Companies that you likely have never heard of are hawking access to the location history on your mobile phone. An estimated $12 billion market, the location data industry has many players: collectors, aggregators, marketplaces, and location intelligence firms, all of which boast about the scale and precision of the data that they’ve amassed.
Location firm Near describes itself as “The World’s Largest Dataset of People’s Behavior in the Real-World,” with data representing “1.6B people across 44 countries.” Mobilewalla boasts “40+ Countries, 1.9B+ Devices, 50B Mobile Signals Daily, 5+ Years of Data.” X-Mode’s website claims its data covers “25%+ of the Adult U.S. population monthly.”
See our data here.
In an effort to shed light on this little-monitored industry, The Markup has identified 47 companies that harvest, sell, or trade in mobile phone location data. While hardly comprehensive, the list begins to paint a picture of the interconnected players that do everything from providing code to app developers to monetize user data to offering analytics from “1.9 billion devices” and access to datasets on hundreds of millions of people. Six companies claimed more than a billion devices in their data, and at least four claimed their data was the “most accurate” in the industry.
The Location Data Industry: Collectors, Buyers, Sellers, and Aggregators
The Markup identified 47 players in the location data industry
1010Data
Company says it can “track the purchasing behaviors of millions of US consumers, in-store and online, with a robust history of consumer spending and shopper behavior data to gain an actionable, total-market view.”
Company response
Did not respond.
Acxiom
Company uses “a combination of location-based device data combined with Acxiom descriptive and predictive data to create audiences that show specific interests or in-market tendencies based on the consumers’ actual visits to stores and dealerships and making purchases at specific stores or with specific brands.”
- Registered California data broker
- Registered Vermont data broker
Company response
“Acxiom does not collect or license movement data in the U.S., and no location data is used at the personally identifiable level.” —Matt Ramsey, Acxiom spokesperson
AdSquare
Company says that they “overlay mobile SDK derived, background location data over specific Points of Interest (POI) locations” and “are able to calculate foot traffic and/or identify audience segments walking by or into the given locations at any given day and time.”
Company response
“Adsquare is not a location data broker. Adsquare does not resell data in a raw format to third parties. . . Adsquare doesn’t collect location data. Adsquare sources and aggregates location data from a variety of suppliers.”
—Christoph Herwig, Adsquare VP marketing
ADVAN
Company says they have “the largest and most accurate data in the market, from hundreds of millions of cellphones,” and “300 billion monthly data points since 2015” as well as “100+ observations per device per day.”
Company response
“What we provide is just aggregated metrics—what you would get if you would sit outside a Walmart with a people counter every day for the last five years, we will just give it to you.” —Yiannis Tsiounis, CEO Advan Research
Airsage
Company says their data “includes an average of 250+ million unique devices, perfect for sample selection,” with a GPS data panel that “goes back to January 2017 for historical trend analysis.”
Company response
Did not respond.
Amass Insights
Company says: “In this new era of alternative data, acquiring the right data requires countless hours and resources dedicated to sourcing, vetting, cleaning, analysis, & implementation, as well as endless back-and-forth vendor communication.”
Company response
“We are not a location data broker per se and are most similar to Datarade actually.” —Jordan Hauer, CEO Amass Insights
Alqami
Company says it specializes in “sourcing large, esoteric, data sets and finding investment managers and corporates who would find value in having this information edge. Sectors that we currently cover, include ... Geolocation....”
Company response
Did not respond.
Amazon AWS Data Exchange
Company says its data providers include “Foursquare, whose location data is derived from 220 million unique consumers and includes more than 60 million global commercial venues.”
Company response
“Only qualified data providers will have access to the AWS Data Exchange. Potential data providers are put through a rigorous application process.” —Claude Shy, Amazon spokesperson
Anomaly 6
The Wall Street Journal reported that Anomaly Six collects location data from hundreds of millions of mobile phones via more than 500 mobile apps and provides global location data to U.S. government agencies.
