TL;DR: The FTC has gone after six location data brokers in the past 18 months (X-Mode, InMarket, Gravy Analytics, Venntel, Mobilewalla, and now Kochava), banning them from selling data that tracked people to abortion clinics, addiction recovery centers, domestic violence shelters, and places of worship. Kochava's settlement, finalized on May 4, 2026, caps a lawsuit that took nearly four years to resolve. Meanwhile, Cox Media Group just paid $930,000 for lying about an AI service that could supposedly listen through your phone. The fines are small. The bans are real. But the data broker industry pulls in billions, and the FTC can only chase one company at a time.
Kochava: Four Years to Stop a Company That Tracked Abortion Clinic Visits
In August 2022, the FTC sued Kochava, an Idaho-based data broker, for selling geolocation data from hundreds of millions of mobile devices. The data showed where people went, down to the building. Reproductive health clinics. Addiction recovery facilities. Homeless shelters. Places of worship [1].
The FTC's complaint laid it out plainly: "It is possible to identify a mobile device that visited a women's reproductive health clinic and trace that mobile device to a single family residence." Anyone who bought Kochava's data could connect a clinic visit to a home address. Two months after the Supreme Court overturned Roe v. Wade [2].
Until at least June 2022, Kochava let anyone download a "data sample" containing timestamped locations from more than 61 million unique devices collected in a single week. No vetting. No restrictions. Just raw location data from hundreds of millions of phones, available to whoever wanted it [2].
Kochava countersued the FTC. It took until May 4, 2026 (nearly four years) for the settlement to land. The terms: Kochava and its subsidiary Collective Data Solutions are banned from selling sensitive location data without "affirmative express consent." They have to build a program to classify sensitive locations, vet their data suppliers for proper consent, file incident reports with the FTC when suppliers violate the rules, and let consumers request the names of every business their location data was sold to [3].
Four years. Hundreds of millions of devices tracked. And the settlement doesn't include a single dollar in fines.
Six Companies, 18 Months, One Pattern
Kochava isn't an isolated case. It's the latest in a series of FTC enforcement actions that started accelerating in January 2024. Here's the full timeline:
January 2024: X-Mode Social / Outlogic. The FTC's first-ever ban on selling sensitive location data. X-Mode collected location data through SDKs embedded in apps and sold it without removing sensitive locations until May 2023. The FTC prohibited them from selling or sharing any location data tied to health facilities, places of worship, or shelters [4].
January 2024: InMarket Media. Nine days after X-Mode, the FTC hit InMarket with the same treatment. InMarket used precise location data to build consumer profiles and target ads based on where people physically went, including sensitive sites. Banned from selling precise consumer location data entirely [5].
December 2024: Gravy Analytics / Venntel. Gravy Analytics and its subsidiary Venntel used geofencing to build lists of people who visited healthcare facilities and places of worship, then sold those lists. Venntel had a separate business selling location data to government agencies. The FTC ordered both companies to delete all historic location data and notify customers from the past three years that the data should be deleted [6].
December 2024: Mobilewalla. This one was particularly ugly. Between 2018 and 2020, Mobilewalla collected more than 500 million unique consumer advertising identifiers paired with precise locations. They harvested data from real-time advertising auctions: even when they didn't win the bid, they kept the location data from the bid request. They built audience segments targeting pregnant women based on visits to pregnancy centers. They shared location data from Grindr and Jack'd with government clients [7].
May 2026: Kochava. The settlement described above. Banned from selling sensitive location data without explicit consent [3].
Five enforcement actions in 18 months, all targeting the same business model: collect location data from phones, sell it to whoever pays, don't ask questions about what happens next.
Cox Media Group: The AI That Wasn't Listening
On May 21, 2026, the FTC announced a $930,000 settlement with CMG Media Corporation (doing business as Cox Media Group), MindSift LLC, and 1010 Digital Works LLC. The charge: they sold small businesses an "Active Listening" service that claimed to use AI to eavesdrop on conversations through smart devices and target ads based on what people said [8].
The service didn't listen to anything. It didn't use voice data at all. The companies were reselling email lists from other data brokers at a markup and calling it AI-powered surveillance. Small businesses paid for a product that didn't exist [8].
CMG paid $880,000. MindSift and 1010 Digital Works each paid $25,000. The money goes to refunds for the businesses that got scammed [8].
It's a different kind of violation than the location data cases. This was fraud, not privacy abuse. But it sits in the same FTC enforcement wave, and it shows how surveillance-as-a-service has become such a normalized business pitch that companies will fake it if they can't build it.
The Scale Problem
The FTC has been busy. Six companies in 18 months. But the data broker industry includes thousands of companies. The Data & Marketing Association estimated there were over 4,000 data broker companies operating in the United States as of 2024 [9]. Vermont's data broker registry (the only state that requires registration) lists over 500 [10].
