FTC Bans Kochava From Selling Your Location Data (2026)

On May 4, 2026, the Federal Trade Commission finalized a settlement with Kochava Inc., permanently banning the Idaho-based data broker from selling sensitive geolocation data. The company had been collecting precise GPS coordinates from hundreds of millions of mobile devices and selling them in a format that allowed buyers to track individuals to addiction treatment centers, reproductive health clinics, domestic violence shelters, and places of worship. The settlement contains no fine. Kochava is one company. The location data industry has dozens more just like it.

What Kochava Was Doing

Kochava operated as a location data aggregator and marketplace. The company collected timestamped latitude-longitude coordinates from mobile devices through partnerships with app developers and advertising SDK providers. This data was tied to mobile advertising identifiers — unique strings assigned to each phone that function as persistent tracking tokens.

The FTC's complaint, originally filed in August 2022, alleged that Kochava's data products allowed buyers to identify individuals who visited specific sensitive locations. The agency's investigation found that Kochava's geolocation feeds could be used to track people to:

• Addiction treatment centers and recovery programs — revealing substance abuse treatment that people have every reason to keep private
• Reproductive health clinics — including facilities that provide abortion services, in states where that information carries legal consequences
• Domestic violence shelters — locations whose secrecy is literally a matter of physical safety
• Places of worship — exposing religious affiliation and attendance patterns
• Veterans' facilities and homeless shelters — identifying vulnerable populations

The data was not hypothetical or abstract. Kochava sold a product called the "Kochava Collective" that provided raw geolocation feeds. Buyers could draw a geofence around any building — a clinic, a mosque, an AA meeting location — and pull a list of every device that had entered that boundary, along with where those devices went before and after. It was commercial surveillance infrastructure sold as a marketing tool.

How Phone Apps Feed the Location Pipeline

To understand how a company like Kochava accumulates location data from hundreds of millions of devices, you have to understand the mobile advertising ecosystem that makes it possible.

When you install a phone app and grant it location access, you are typically not just sharing your location with that app's developer. Many free apps — weather apps, flashlight utilities, games, coupon apps — embed advertising SDKs (software development kits) from third-party data companies. These SDKs run silently inside the app and transmit your precise GPS coordinates, along with your phone's advertising ID, to data aggregators at regular intervals.

The app developer gets revenue from the SDK provider. The SDK provider — companies like Kochava, X-Mode, and others — aggregates the location streams from thousands of apps into a single marketable dataset. That dataset is then sold to advertisers, hedge funds, government agencies, and anyone else willing to pay.

Your phone's advertising identifier is the link that ties all of this together. On iOS, it is called the IDFA (Identifier for Advertisers). On Android, it is the GAID (Google Advertising ID). These identifiers persist across apps, meaning that a data broker can combine your location data from a weather app, a game, and a coupon app into a single continuous tracking record. And because other data brokers sell databases that match advertising IDs to real names, emails, and home addresses, the "anonymity" of an advertising ID is purely theoretical.

What the Settlement Actually Requires

The FTC's final order imposes several requirements on Kochava:

1. Permanent ban on selling sensitive location data. Kochava cannot sell, license, transfer, or share geolocation data that could be used to identify visits to medical facilities, religious organizations, shelters, or other sensitive locations.
2. Deletion of historical data. Kochava must delete previously collected geolocation data that falls within the sensitive categories covered by the order.
3. Implementation of a sensitive location program. The company must develop and maintain a system to identify and exclude sensitive locations from any geolocation data products it continues to sell.
4. No fine. The settlement does not include a monetary penalty. Kochava walked away from years of selling sensitive location data from hundreds of millions of devices without paying a dollar in fines.

The absence of a fine is worth pausing on. The FTC's enforcement authority under Section 5 of the FTC Act allows for civil penalties in certain circumstances, but the agency often settles for injunctive relief — banning the behavior rather than punishing it retroactively. For a company that built its business on selling people's most sensitive movements, "stop doing it" is a lenient outcome.