Company response
Did not respond. In August 2020, a spokesperson for Anomaly Six told the WSJ: “Anomaly Six is a veteran-owned small business that processes and visualizes location data sourced from mobile devices for analytics and insights.” Source: https://www.wsj.com/articles/u-s-government-contractor-embedded-software-in-apps-to-track-phones-11596808801
Babel Street
Protocol reported that Babel Street licenses an unadvertised product called Locate X to U.S. Customs and Border Protection.
Company response
Did not respond. In March 2020, Babel Street spokesperson Lacy Talton told Protocol, “Although data content is freely available without restriction from thousands of vendors and suppliers, Babel Street employs a variety of measures to ensure appropriate use of the data.” Source: https://www.protocol.com/fintech/binance-regulation-crypto
Blis
Company says: “Using our 370m opted-in global planning and measurement panel and taking an aggregated and anonymous approach to audience targeting, Blis reaches precise audiences at scale without reliance on personal data.”
Company response
Did not respond.
Complementics
Company says customers “have access to the data that we collect and update minute-by-minute. With more than 1 billion devices globally, we're a leader in the mobile data offering space.”
Company response
Did not respond.
Cuebiq
Company says it has “the privacy-safe location data you need, plus the tools and expertise to quickly build custom solutions.” Advertises that its data can be used for “measuring the impact of your advertising dollars, planning where to open the next store or predicting market trends.”
Company response
“We do not publicly release a list of our partner apps for competitive reasons. The end users of any app working with Cuebiq though will know that Cuebiq is a partner of the app and will receive the consent window above, that is what matters.” —Bill Daddi, spokesperson for Cuebiq
Datarade
Company offers to visitors the ability to “choose the right location data with confidence. Skip months of research. Find, compare, and choose the right data for your business.... Find the best offer from 2,000+ data providers worldwide.”
Company response
Did not respond.
Foursquare
Company says: “Reach customers based on real-world movement. Take your marketing investment further by using location data to better understand your customers and target them on their journey towards your brand.”
- Registered California data broker
- Registered Vermont data broker
Company response
“Foursquare receives location data from a few types of sources: owned and operated applications, apps that use our location tools (when the app developer permits us to use such data), and carefully vetted suppliers.” —Ashley Dawkins, Foursquare VP of communications
Gimbal
Company says: “Leverage our always-on location data to accurately identify fans who have been directly exposed to your in-stadium signage.”
Company response
Did not respond.
Gravy Analytics
Company says its location data platform “aggregates raw location signals in the cloud from many different data providers and tens of thousands of apps.”
- Registered California data broker
- Registered Vermont data broker
Company response
Did not respond.
GroundTruth
Company says it has “the highest quality data and it's verified through an independent accuracy audit.” Marketing highlights: “120 Million Unique Monthly Users / 100 Million places and points of interest / 30 Billion visits annually.”
- Registered California data broker
Company response
Did not respond.
Huq Industries
Company says its data “is sourced exclusively using our own specialised software from carefully selected mobile app partners. This first-party relationship allows us to guarantee control over data quality and the collection of end-user consent.”
Company response
Did not respond.
InMarket / NinthDecimal
Company says “being best-in-class means providing our customers with access to the most accurate and precise, permission-based, SDK-derived location data available today.”
- Registered California data broker
Company response
Did not respond.
Irys
Company says they “collect and curate high quality geolocation signals from millions of connected devices worldwide.”
- Registered California data broker
Company response
Did not respond.
Kochava Collective
Company offers “rich categorical data from the Kochava Collective with all-in-one or a la carte data feeds” including “Precision Location.”
- Registered California data broker
- Registered Vermont data broker
Company response
Did not respond.
Lifesight
Company says: “Savvy Location Intelligence platforms such as Lifesight have adopted SDK methodology because of its comprehensive data points. Harnessing the power of AI, this process is further refined in order to retrieve accurate signals.”
