Data Broker Location Tracking: What Is Confirmed and What Is Overclaimed

Introduction

The claim that a sprawling industry of data brokers collects, aggregates, and sells detailed location and behavioral data on hundreds of millions of people — often without their meaningful knowledge or consent — is not a conspiracy theory. It is a confirmed, extensively documented, and legally contested fact. Federal Trade Commission enforcement actions, congressional testimony, investigative journalism by the New York Times, ProPublica, and the Markup, and academic research have collectively established that the data broker industry operates at enormous scale with limited regulatory oversight.

This article examines what is confirmed, what specific harms have been documented, and where the narrative of "total surveillance" overstates the evidence or fails to account for meaningful legal and technical developments that have changed the landscape.

What Is Confirmed

The industry is large and loosely regulated. The FTC's 2014 landmark report on data brokers identified nine major firms — including Acxiom, CoreLogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf, and Recorded Future — collecting data on virtually every American adult. The report documented that these firms maintained profiles with hundreds or thousands of data points per individual, including purchasing behavior, estimated income, health interests, relationship status, and — critically — precise location histories derived from mobile app data.

Location data is particularly sensitive. The New York Times Privacy Project's 2019 investigation, "One Nation, Tracked," used a dataset of location pings from 12 million Americans to demonstrate that precise location data can reveal home addresses, workplace locations, medical appointments, religious attendance, political activity, and relationships — without any microphone or audio collection. The investigation showed that supposedly anonymized location datasets could be re-identified to named individuals with relative ease.

The FTC has taken enforcement action. In December 2023 and January 2024, the FTC brought enforcement actions against data brokers X-Mode Social (operating as Outlogic) and InMarket Media, prohibiting them from selling precise location data that revealed visits to sensitive locations including medical facilities, religious sites, and political events. The Kochava FTC action (filed 2022, settled 2024) specifically addressed the sale of geolocation data revealing visits to reproductive health clinics. These are landmark cases: the FTC explicitly found that this data collection and sale was an unfair practice harming consumers.

Congressional investigations have confirmed broker practices. A 2024 Senate investigation by the Judiciary Subcommittee documented that data brokers sold location data on U.S. military personnel, intelligence community members, and other sensitive government employees — including data showing visits to overseas bases and sensitive government facilities. The investigation found that the data was available for purchase with minimal vetting of buyers.

The Markup's investigations documented specific harms. The Markup, a nonprofit investigative newsroom, published multiple investigations between 2020 and 2024 documenting that major retailers, insurance companies, and healthcare platforms shared user data with data brokers and advertising platforms including Meta Pixel and Google Analytics embedded on their websites — often in violation of their own privacy policies and, in healthcare contexts, potentially in violation of HIPAA.

Opt-out mechanisms are partially effective at best. EPIC (Electronic Privacy Information Center) and consumer privacy researchers have documented that industry opt-out mechanisms — including the Data & Marketing Association's opt-out portal — are fragmented, confusing, and cover only a subset of the industry. Opting out of one broker does not affect data held by hundreds of others. Data purchased before an opt-out remains in buyers' systems.

The Limits and Overclaims

The confirmed scale of data broker activity is substantial enough to warrant serious concern without requiring exaggeration. Some framings of the data broker surveillance narrative overstate specific claims:

Not all data brokers collect raw geolocation. The data broker industry is heterogeneous. Firms like Acxiom focus primarily on demographic and financial data aggregated from public records, retail transactions, and survey data — not precision GPS tracking. The most sensitive location data concerns derive primarily from mobile app-based data brokers and advertising technology firms, not the entire industry uniformly.

CCPA and other state laws have changed the landscape. California's Consumer Privacy Act (CCPA, effective 2020) and its amendment (CPRA, effective 2023) created meaningful rights to access, deletion, and opt-out of sale of personal information for California residents. The Virginia Consumer Data Protection Act, Colorado Privacy Act, and similar state laws have followed. These laws are imperfect and enforcement has been uneven, but they represent a real change from the pre-2020 regulatory vacuum. Describing the data broker ecosystem as entirely unregulated is no longer accurate.

IP-level and aggregated location tracking is less sensitive than GPS-precision data. Some data brokers work primarily with IP-address-derived location (which is typically accurate to city or neighborhood level, not home address) and aggregated mobility data rather than individual GPS pings. The distinction matters for harm assessment, though even coarser location data can enable meaningful inferences.

GDPR has substantially limited broker practices in Europe. The EU's General Data Protection Regulation (effective 2018) created significantly stronger requirements for consent, purpose limitation, and data minimization than U.S. law. European enforcement actions against data brokers and advertising technology firms have been substantial, including major fines against Meta, Google, and others. The U.S.-EU distinction is real and significant.

Verdict

Data broker location tracking is confirmed. The FTC has found it causes real harm and has taken enforcement action. Congressional investigations have documented national security implications. Investigative journalism has shown specific consumer harms. The legitimate concern — that a large, loosely regulated industry maintains extraordinarily detailed behavioral profiles on the majority of Americans and sells them with minimal vetting — is supported by the evidence. The more extreme claim that this constitutes total, inescapable surveillance with no meaningful remediation overstates the uniformity of the industry, understates the effect of recent regulatory developments, and conflates the most invasive practices of specific actors with the entire sector. The most important policy work — comprehensive federal privacy legislation, stronger FTC enforcement authority, and meaningful opt-out mechanisms — is ongoing and contested.