The FTC doesn't have the budget or staff to go after all of them. Each case takes years. The Kochava lawsuit ran from August 2022 to May 2026. During that time, Kochava kept operating. The data kept flowing. Hundreds of millions of devices kept getting tracked.
And the penalties? Kochava paid no fine. The Cox Media Group settlement was $930,000, pocket change for a company owned by Apollo Global Management. Even the strongest orders only ban future sales. They don't claw back data that's already been sold, analyzed, and acted on.
Mobilewalla tracked pregnant women visiting clinics and sold that data to government agencies. The consequence: a ban on future sales and a requirement to delete old data. Nobody went to jail. No executive was named personally. The company still exists.
What Actually Changed
Despite the limited penalties, these enforcement actions did establish something new. Before January 2024, no federal agency had ever banned a company from selling location data. Now the FTC has done it six times.
The Mobilewalla case set a first: the FTC ruled that harvesting location data from advertising auction bid requests (even losing bids) is an unfair practice. That threatens the entire real-time bidding ecosystem, which processes billions of bid requests per day, each containing a user's precise location [7].
The Kochava settlement established "affirmative express consent" as the standard for selling location data. Not buried-in-a-terms-of-service consent. Not implied-by-using-the-app consent. Actual, explicit, you-said-yes consent [3].
And the Gravy Analytics order went furthest: delete everything. All historic location data. All products derived from it. Tell your customers to delete their copies too [6].
These are real structural changes to how data brokers can operate. The question is whether six cases out of four thousand companies is enforcement or theater.
What You Can Do
The FTC can't protect you from every data broker. Here's what actually works:
- Kill location permissions. Go through every app on your phone. If it doesn't need your location to function (and most don't), set it to "Never." Not "While Using." Never.
- Disable your advertising ID. On iPhone: Settings → Privacy & Security → Tracking → toggle off "Allow Apps to Request to Track." On Android: Settings → Privacy → Ads → Delete advertising ID.
- Use California's Delete Act. If you're in California, the Delete Act lets you submit a single request to have your data deleted from every registered data broker. Over 215,000 people have signed up as of May 2026 [11].
- Opt out of real-time bidding. Use a browser with ad-blocking built in (Firefox, Brave) and install uBlock Origin. Every ad auction leaks your location to dozens of companies bidding on your eyeballs.
- Check Vermont's registry. Vermont requires data brokers to register publicly. Search the registry at sos.vermont.gov to see which brokers might have your data, then submit opt-out requests directly.
What Comes Next
The FTC's enforcement wave has established that selling sensitive location data without real consent is illegal. But the agency is doing this without a federal privacy law behind it, relying on its general authority to police "unfair or deceptive" practices under Section 5 of the FTC Act.
That authority could evaporate. Industry groups have challenged the FTC's jurisdiction over data brokers in court. Kochava itself countersued the FTC before eventually settling. A single unfavorable ruling could undermine the entire enforcement strategy.
Meanwhile, Congress has failed to pass comprehensive federal privacy legislation for over two decades. The SECURE Data Act, the latest attempt, has been criticized by the EFF as "not a serious piece of privacy legislation" because it would preempt stronger state laws [12].
So the FTC keeps swinging, one company at a time, with settlements that take years and penalties that amount to rounding errors. The data broker industry watches, adjusts its consent flows, renames its products, and keeps selling your location to the highest bidder.
Six down. A few thousand to go.
References
- FTC: "FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of Worship, and Other Sensitive Locations" (August 2022)
- CNN: "FTC sues data broker Kochava for selling location information that could unmask abortion-seekers" (August 2022)
- FTC: "FTC to Ban Kochava and Subsidiary from Selling Sensitive Location Data" (May 2026)
- FTC: "FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data" (January 2024)
- FTC: "FTC Order Will Ban InMarket from Selling Precise Consumer Location Data" (January 2024)
- FTC: "FTC Finalizes Order Prohibiting Gravy Analytics, Venntel from Selling Sensitive Location Data" (January 2025)
- FTC: "FTC Takes Action Against Mobilewalla for Collecting and Selling Sensitive Location Data" (December 2024)
- FTC: "FTC to Require Cox Media Group, Two Other Firms to Pay Nearly $1 Million" (May 2026)
- WilmerHale: "FTC Continues to Bring Enforcement Actions Against Data Brokers" (December 2024)
- Vermont Secretary of State: Data Broker Registry
- Privacy Guides: "FTC to Ban Data Broker From Selling Location Data" (May 2026)
- EFF: "The SECURE Data Act Is Not a Serious Piece of Privacy Legislation" (May 2026)