Company response
Did not respond.
Mobilewalla
Company says its data covers “40+ Countries / 1.9B+ Devices / 50B Mobile Signals Daily / 5+ Years of Data”
- Registered California data broker
Company response
“Mobilewalla acquires data from various third parties in the digital ecosystem including publishers, demand side platforms (DSP), data management platforms (DMP) and data aggregators. We do not provide data in real-time. We do not have, nor do we provide, data that can be tied directly to an individual.” —Laurie Hood, Mobilewalla CMO
Narrative
Company says: “Ready to buy location data? Narrative's data streaming platform makes it quick and easy to discover and buy raw location data. Schedule a call with a member of our sales team to get started today.”
Company response
“You know, from afar, we may look like a broker, but we're really just giving them the technology that lets them buy and sell the data. We take software and license it to the buyers and sellers of the data. So the buyers and sellers can work directly with each other as opposed to working through Narrative.” —Nick Jordan, Narrative CEO
Near
Company describes itself as “The World's Largest Dataset of People's Behavior in the Real-World,” covering “1.6B people across 44 countries.... 5 billion events processed per day.”
Company response
Did not respond.
Onemata
Company claims to have “The most robust mobile location data set in the industry. We've built the most robust dataset of compliance-first mobile location data so you can focus on building game-changing products and solutions.”
Company response
Did not respond.
Oracle
Company claims to “curate the best signals from within Oracle's own datasets and those sourced from third-party providers to deliver increased quality and scale, diverse signals, and simplified buying and cost structures,” with data from companies including PlaceIQ and Gravy Analytics.
- Registered California data broker
- Registered Vermont data broker
Company response
Company declined to comment.
Phunware
Company claims its data covers “1 B monthly active unique mobile devices with 200 B+ events across 190+ countries.” It was also cited in a Wall Street Journal article as providing location data for political ads.
Company response
Did not respond.
PlaceIQ
Company offers access to “PlaceIQ’s location-based audiences to discover new and innovative ways to reach consumers based on real-world behaviors.” Includes audience examples “Loyal Customers: Reach audiences who visit your location on a regular basis” and “Competitor Customers: Reach audiences who regularly visit your competitor’s locations.”
- Registered California data broker
Company response
Did not respond.
Placer.ai
Company says they have built “the World’s Most Accurate Location Tracking SDK,” which it claims is “deployed into millions of devices.” Numbers include: “1.5B+ Monthly Visitors / 20M+ Active Devices / 13M+ Venues / 1K+ User Segments / 500+ Mobile Apps”
Company response
“We are not actually providing or selling the acquired data to anyone. We use the data as a panel to run AI and Machine Learning algorithms to make estimations on foot traffic patterns to Commercial Real Estate locations across the US. The information we provide our customers and users is based on these estimations, and not the data we aggregate.” —Ethan Chernofsky, Placer.ai VP marketing
Predicio
Company recently said it provides “ultra precise mobile location data to measure offline results of products, services, or media campaigns.”
Company response
Did not respond.
Predik Data-Driven
Company says it analyzes “traffic foot data and pedestrian flow through geo-referenced data, derived from the consumption of mobile apps.”
Company response
Did not respond.
Quadrant
Company offers “location data from 350M+ devices seen per month in nearly every country. Analyse faster, discover hidden patterns and gain deeper insights with Quadrant’s Algorithms.”
Company response
Did not respond.
QueXopa
Company offers a “unique set of aggregated Global mobile location data. With millions of high frequency DAU’s - clients have the rare accessibility to track mobile activity across a wide spectrum of use cases. Gain vital intelligence about your audience. Directly geo-target devices and view tracking on up to 2 years of historic activity.”
Company response
Did not respond.
Reveal Mobile
Company says: “We process privacy compliant location data for approximately 50 million opted-in mobile users every day across North America. Across those devices, we see about 20 billion location events every day.”
