IRCNF

Your Phone Is Selling Your Location — Here's the Industry That Profits From It


Your phone knows where you sleep, where you work, which doctor you visit, which house of worship you attend, which political rallies you go to, and which bars you close down on Friday nights. This information — derived from the GPS signal your phone broadcasts, the Wi-Fi networks it connects to, and the Bluetooth beacons it pings — is collected by apps on your device, aggregated by data brokers, packaged into mobility datasets, and sold to buyers you'll never meet, for purposes you were never told about.

This is not a hypothetical privacy concern. It's an active, multi-billion dollar industry that has been operating at commercial scale since approximately 2015 and that touches the data of most smartphone users in the United States, Europe, and many other regions. Understanding how it works, who profits, and what — if anything — can be done about it requires looking past the reassuring language in app permissions dialogs to the infrastructure those permissions feed.

How Location Data Is Collected

The primary collection mechanism is the SDK (Software Development Kit) model. Location data broker companies provide free SDKs to app developers — code libraries that handle functions like analytics, advertising attribution, or weather data. In exchange, the SDK collects location signals from every user of the app and sends them back to the broker's servers. The app developer gets analytics tooling for free; the broker gets location data from the app's user base.

The scale of SDK deployment is staggering. SafeGraph, one of the largest US location data brokers before it merged with Placekey and rebranded in 2022, was collecting data from SDKs embedded in over 45 million apps. Veraset, Foursquare, X-Mode (now Outlogic), Unacast, and dozens of smaller players operate similar SDK networks. The overlapping deployment of multiple SDK networks means that a single smartphone user's location may be simultaneously collected by five or more distinct data brokers through different apps they've installed.

The location data collected is typically timestamped GPS coordinates — latitude, longitude, and timestamp — captured at intervals ranging from every few seconds to every few minutes when the app is in use or running in the background. Over months and years, this produces a movement history that is more revelatory than most people's social media presence: it shows not what someone says they do, but what they actually do, consistently, across time.

What the Data Is Sold For

The uses of commercial location data are more varied than most people realize. The most widely known use is targeted advertising: knowing that a user regularly visits a particular type of retail location allows advertisers to serve location-relevant ads. This is the use case app stores emphasize in permissions disclosures and most users vaguely understand.

Less visible are the financial applications of location data. Hedge funds purchase mobility datasets to track foot traffic at retail locations before earnings announcements — if foot traffic at a competitor's stores is declining, that's a trading signal. REITs and commercial real estate investors use mobility data to assess the viability of potential properties. Insurance companies have explored using mobility data for behavioral underwriting (how someone drives, where they park, whether their stated home address matches their actual sleep location).

Government use is extensive and legally murky. The Wall Street Journal, Vice/Motherboard, and the New York Times have all documented US government agencies — including the Department of Defense, IRS, ICE, and CBP — purchasing commercial location data to track individuals without obtaining warrants. The legal theory is that purchasing commercially available data doesn't constitute a search under the Fourth Amendment, because users "voluntarily" shared it with apps. The Supreme Court's Carpenter v. United States decision in 2018 held that obtaining historical cell-site location data without a warrant is unconstitutional, but the ruling didn't explicitly cover commercially purchased location datasets, creating a legal gray zone that agencies have exploited.

The Consent Problem

Location data brokers argue that collection is consensual — users agree to data collection when they accept app permissions. This argument fails scrutiny on several grounds. App permission dialogs do not disclose that location data will be sold to third parties, who will aggregate it with data from other apps, retain it indefinitely, and sell it to buyers including government agencies. The permission dialog says "Allow access to location" — it does not say "Your location will be combined with location data from your other apps and sold to 200 companies including hedge funds, insurance companies, and federal law enforcement."

The "consent" is also structurally coerced: many apps don't function without location permission even when location isn't necessary for their core function. A game that requests location access to "personalize your experience" is exploiting users' desire to use the game to extract valuable data that has nothing to do with the game. The Federal Trade Commission has documented numerous cases of apps requesting unnecessary permissions specifically for data monetization.

What's Changing

Regulatory pressure has been building. The FTC has brought enforcement actions against several data brokers, including a 2024 settlement with X-Mode/Outlogic that prohibited it from selling sensitive location data (data revealing visits to medical facilities, religious organizations, or political events) without explicit consent. The FTC also settled with InMarket in 2024, prohibiting it from selling location data derived from advertising identifiers without consent.

Apple's App Tracking Transparency (ATT), launched in iOS 14.5 in 2021, required apps to ask permission before tracking users across other apps and websites. The impact was significant: an estimated 75–80% of iOS users decline tracking when asked explicitly. This reduced the signal available to advertising-focused SDKs substantially, and several location data companies that depended on iOS data reported significant revenue impacts.

The EU's GDPR has been more aggressive in requiring affirmative consent for location data collection. Several large advertising technology companies have faced substantial GDPR fines for location data processing without adequate legal basis. However, enforcement has been uneven across EU member states, and the consent infrastructure many companies have implemented (consent banners, IAB Transparency and Consent Framework) has been repeatedly found to be inadequate by data protection authorities.

What You Can Actually Do

The most effective protection is limiting location permissions at the OS level. Both iOS and Android now allow "Precise Location" to be restricted to "Approximate Location" for apps that don't genuinely need precision, and both allow location access to be limited to "Only when using the app" rather than background access. Reviewing and revoking location permissions for apps that don't need them reduces the SDK collection surface materially.
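
One way to carry out the permission review described above on Android, as an added example that is not part of the original article: the script parses the text printed by `adb shell dumpsys package` and ranks each app's location grant from background down to approximate. The sample text and package names are constructed, and the line layout is assumed to match what the device's Android version prints.

```python
import re

# Constructed sample in the layout of `adb shell dumpsys package` (package names are made up).
SAMPLE_DUMPSYS = """\
Package [com.example.weather] (1a2b3c):
  User 0: ceDataInode=1111 installed=true hidden=false
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET ]
Package [com.example.game] (4d5e6f):
  User 0: ceDataInode=2222 installed=true hidden=false
    runtime permissions:
      android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
Package [com.example.notes] (7a8b9c):
  User 0: ceDataInode=3333 installed=true hidden=false
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*android\.permission\.(ACCESS_(?:FINE|COARSE|BACKGROUND)_LOCATION): granted=(true|false)")

def audit_location_grants(dumpsys_text):
    """Map package name -> set of location permissions that are currently granted."""
    grants, current = {}, None
    for line in dumpsys_text.splitlines():
        pkg, perm = PKG_RE.match(line), PERM_RE.match(line)
        if pkg:
            current = pkg.group(1)
        elif perm and current and perm.group(2) == "true":
            grants.setdefault(current, set()).add(perm.group(1))
    return grants

def classify(perms):
    """Rank exposure: background access > precise location > approximate location."""
    if "ACCESS_BACKGROUND_LOCATION" in perms:
        return "background"
    if "ACCESS_FINE_LOCATION" in perms:
        return "precise-foreground"
    return "approximate-foreground"

def report(dumpsys_text):
    """Return {package: exposure level} for every app holding a location grant."""
    return {pkg: classify(p) for pkg, p in sorted(audit_location_grants(dumpsys_text).items())}

if __name__ == "__main__":
    for pkg, level in report(SAMPLE_DUMPSYS).items():
        print(f"{level:24} {pkg}")
```

To audit a real device, pass the function the saved output of `adb shell dumpsys package`; a grant that an app does not need can then be withdrawn in Settings or with `adb shell pm revoke <package> <permission>`.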

Resetting your advertising identifier periodically reduces the linkability of your location data to a persistent identity. On iOS, this is under Settings > Privacy > Tracking; on Android under Google > Ads. It doesn't prevent collection but breaks the long-term continuity of the dataset associated with your device.

The structural problem — that location data collection is embedded in a commercial infrastructure that app developers participate in passively through SDK adoption — cannot be solved by individual user settings. The changes that would address it require regulatory requirements for affirmative disclosure of data sales, warrant requirements for government access, and meaningful penalties for brokers who violate them. The US is beginning to move in that direction, but the distance between current enforcement and adequate protection remains large.
