Understanding FTC Data Broker Enforcement Actions

The Federal Trade Commission has launched an unprecedented crackdown on data brokers, and the results are reshaping how the entire industry operates. In 2025 and 2026, the FTC has brought enforcement actions against multiple major data brokers for selling sensitive location data, tracking consumers without proper consent, and putting Americans' personal safety at risk. For the first time, the federal government is treating precise location data as inherently sensitive — and the consequences for data brokers that mishandle it are severe.

The Gravy Analytics and Venntel Case

The most significant FTC enforcement action in this space targeted Gravy Analytics and its subsidiary Venntel. These companies collected and sold billions of location data points harvested from smartphone apps. The data was precise enough to track individual consumers' visits to medical facilities, religious institutions, domestic violence shelters, and military installations.

The FTC determined that Gravy Analytics and Venntel collected this data without obtaining meaningful consent from consumers, and sold it in ways that could expose individuals' most sensitive life details — their health conditions, religious beliefs, and personal circumstances. The FTC's order banned the companies from selling or sharing sensitive location data and required them to delete previously collected data and establish a comprehensive privacy program.

This case was groundbreaking because the FTC explicitly stated that certain categories of location data are so sensitive that their collection and sale is inherently harmful, regardless of whether individual consumers can be "named" in the dataset.

X-Mode Social and Outlogic

In a closely related case, the FTC took action against X-Mode Social (now operating as Outlogic) for similar practices. X-Mode embedded software development kits (SDKs) into popular mobile apps, collecting precise location data from users who had no idea their movements were being tracked and sold. The FTC imposed a similar ban on the sale of sensitive location data and required the company to delete historical location datasets.

InMarket Settlement

The FTC also reached a settlement with InMarket, a location data company that tracked consumers' real-world movements to build marketing profiles. The FTC found that InMarket failed to obtain proper informed consent before collecting location data and used that data to categorize consumers based on sensitive characteristics, including their health-related behaviors. The settlement imposed restrictions on InMarket's data practices and required enhanced consumer disclosures.

The Foreign Adversaries Dimension

The FTC's enforcement push extends beyond domestic privacy concerns. Under the Protecting Americans' Data from Foreign Adversaries Act (PADFAA), which took effect in 2024, the FTC issued formal warnings to 13 data brokers about the risks of selling American consumers' data to entities connected to China, Russia, and other designated foreign adversaries.

The warnings put the industry on notice that selling Americans' personal data — including financial data, health data, biometric data, and precise geolocation — to foreign-controlled companies or governments is a federal violation. Companies found in violation face penalties of up to $53,088 per violation, and given the volume of data transactions these brokers process, the total exposure can be staggering.

This enforcement angle is particularly significant because it connects individual privacy to national security. Data brokers that sell precise location data to foreign entities are not just violating consumer trust — they are potentially enabling foreign surveillance of American military personnel, government employees, and intelligence officers.

State-Level Enforcement

Federal action has been complemented by aggressive state-level enforcement. One of the most notable cases involved Texas suing Allstate and its subsidiary Arity for secretly collecting driving data from millions of consumers through mobile apps. Arity embedded tracking code into popular apps — including life insurance and roadside assistance apps — and used the data to build driving behavior profiles that were sold to insurance companies to set premiums.

The Texas Attorney General alleged that consumers never consented to this surveillance and had no idea their driving habits were being monitored and monetized. This case illustrates how data collection has extended far beyond traditional people-search sites into everyday apps that consumers trust for entirely unrelated purposes.

Other states, including California, Vermont, and Oregon, have strengthened their data broker registration and enforcement regimes, creating additional layers of accountability for companies that trade in personal data.

What This Means for Consumers

The FTC's enforcement wave signals a real shift in how the federal government views data brokers. For consumers, this translates into several practical developments:

• More companies are being forced to delete data: FTC orders have required multiple data brokers to purge their databases of improperly collected information. This means some of your previously exposed data may have already been removed.
• Opt-out requests carry more weight: With the FTC watching, data brokers are more likely to honor opt-out requests promptly rather than risk an enforcement action.
• Sensitive data categories are better protected: The FTC's stance on location data, health data, and other sensitive categories means brokers face higher legal risk when dealing with your most personal information.
• Foreign data sales are being curtailed: PADFAA enforcement is reducing the flow of American consumer data to foreign governments and adversary-linked companies.

However, these protections have limits. The data broker industry remains vast, and no single enforcement action covers all of the companies that hold and sell your data. Federal privacy legislation that would provide comprehensive, baseline protections for all Americans has stalled in Congress. Until such a law exists, consumers must take proactive steps to protect their own data.

How to Protect Yourself

1. Opt out of data broker sites: Submit removal requests to major data brokers including Spokeo, WhitePages, BeenVerified, and others. This is time-consuming but effective.
2. Review app permissions: Check which apps on your phone have access to your location data and revoke permissions for any app that does not genuinely need it.
3. Disable advertising identifiers: Both iOS and Android allow you to limit ad tracking or reset your advertising ID, reducing the ability of data brokers to link your app activity across services.
4. Use a VPN: A virtual private network masks your IP address, making it harder for data brokers to correlate your online activity with your physical identity.
5. Monitor for your data: Regularly check people-search sites to see what information about you is publicly available, and submit removal requests when you find your data listed.

For most people, manually opting out of hundreds of data broker sites is not realistic. That is where PrivacyOn comes in. PrivacyOn continuously monitors over 100 data broker and people-search sites, submits removal requests on your behalf, and verifies that your data is actually taken down. In an era when the FTC is finally holding data brokers accountable, PrivacyOn ensures you are taking full advantage of your rights by keeping your personal information off the market.