- Registered Vermont data broker
Company response
“Reveal Mobile does not collect, manage, market, or sell personally identifiable information (PII). We do not pair our data with any other data sets. Reveal Mobile's data supply comes from people who have opted in to location services in the mobile apps they use.” —Dan Dillon, Reveal Mobile CMO
SafeGraph
Company says it partners with “mobile applications that obtain opt-in consent from its users to collect anonymous location data. This data is not associated with any name or email address. This data includes the latitude and longitude of a device at a given point in time. We take this latitude/longitude information and determine visits to points of interest.”
- Registered California data broker
Company response
Company declined to comment.
Snowflake
Company offers “a wide range of open and commercial data sets across 16 categories including public health, weather, location, demographics, SaaS providers and more.”
Company response
Did not respond.
start.io
Company says “we don’t just find your customers in the mobile world. We know where they are in the real world in real-time. Via location-based targeting, you can use Start.io data to interact with customers when they are in physical proximity to your stores.”
Company response
Did not respond.
Stirista
Company says: “We can track where individuals go and contextually target them based on their movement” and offers “Comprehensive identities across physical and digital space.... Reach audiences with ads across every channel as they move across devices and locations throughout the day.”
- Registered California data broker
Company response
Did not respond.
Tamoco
Company claims to have “The industry’s most accurate and trustworthy location data. We pride ourself on our accuracy and transparency. No more false data, 100% consented and privacy compliant.”
Company response
Did not respond.
THASOS
Company describes itself as “an artificial intelligence engine for extracting actionable information from the real-time locations of mobile phones everywhere, based on the largest repository of high-quality location data after Google and Apple.”
Company response
Did not respond.
Unacast
Company claims “The industry’s most trustworthy location data.... 100+ countries / 10 million active users / 15 billion data points a day.”
- Registered California data broker
Company response
Did not respond.
Venntel
Company recently said as a “pioneer in mobile location information, Venntel supports our national interests through technological innovation, data reliability, and proven results.”
- Registered California data broker
- Registered Vermont data broker
Company response
Did not respond.
Venpath
Company claims “Our data is sourced from a large and unique set of sources, giving us a remarkably un-biased set of data. 212 Active Apps / 61m Unique Devices Seen Monthly.”
- Registered California data broker
Company response
Did not respond.
Veraset
Company claims “Our core population human movement dataset delivers the most granular and frequent GPS signals available in a third-party dataset. Unlike other data providers who rely on one SDK, we source from thousands of apps and SDKs to avoid a biased sample.”
Company response
Did not respond.
X-Mode (Outlogic)
Motherboard reported that X-Mode, which is now Outlogic, has been identified as a location data provider that sold data to the U.S. military.
- Registered California data broker
Company response
Did not respond.
1010Data
Acxiom
AdSquare
ADVAN
Airsage
Amass Insights
Alqami
Amazon AWS Data Exchange
Anomaly 6
Babel Street
Blis
Complementics
Cuebiq
Datarade
Foursquare
Gimbal
Gravy Analytics
GroundTruth
Huq Industries
InMarket / NinthDecimal
Irys
Kochava Collective
Lifesight
Mobilewalla
“40+ Countries, 1.9B+ Devices, 50B Mobile Signals Daily, 5+ Years of Data”
Narrative
Near
“The World’s Largest Dataset of People’s Behavior in the Real-World”
Onemata
Oracle
Phunware
PlaceIQ
Placer.ai
Predicio
Predik Data-Driven
Quadrant
QueXopa
Reveal Mobile
SafeGraph
Snowflake
start.io
Stirista
Tamoco
THASOS
Unacast
Venntel
Venpath
Veraset
X-Mode (Outlogic)
“There isn’t a lot of transparency and there is a really, really complex shadowy web of interactions between these companies that’s hard to untangle,” Justin Sherman, a cyber policy fellow at the Duke Tech Policy Lab, said. “They operate on the fact that the general public and people in Washington and other regulatory centers aren’t paying attention to what they’re doing.”
