Mobile Apps and Precise Geolocation Data: Why Consent Won’t Save You

Last updated: June 27, 2026

Precise geolocation data is location information that pinpoints a person within a radius of about 1,750 feet, and if your mobile app collects it, you are sitting on one of the most heavily regulated categories of personal data in the United States. Here is the part that surprises people: getting the user to tap “I agree” no longer makes it safe to sell. In a growing number of states you cannot sell it at all, and the FTC has spent the last two years banning data brokers from doing exactly that.

I’m Jeremy Aber, a software and SaaS attorney, and I represent software vendors (you can read more about me here). A SaaS product running in a browser almost never pulls your literal location. A mobile app is a different animal. The phone in your user’s pocket is a bundle of location sensors, and the moment your app taps them, you have walked into location-data law whether you meant to or not.

Your Phone Is a Location Sensor.

Modern phones figure out where you are in several overlapping ways, and most of them are precise enough to trip the legal definition. GPS (and assisted GPS) can place you within a few meters. Wi-Fi positioning reads the networks around you and matches them to a database of known access points. Bluetooth beacons in stores ping your device as you walk past. Cell-tower triangulation estimates your position from the towers you connect to. And the motion sensors (accelerometer, gyroscope, magnetometer, even the barometer) fill in movement and elevation.

Stitch a few of these together and you are well inside the 1,750-foot radius that state laws treat as “precise.” Your app does not need a map feature to get there. A weather widget, a fitness tracker, a store locator, a “find my kids” feature, even an advertising SDK you dropped in for monetization can all be collecting it.

How Mobile Apps Turn Location Into a Product.

Here is the business model the regulators are chasing. Your app collects location and attaches it to a mobile advertising ID (Apple’s IDFA or Android’s AAID), a unique identifier tied to the device. That ID plus a stream of lat/long points is not anonymous. It is a map of one person’s life. Most apps do not sell it directly. They embed a third-party SDK from a data broker, the broker aggregates location from hundreds of apps, and then it sells or licenses that data downstream to advertisers, analytics firms, hedge funds, and (this is the part that made headlines) government contractors.

That pipeline is exactly what the enforcers have been taking apart.

The Enforcement Actions Every App Developer Should Know.

This is not theoretical. The cases are real, recent, and aimed straight at the mobile location pipeline:

• FTC v. Kochava. In May 2026 the FTC settled its long-running case against data broker Kochava, banning it from selling, licensing, or transferring sensitive location data unless the consumer gave affirmative express consent and the data is used only to deliver a service the consumer asked for. The data came from hundreds of millions of mobile devices.
• FTC v. X-Mode / Outlogic. In January 2024 the FTC’s first-of-its-kind order barred this broker from selling sensitive location data. X-Mode had collected precise location through SDKs embedded in ordinary apps and tied it to advertising IDs, exposing visits to reproductive health clinics, places of worship, and domestic abuse shelters.
• The prayer-app pipeline. Reporting by The Markup and Vice showed X-Mode bought location data from apps like Muslim Pro and a gay and bi dating app, then sold it to U.S. military and government contractors. That story is a big reason this is now a front-burner issue.
• The Weather Channel app. The Los Angeles City Attorney sued IBM and the app’s operator in 2019, alleging the app asked for location to “personalize your local weather” while quietly selling it. IBM settled in 2020 and had to rewrite its consent disclosures.
• Life360. Investigations found the family-safety app, used by tens of millions, was selling precise location on families and kids to roughly a dozen data brokers. The reputational fallout was its own punishment.

Consent Used to Be the Unlock. Not Anymore.

Almost every state privacy law treats precise geolocation as sensitive data, which historically meant one thing: get opt-in consent and you could process it. That bargain is breaking down. Maryland’s Online Data Privacy Act now bans the sale of sensitive data outright, and in Maryland there is no consent checkbox that makes selling precise location legal. Virginia (under SB338, effective July 1, 2026) and Oregon ban the sale of precise geolocation too. Watch the definition of “sale”: Virginia counts only money, while Maryland and Oregon count money or other valuable consideration, which sweeps in data swaps and “free” SDK deals.

The FTC is rowing the same direction. Both the Kochava and X-Mode orders treat consent as necessary but not sufficient: you need affirmative express consent and a legitimate, consumer-requested use. Collect broadly and monetize later is dead.

What Your App Should Do Now.

I’ve written before about privacy issues for app developers and why privacy by design beats bolting it on after launch. For location specifically, here is the short list:

• Inventory your sensors and SDKs. Map every place location enters your app, including third-party SDKs you added for ads or analytics. The broker pipeline usually rides in through an SDK nobody on the team thinks about.
• Assume you have “precise” data. If you combine GPS, Wi-Fi, or beacons, you are almost certainly inside 1,750 feet. Treat it as sensitive.
• Stop selling it, or prove it is not a “sale.” In Maryland, Oregon, and Virginia, do not sell precise location. Remember Maryland and Oregon count valuable consideration, not just cash.
• Get real opt-in, and tie it to the feature. Affirmative, specific consent at the moment of collection, and collect only what the requested feature actually needs.
• Make your disclosures match the code. The Weather Channel case was a disclosure case. Your privacy policy, your permission prompt, and what your SDKs actually do all have to line up.
• Fix your contracts. Your DPAs and SDK agreements need to carry these restrictions downstream, so a broker partner does not become your liability.

Quick Answers.

What counts as precise geolocation data? Information that identifies a person’s location within about 1,750 feet. Combine GPS, Wi-Fi, or Bluetooth signals and you are almost certainly there.

Can I sell location data if my users consent? In Maryland, no. MODPA bans selling sensitive data even with consent. Virginia and Oregon also ban selling precise location. Everywhere else, consent plus a legitimate, consumer-requested use is the floor, not a free pass.

Does my app even collect it? If you use GPS, Wi-Fi positioning, beacons, or an ad or analytics SDK, probably yes, often without any map feature at all.

Bottom line: if you build mobile apps, stop treating consent as a permission slip to sell location. Collect it only when the feature truly needs it, and sell it never. Trust me on this one!

Resources:

• A Brief Outline of Privacy Issues for App Developers
• I Have Seen the Future, and It Is “Privacy by Design”
• A Few Things You Should Know About the NAI and SaaS Privacy
• Are Your Clickwrap Agreements Actually Enforceable?

Disclaimer:

This post is for informational and educational purposes only, and is not legal advice. You should hire an attorney if you need legal advice, which should be provided only after review of all relevant facts and applicable law.