The Location Data Brokers Still Operating

Kochava's settlement removes one player from the location data market. The market itself remains intact. Dozens of companies continue to collect, aggregate, and sell precise geolocation data from mobile devices. Some of the most prominent:

• Babel Street — sells a tool called Locate X that provides real-time and historical location tracking. Government contracts have shown Babel Street selling location data to CBP, ICE, the IRS, and the Secret Service. The company obtains data from the same mobile advertising ecosystem that fed Kochava.
• Venntel — a subsidiary of Gravy Analytics that has sold mobile location data to the Department of Homeland Security and Immigration and Customs Enforcement. The FBI has also purchased commercial location data through similar channels.
• Gravy Analytics — the parent company of Venntel. The FTC took action against Gravy Analytics in December 2024 for selling sensitive location data, but the company's data assets continue to circulate through the market.
• X-Mode Social (now Outlogic) — the FTC ordered X-Mode to stop selling sensitive location data in January 2024. The company rebranded to Outlogic and continues to operate in the location data space.
• Near Intelligence — collected location data from approximately 1.6 billion devices monthly before filing for bankruptcy in late 2023. Its data assets and technology were acquired by other entities, meaning the data it collected did not disappear — it changed hands.
• Placer.ai, SafeGraph, Foursquare — companies that sell location analytics derived from mobile device data, marketed primarily to commercial real estate, retail, and financial services clients.

This is not an exhaustive list. The location data industry is fragmented and opaque. Many companies operate as middlemen, buying data from aggregators and reselling it to end customers, creating a supply chain where your location data may pass through three or four companies before reaching its final buyer. California's data broker registry — the same resource that informed the FTC's recent action against 13 brokers selling data to China — has identified 33 brokers that sell data to foreign adversaries, including 5 that sell precise geolocation data.

Why "Anonymous" Location Data Is Never Anonymous

The location data industry has long defended itself by claiming it sells "anonymized" or "de-identified" data. The claim does not hold up to scrutiny.

A landmark 2013 study by MIT researchers analyzed 15 months of mobile location data for 1.5 million people and found that just four spatiotemporal data points — four places you visited at approximate times — were enough to uniquely identify 95% of individuals in the dataset. Your home location (where your phone rests every night) and your work location (where it sits every weekday) are typically enough on their own.

Location data brokers sell data tied to advertising IDs, not names. But other data brokers — the people-search sites, the consumer data aggregators — maintain databases that link advertising IDs to real identities. The gap between "anonymous" advertising ID and "John Smith at 123 Main Street" can be closed with a single database lookup. The FTC recognized this reality in the Kochava case, noting that the company's data products enabled the identification of specific individuals at specific sensitive locations.

This has real consequences. Journalists have used commercially purchased location data to identify and track specific individuals. A Catholic news outlet purchased location data from a broker and used it to identify a priest who visited gay bars, leading to his resignation. Law enforcement agencies have purchased location data to track suspects without obtaining warrants. In every case, the "anonymization" provided by advertising IDs was no barrier at all.

What You Can Do Right Now

The FTC's enforcement actions are necessary but insufficient. Waiting for regulators to shut down location data brokers one at a time is not a strategy. Protecting your location data requires direct action at the device level and proactive removal of data that brokers have already collected.

1. Audit your phone's location permissions. Open your phone's privacy settings and review every app with location access. Revoke access for anything that does not genuinely require your GPS coordinates to function. For apps that do need location — maps, ride-sharing — switch from "precise" to "approximate" location where possible.
2. Kill your advertising identifier. On iOS: Settings > Privacy & Security > Tracking > disable "Allow Apps to Request to Track." On Android: Settings > Privacy > Ads > Delete advertising ID. This severs the link that allows data brokers to tie your location data to your identity across apps.
3. Remove your data from broker databases. Even after you lock down your phone, data brokers already have years of your historical location data and personal information in their systems. A data removal service like GhostVault automates opt-out requests across 500+ data broker sites for $3.99/month, systematically removing your records from the databases that feed the location data pipeline.
4. Be skeptical of free apps. Free apps from unknown publishers are the primary entry point for location data SDKs. A flashlight app does not need your GPS coordinates. A free game does not need to know where you sleep. If an app is free and its purpose does not require your location, it is likely monetizing your data through SDK partnerships with companies like the ones described above.
5. Use a VPN and private DNS. While a VPN does not block GPS-level location collection by apps, it prevents your IP address from being used as an additional data point by web-based trackers and data brokers that harvest web browsing data.