Occasionally, stories illuminate just how invasive this industry can be. In 2020, Motherboard reported that X-Mode, a company that collects location data through apps, was collecting data from Muslim prayer apps and selling it to military contractors. The Wall Street Journal also reported in 2020 that Venntel, a location data provider, was selling location data to federal agencies for immigration enforcement.
A Catholic news outlet also used location data from a data vendor to out a priest who had frequented gay bars, though it’s still unknown what company sold that information.
Many firms promise that privacy is at the center of their businesses and that they’re careful to never sell information that can be traced back to a person. But researchers studying anonymized location data have shown just how misleading that claim can be.
The truth is, it’s hard to know all the ways in which your movements are being tracked and traded. Companies often reveal little about what apps serve as the sources of data they collect, what exactly that data consists of, and how far it travels. To piece together a picture of the ecosystem, The Markup reviewed the websites and marketing language of each of the 47 companies we identified as operating in the location data industry, as well as any information they revealed about how the data got to them. (See our methodology here.)
How the Data Leaves Your Phone
Most times, the location data pipeline starts off in your hands, when an app sends a notification asking for permission to access your location data.
Apps have all kinds of reasons for using your location. Map apps need to know where you are in order to give you directions to where you’re going. A weather, waves, or wind app checks your location to give you relevant meteorological information. A video streaming app checks where you are to ensure you’re in a country where it’s licensed to stream certain shows.
But unbeknownst to most users, some of those apps sell or share location data about their users with companies that analyze the data and sell their insights, like Advan Research. Other companies, like Adsquare, buy or obtain location data from apps for the purpose of aggregating it with other data sources. Companies like real estate firms, hedge funds and retail businesses might then turn and use the data for their own advertising, analytics, investment strategy, or marketing purposes.
Serge Egelman, a researcher at UC Berkeley’s International Computer Science Institute and CTO of AppCensus, who has researched sensitive data permissions on mobile apps, said it’s hard to tell which apps on your phone simply use the data for their own functional purposes and which ones release your data into the economic ether.
“When the app asks for location, in the moment, because maybe you click the button to find stuff near you and you get a permission dialog, you might reasonably infer that ‘Oh, that’s to service that request to provide that functionality,’ but there’s no guarantee of that,” Egelman said. “And there’s certainly usually never a disclosure that says that the data is going to be limited to that purpose.”
Companies that trade in this data are reluctant to share which apps they get data from.
The Markup asked spokespeople from all the companies on our list where they get the location data they obtain.
Companies like Adsquare and Cuebiq told The Markup that they don’t publicly disclose what apps they get location data from to keep a competitive advantage but maintained that their process of obtaining location data was transparent and with clear consent from app users.
“It is all extremely transparent,” said Bill Daddi, a spokesperson for Cuebiq.
He added that consumers must know what the apps are doing with their data because so few consent to share it. “The opt-in rates clearly confirm that the users are fully aware of what is happening because the opt-in rates can be as low as less than 20%, depending on the app,” Daddi said in an email.
Yiannis Tsiounis, the CEO of the location analytics firm Advan Research, said his company buys from location data aggregators, who collect the data from thousands of apps—but would not say which ones. Tsiounis said the apps he works with do explicitly say that they share location data with third parties somewhere in the privacy policies, though he acknowledged that most people don’t read privacy policies.
“There’s only so much you can squeeze into the notification message. You get one line, right? So you can’t say all of that in the notification message,” Tsiounis said. “You only get to explain to the user, ‘I need your location data for X, Y, and Z.’ What you have to do is, there has to be a link to the privacy policy.”
Only one company spokesperson, Foursquare’s Ashley Dawkins, actually named any specific apps—Foursquare’s own products, like Swarm, CityGuide, and Rewards—as sources for its location data trove.
