as other provisions related to the destruction of such data from its systems. The FTC’s continued enforcement of transparency and consumer consent for the collection and use of location services shows that the FTC is serious about this issue. Those who are collecting and using location services from consumers would do well to take a thorough look at internal processes and procedures, including updating Privacy Policies and consents, to react to the FTC’s focus.

    In a matter of weeks, the Federal Trade Commission (FTC) has settled another case against a company it alleges tracks consumers and sells their “precise location data” to third parties. This continues the FTC’s aggressive approach toward location-based consumer data.

    According to the FTC’s complaint, Texas-based InMarket offered two apps to consumers: shopping rewards app CheckPoints, and shopping list app ListEase. According to the FTC’s press release, the FTC alleged in its complaint that when InMarket requested consent to use a consumer’s location data, it told the customer that it was only using the data “for the app’s function, such as to provide shopping reward points or to remind consumers about items on their shopping list.” The FTC alleges that InMarket “fail[ed] to inform users that the location data will also be combined with other data obtained about those users and used for targeted advertising.”

    Frankly, I don’t understand why my location would need to be shared to provide me with points or remind me what’s on my list. If I received that popup, I would think twice about the transparency and accuracy of the popup. At any rate, other consumers allowed access to precise location data for this alleged purpose, and the FTC intervened on behalf of consumers to stop the practice. According to the FTC, InMarket was combining precise location data with other data to profile consumers and then categorize them as “parents of preschoolers,” “Christian church goers,” and “wealthy and not healthy.” Ouch.

    The settlement prohibits InMarket from selling or licensing any precise location data and from “selling, licensing, transferring or sharing any product or service that categorizes or targets consumers based on sensitive location data.”  If this settlement doesn’t tell you that the FTC has location-based services on its radar, nothing will. The clear messages from this settlement are: 1) if you are a business that is collecting and using precise location data of consumers, transparency with consumers about why you are collecting and how you are using that data is critical; 2) be mindful of the FTC’s message that “firms do not have free license to monetize data tracking people’s precise location”; and 3) read the popups and consider how your data will be used before clicking “I agree.” If the collection and use doesn’t make sense, consider not downloading it and find a better alternative.

    On January 9, 2024, the Federal Trade Commission (FTC) announced its settlement with X-Mode Social and its successor Outlogic that will prohibit them “from sharing or selling any sensitive location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.”

    The FTC’s settlement with X-Mode/Outlogic marks its first with a “data broker concerning the collection and sale of sensitive location information.” The FTC’s complaint alleged that Outlogic failed to put reasonable and appropriate safeguards in place regarding the use of the data by third parties. It further alleged that the company “did not have any policies in place to remove sensitive locations from the raw location data it sold…putting consumers’ sensitive personal information at risk.” The FTC alleged that the location data that Outlogic sold exposed consumers “to potential discrimination, physical violence, emotional distress, and other harms.”

    The FTC alleged that the privacy policies did not inform consumers about how their location data would be used or which entities would receive the data, and that the company did not obtain informed consent to obtain access to sensitive location data.

    To illustrate how sensitive location data can be used by data brokers, the FTC provided an example of how X-Mode in one contract with a customer “provided a private clinical research company information for marketing and advertising purposes about consumers who had visited certain internal medical facilities and then pharmacies or specialty infusion centers within a certain radius in the Columbus, Ohio area.”

    The complaint and settlement agreement provide a road map of how data brokers are accessing, using, and disclosing location services, and serve as guidance for both consumers and marketing companies.

    For consumers, this is a reminder to read the privacy policies of any application that seeks access to location services, and to frequently check which apps you have allowed access to location services on your devices. When you turn location services on, all of those apps are tracking your specific location. Stay abreast of who you are providing access to, check the access frequently, and consider only turning it on when using a particular app.

    For companies who wish to request access to location services of consumers for marketing purposes, you may wish to revisit your privacy policy to determine whether you are transparent about how you are collecting, using, and disclosing location services. You might also consider creating and developing a program “that maintains a comprehensive list of sensitive locations, and ensure it is not sharing, selling or transferring location data about such locations.” In addition, it may be a good idea to: review and update internal policies and procedures around destruction of location data; develop a supplier assessment program to confirm that consumer consent is being obtained before the collection, use, or disclosure of location data; and “ensure that recipients of location data do not associate the data with locations that provide services to LGBTQ+ people…locations of public gatherings of individuals at political or social demonstrations or protests, or use location data to determine the identity or location of a specific individual…and establish and implement a comprehensive privacy program that protects the privacy of consumers’ personal information and also create a data retention schedule.” The settlement terms offer valuable guidance for compliance teams to note and use for their internal compliance programs if location services are being collected from consumers.
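
One way a compliance team could implement the sensitive-locations program quoted above is a filter that runs before any location data leaves the company. This is an added example, not taken from the FTC order or from any company's code; the site list, coordinates, radius and function names are constructed assumptions.

```python
import math

EARTH_RADIUS_M = 6_371_000

# Constructed list; a real program would maintain and review this centrally.
SENSITIVE_SITES = [
    {"category": "medical", "lat": 39.9600, "lon": -83.0000, "radius_m": 200},
    {"category": "place_of_worship", "lat": 39.9750, "lon": -83.0100, "radius_m": 150},
]

# Constructed location records as they might sit in an export queue.
SAMPLE_RECORDS = [
    {"record_id": "r1", "lat": 39.9605, "lon": -83.0002},  # about 58 m from site 1
    {"record_id": "r2", "lat": 39.9900, "lon": -83.0000},  # about 3.3 km away
    {"record_id": "r3", "lat": None, "lon": -83.0000},     # malformed
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def _valid_coord(value, limit):
    is_number = isinstance(value, (int, float)) and not isinstance(value, bool)
    return is_number and -limit <= value <= limit


def suppress_sensitive(records, sites=SENSITIVE_SITES):
    """Split records into (shareable, dropped).

    Fails closed: a record whose coordinates cannot be checked is dropped,
    not shared. The dropped list records the reason for audit but is never
    exported, since naming the matched site would itself be sensitive.
    """
    shareable, dropped = [], []
    for rec in records:
        lat, lon = rec.get("lat"), rec.get("lon")
        if not (_valid_coord(lat, 90) and _valid_coord(lon, 180)):
            dropped.append((rec.get("record_id"), "unverifiable_coordinates"))
            continue
        near = any(
            haversine_m(lat, lon, s["lat"], s["lon"]) <= s["radius_m"] for s in sites
        )
        if near:
            dropped.append((rec.get("record_id"), "sensitive_location"))
        else:
            shareable.append(rec)
    return shareable, dropped


if __name__ == "__main__":
    ok, removed = suppress_sensitive(SAMPLE_RECORDS)
    print([r["record_id"] for r in ok])
    print(removed)
```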

    INRIX, a company that provides location-based data analytics, has been collecting, analyzing, and selling aggregated vehicle, traffic, and parking data for over 17 years. Now, after the Roe v. Wade decision, INRIX is under scrutiny for its data collection tactics and the ability to view data related to Planned Parenthood clinics. In a brochure for its “Vehicle Trips” product, INRIX details the fact that it “captures over 150 million anonymous trips” and 36 billion “real-time data points” each day, with updates as frequent as every three seconds.

    By using only the free trial version of the INRIX IQ Location Analytics platform, a user can locate at least 71 Planned Parenthood clinics in numerous states. The free version of this platform only lists the address, hours, and average annual daily traffic counts on nearby streets for each clinic, but the paid version shows more detailed statistics for sample points of interests in its database, including demographic and ethnic breakdowns of visitors, visitor counts by hour and day, aggregated heat maps of the origins and destinations for visitors, and drive times to and from the business location.

    While this type of data collection, availability, and accessibility may seem problematic in the current legal landscape related to reproductive rights, INRIX has publicly stated that it only receives anonymized data and de-identifies it further as necessary, before aggregating those data for use in its products. According to INRIX, individual identities are not relevant to its business – the location analytics only display results based on the census block group level and the data are sourced from map providers, which are commercially available.

    Other location-based data analytics companies, such as Safegraph and Placer.ai, also had Planned Parenthood visitor data in their products, but those data have been removed. Even some Internet search engines have pledged to delete visitor location data when a user visits an abortion provider, fertility center, or other sensitive reproductive health location.

    The problem with this data collection and sharing, although inclusive only of location-based data, comes when the individuals seeking an abortion face increased risks to their privacy, and potentially, their own safety and wellbeing. Before the recent overturning of Roe v. Wade, pro-life activists used software and services like geofencing from the location data industry to dissuade abortion-seeking patients with targeted advertisements. With the procedure criminalized in nine states, the effects could be even more impactful.

    As a result of this data collection and use, lawmakers have sent letters to these location data companies to gather details about their data collection and to request that they stop including abortion clinics in their platforms and reports.

    While most of the data on the free version of the INRIX dashboard are aggregated, risks still remain. Most companies in the location data industry boast that individual privacy is protected due to the fact that they only sell aggregated data (e.g., the number of people visiting a particular business during a specific week). However, even aggregated data might carry risks for individual privacy because individuals could still be identified in some circumstances. If location data show that a particular user frequents one central location (e.g., home or work) while also visiting a Planned Parenthood clinic, it may be easier than you’d think to determine the identity of that individual.

    For more on this investigation conducted by The Markup click here.