The Bigger Picture

The Kochava settlement illustrates a fundamental problem with how the United States regulates data privacy: enforcement happens after the damage is done, one company at a time, with penalties that amount to "stop doing it" rather than meaningful deterrence.

Kochava operated for years, collecting and selling sensitive location data from hundreds of millions of Americans. The FTC filed its complaint in 2022. The case settled in 2026. During those four years, the data was collected, sold, resold, and used. No fine was imposed. The data that was already sold cannot be recalled.

Meanwhile, the structural conditions that enabled Kochava's business model have not changed. The mobile advertising ecosystem still relies on persistent device identifiers. Apps still embed location-harvesting SDKs. And no federal privacy law comprehensively restricts the collection and sale of sensitive personal data by commercial entities. PADFAA addresses sales to foreign adversaries. The FTC's case law addresses specific bad actors. But the underlying data collection apparatus remains fully operational.

Until that changes, protecting your location data is your responsibility. The regulatory system is not designed to prevent the collection — only to punish the worst abuses after the fact. Proactive steps — restricting permissions, disabling tracking identifiers, and removing your data from broker databases — remain the only reliable way to limit your exposure.

Frequently Asked Questions

What did the FTC do to Kochava?

On May 4, 2026, the FTC finalized a settlement with data broker Kochava that permanently bans the company from selling or licensing sensitive geolocation data. The FTC's complaint alleged that Kochava collected precise GPS-level location data from hundreds of millions of mobile devices and sold it in a way that allowed buyers to track individuals to addiction treatment centers, reproductive health clinics, domestic violence shelters, and places of worship. The settlement requires Kochava to delete previously collected sensitive data and implement safeguards, but imposes no monetary fine.

How did Kochava get people's location data?

Kochava obtained location data through the mobile advertising ecosystem. When you grant location permissions to phone apps — weather, navigation, games, flashlight utilities — many of those apps embed advertising SDKs from third-party data companies. These SDKs transmit your precise GPS coordinates along with your phone's advertising ID to data aggregators at regular intervals. Kochava aggregated these streams from hundreds of app developers into a single dataset that covered hundreds of millions of devices.

What location data brokers are still operating after the Kochava ban?

Dozens of location data brokers continue to operate. Babel Street sells location tracking tools to government agencies. Venntel, a Gravy Analytics subsidiary, has sold data to DHS and ICE. X-Mode Social (rebranded as Outlogic) continues in the location data space despite a 2024 FTC order. Near Intelligence's data assets were acquired by other companies after its bankruptcy. Placer.ai, SafeGraph, and Foursquare sell location analytics to commercial clients. California's data broker registry has identified 33 brokers selling data to foreign adversaries, including 5 that sell precise geolocation data.

Can location data reveal my identity even without my name?

Yes. Research from MIT demonstrated that just four location data points are enough to uniquely identify 95% of individuals in a dataset. Your home address and workplace — visible as the locations where your phone spends nights and weekdays — are typically sufficient to identify you. Location data brokers sell data tied to advertising IDs, which other data brokers can match to your real name, email, and physical address through commercially available cross-reference databases.

How can I stop my location data from being sold by data brokers?

Start by auditing and restricting location permissions for all apps on your phone. Disable your mobile advertising ID entirely to break cross-app tracking. Remove your existing data from broker databases using a data removal service — GhostVault automates removal across 500+ broker sites for $3.99/month. Avoid free apps from unknown publishers, as they are the most common carriers for location-harvesting SDKs. These steps cannot undo past data sales, but they significantly reduce what brokers can collect and sell going forward.