But Foursquare also produces a free software development kit (SDK)—a set of prebuilt tools developers can use in their own apps—that can potentially track location through any app that uses it. Foursquare’s Pilgrim SDK is used in apps like GasBuddy, a service that compares prices at nearby gas stations, Flipp, a shopping app for coupons, and Checkout 51, another location-based discount app.
GasBuddy, Flipp, and Checkout 51 didn’t respond to requests for comment.
When the app asks for location … you might reasonably infer that ‘Oh, that’s to service that request to provide that functionality,’ but there’s no guarantee of that.
Serge Egelman, AppCensus
A search on Mighty Signal, a site that analyzes and tracks SDKs in apps, found Foursquare’s Pilgrim SDK in 26 Android apps.
While not every app with Foursquare’s SDK sends location data back to the company, the privacy policies for Flipp, Checkout 51, and GasBuddy all disclose that they share location data with the company.
Foursquare’s method of obtaining location data through an embedded SDK is a common practice. Of the 47 companies that The Markup identified, 12 of them advertised SDKs to app developers that could send them location data in exchange for money or services.
Placer.ai says in its marketing that it does foot traffic analysis and that its SDK is installed in more than 500 apps and has insights on more than 20 million devices.
“We partner with mobile apps providing location services and receive anonymized aggregated data. Very critically, all data is anonymized and stripped of personal identifiers before it reaches us,” Ethan Chernofsky, Placer.ai’s vice president of marketing, said in an email.
Into the Location Data Marketplace
Once a person’s location data has been collected from an app and it has entered the location data marketplace, it can be sold over and over again, from the data providers to an aggregator that resells data from multiple sources. It could end up in the hands of a “location intelligence” firm that uses the raw data to analyze foot traffic for retail shopping areas and the demographics associated with its visitors. Or with a hedge fund that wants insights on how many people are going to a certain store.
“There are the data aggregators that collect the data from multiple applications and sell in bulk. And then there are analytics companies which buy data either from aggregators or from applications and perform the analytics,” said Tsiounis of Advan Research. “And everybody sells to everybody else.”
Some data marketplaces are part of well-known companies, like Amazon’s AWS Data Exchange, or Oracle’s Data Marketplace, which sell all types of data, not just location data. Oracle boasts its listing as the “world’s largest third-party data marketplace” for targeted advertising, while Amazon claims to “make it easy to find, subscribe to, and use third-party data in the cloud.” Both marketplaces feature listings for several of the location data companies that we examined.
Amazon spokesperson Claude Shy said that data providers have to explain how they gain consent for data and how they monitor people using the data they purchase.
“Only qualified data providers will have access to the AWS Data Exchange. Potential data providers are put through a rigorous application process,” Shy said.
Oracle declined to comment.
Other companies, like Narrative, say they are simply connecting data buyers and sellers by providing a platform. Narrative’s website, for instance, lists location data providers like SafeGraph and Complementics among its 17 providers with more than two billion mobile advertising IDs to buy from.
But Narrative CEO Nick Jordan said the company doesn’t even look at the data itself.
“There’s a number of companies that are using our platform to acquire and/or monetize geolocation data, but we actually don’t have any rights to the data,” he said. “We’re not buying it, we’re not selling it.”
To give a sense of how massive the industry is, Amass Insights has 320 location data providers listed on its directory, Jordan Hauer, the company’s CEO, said. While the company doesn’t directly collect or sell any of the data, hedge funds will pay it to guide them through the myriad of location data companies, he said.
“The most inefficient part of the whole process is actually not delivering the data,” Hauer said. “It’s actually finding what you’re looking for and making sure that it’s compliant, making sure that it has value and that it is exactly what the provider says it is.”
Oh, the Places Your Data Will Go
There are a whole slew of potential buyers for location data: investors looking for intel on market trends or what their competitors are up to, political campaigns, stores keeping tabs on customers, and law enforcement agencies, among others.
Data from location intelligence firm Thasos Group has been used to measure the number of workers pulling extra shifts at Tesla plants. Political campaigns on both sides of the aisle have also used location data from people who were at rallies for targeted advertising.
Fast food restaurants and other businesses have been known to buy location data for advertising purposes down to a person’s steps. For example, in 2018, Burger King ran a promotion in which, if a customer’s phone was within 600 feet of a McDonalds, the Burger King app would let the user buy a Whopper for one cent.
The Wall Street Journal and Motherboard have also written extensively about how federal agencies including the Internal Revenue Service, Customs and Border Protection, and the U.S. military bought location data from companies tracking phones.
Of the location data firms The Markup examined, the offerings are diverse.
$240,000
Per year cost of a license for one location dataset from Outlogic
Advan Research, for instance, uses historical location data to tell its customers, largely retail businesses or their private equity firm owners, where their visitors came from, and makes guesses about their income, race, and interests based on where they’ve been.
“For example, we know that the average income in this neighborhood by census data is $50,000. But then there are two devices—one went to Dollar General, McDonald’s, and Walmart, and the other went to a BMW dealer and Tiffany’s … so they probably make more money,” Advan Research’s Tsiounis said.
Others combine the location data they obtain with other pieces of data gathered from your online activities. Complementics, which boasts data on “more than a billion mobile device IDs,” offers location data in tandem with cross-device data for mobile ad targeting.
The prices can be steep.
Outlogic (formerly known as X-Mode) offers a license for a location dataset titled “Cyber Security Location data” on Datarade for $240,000 per year. The listing says “Outlogic’s accurate and granular location data is collected directly from a mobile device’s GPS.”
At the moment, there are few if any rules limiting who can buy your data.
Sherman, of the Duke Tech Policy Lab, published a report in August finding that data brokers were advertising location information on people based on their political beliefs, as well as data on U.S. government employees and military personnel.
“There is virtually nothing in U.S. law preventing an American company from selling data on two million service members, let’s say, to some Russian company that’s just a front for the Russian government,” Sherman said.
Existing privacy laws in the U.S., like California’s Consumer Privacy Act, do not limit who can purchase data, though California residents can request that their data not be “sold”—which can be a tricky definition. Instead, the law focuses on allowing people to opt out of sharing their location in the first place.
We know in practice that consumers don’t take action. It’s incredibly taxing to opt out of hundreds of data brokers you’ve never even heard of.
Ashkan Soltani, privacy expert
The European Union’s General Data Protection Regulation has stricter requirements for notifying users when their data is being processed or transferred.
But Ashkan Soltani, a privacy expert and former chief technologist for the Federal Trade Commission, said it’s unrealistic to expect customers to hunt down companies and insist they delete their personal data.
“We know in practice that consumers don’t take action,” he said. “It’s incredibly taxing to opt out of hundreds of data brokers you’ve never even heard of.”
Companies like Apple and Google, who control access to the app stores, are in the best position to control the location data market, AppCensus’s Egelman said.
“The real danger is the app gets booted from the Google Play store or the iOS app store,” he said.” As a result, your company loses money.”
Google and Apple both recently banned app developers from using location reporting SDKs from several data companies.
Researchers found, however, that the companies’ SDKs were still making their way into Google’s app store.
Apple didn’t respond to a request for comment.
“The Google Play team is always working to strengthen privacy protections through both product and policy improvements. When we find apps or SDK providers that violate our policies, we take action,” Google spokesperson Scott Westover said in an email.
Digital privacy has been a key policy issue for U.S. senator Ron Wyden, a Democrat from Oregon, who told The Markup that the big app stores needed to do more.
“This is the right move by Google, but they and Apple need to do more than play whack-a-mole with apps that sell Americans’ location information. These companies need a real plan to protect users’ privacy and safety from these malicious apps,” Wyden said in an email.
Update
The interactive graphic for this story has been updated to add additional comments from a few companies.
