When Mobilewalla's general counsel received a due diligence questionnaire from a prospective client in 2020, the question was straightforward: can you prove that U.S. consumers consented to their location data being collected and sold? Mobilewalla's internal response, according to an email cited in an FTC complaint: "If, for US consumers, [the client wants] specific consents…. This deal is dead."
The deal was not dead. The deal continued. The data flowed. The client went away, and Mobilewalla kept selling precise location histories — stripped to 25-meter radii, covering billions of mobile signals daily from 2.2 billion devices across 40-plus countries — to anyone with a budget and an audience to find.
This is not a story about a rogue company. It is a story about a ledger that does not reconcile.
The Federal Trade Commission's complaint against Mobilewalla, filed December 2024 and finalized in January 2025 (Docket No. 202-3196), describes a data broker with no direct relationship to the consumers whose movements it tracked, aggregated, and sold. Mobilewalla collected more than 500 million unique consumer advertising identifiers paired with precise location data between January 2018 and June 2020, and estimates it has collected more than 2 billion unique identifiers in total. It stores five or more years of data cheaply, using proprietary compression. It sells audience segments built from that data to marketers, political campaigns, and — the complaint notes with particular concern — to government buyers.
The company did not collect this data by placing tracking pixels on its own properties. It bought it. From suppliers who collected it from apps. From apps that users installed and, in some cases, never opened. The chain runs: app developer → data aggregator → Mobilewalla → Mobilewalla's customer. At no point in that chain is there a moment where a human being meaningfully agrees to what is happening.
What Mobilewalla required from its suppliers, the FTC found, was "vague contractual assurances that the suppliers' sale of consumers' information complied with applicable law." That is the entire consent infrastructure. A sentence in a contract. Not a verified consent mechanism. Not a documented opt-in. A sentence.
The FTC cited paragraph after paragraph of this gap in its complaint. "Mobilewalla does not contractually require its suppliers to obtain consumer consent." It "does not know whether consumers were informed of or consented to Mobilewalla's collection and use of their information." It "fails to take reasonable steps to verify that its suppliers have obtained consumer consent." Even when Mobilewalla began requiring annual certifications from suppliers in 2020, it "failed to implement any procedures to verify the accuracy of these certifications."
This is the supply chain of assumptions. Each party assumes the next party handled it.
The specific number that appears in the complaint — and that deserves to be more widely known — is three to five.
"Although some suppliers collect consumers' information from thousands of apps," the complaint states in paragraph 44, "Mobilewalla has typically only checked whether three to five of the apps disclosed to consumers that the app was collecting location information and sharing it with third parties."
And it only did this once. When evaluating whether to sign a new supplier. It never checked again.
Here is what that looks like in practice: suppose a supplier has 10,000 apps feeding it data. Mobilewalla's due diligence consists of opening the App Store listing for three of them. If those three disclose data sharing — which most do, in fine print that no human reads — the supplier is cleared. The other 9,997 apps are never examined. The supplier's contract is signed. The data flows.
This is not a security vulnerability or a technical oversight. It is the designed throughput of a compliance function. The three-to-five app check is not a safeguard that sometimes fails. It is the safeguard. Everything else is paperwork.
The client who asked for specific proof of U.S. consumer consent received the "deal is dead" response. The FTC received the full data architecture.
There is a specific technical mechanism in the complaint that deserves separate attention, because it represents what appears to be a first in FTC enforcement: the allegation that Mobilewalla collected data from real-time bidding exchanges it did not win.
In standard programmatic advertising, when you load a webpage, an auction occurs. Publishers offer ad inventory. Advertisers bid on it. The winner gets to show you an ad. The bid request — containing your device ID, IP address, rough location, and browsing context — is broadcast to all bidders simultaneously. Most bidders lose. They see the request, decide not to bid, and move on.
Mobilewalla, according to the FTC, was not always moving on. The complaint alleges that Mobilewalla collected consumer data from bid requests it did not win — capturing information from auctions it lost — for purposes beyond participating in the auction. This appears to be the first time the FTC has alleged this specific practice as an unfair practice under Section 5.
The distinction matters because it separates two things that the industry often collapses: using bid data to place ads, and using bid data as a surveillance feed. If you lose every auction but still extract the device identifiers, you are not running an advertising business. You are running a data extraction business that uses the ad auction as its collection mechanism.
Mobilewalla's order bans collection from RTB exchanges "for any purpose other than participating in the auctions themselves." The FTC has now drawn a line: the bid stream is not a public resource available for secondary harvesting.
Daniel Solove, a privacy law scholar at George Washington University, has spent years cataloging why consent fails as a regulatory mechanism. His 2024 Boston University Law Review paper — "Murky Consent" — argues that the notice-and-choice model that underlies U.S. privacy law is "a fiction too fanciful even for magical realism." At scale, consent cannot be informed. The terms are unreadable. The frequency of consent requests produces not deliberation but fatigue.
The Annenberg School for Communication's 2022 survey of 2,014 U.S. adults found that 71% don't understand what data digital marketers collect about them. Eighty percent believe they cannot control what marketers learn about them. Sixty percent say they do not understand how digital marketers learn about them at all. These are not people who failed to read a privacy policy. These are people who correctly assessed that reading it would not change what happens.
The consent ledger, in other words, does not fail because people opt out. It fails because people cannot opt out in any meaningful sense, and the system is not designed for them to try.
A 2020 study of the GDPR's cookie consent interfaces — examining 680 UK websites — found that only 11.8% met minimal legal requirements. Research published at WWW 2023 found that 72.8% of GDPR-compliant websites used "legitimate interest" as a legal basis to collect data from users who had explicitly refused cookies. The consent interface was technically present. The consent was not.
Mobilewalla did not invent this system. It optimized for it.
The final consent order, issued January 14, 2025, runs for 20 years. It prohibits Mobilewalla from selling location data that reveals visits to medical facilities, places of worship, LGBTQ+ service locations, political gatherings, military installations, correctional facilities, labor union offices, and private residences. It requires a Supplier Assessment Program requiring affirmative express consent verification before collecting location data. It requires deletion of historic location data and unhashed phone numbers within 90 days. It requires a comprehensive privacy program.
It does not fine the company. The FTC's unfair practices authority allows injunctive relief and structural requirements, but civil penalties require a separate court action. Mobilewalla's data products — built from years of unconsented location histories — must be deleted within 120 days. Customers who received that data within three years prior to the order must be notified and required to delete it.
The order resolves the FTC's complaint. It does not resolve the structural question.
Because the three-to-five app audit was not a Mobilewalla innovation. It was a point solution on top of a system that requires no meaningful consent verification at all. The IAB's Transparency and Consent Framework — the industry's main technical Consent infrastructure for GDPR compliance — was found by the Belgian Data Protection Authority in 2022 to be incompatible with GDPR requirements. A 2023 study found that even websites that properly stored consent choices had data collection continuing via legitimate interest workarounds. The framework produces a consent string. It does not produce consent.
The FTC's simultaneous action against Gravy Analytics and Venntel — the subsidiary that sold location data to government clients including ICE — used identical legal theories and identical order structures. Two companies. One outcome. The supply chain was not disrupted. The apps that fed data into the system were not required to change their disclosures. The consumers whose movements were tracked were not made parties to the proceeding.
What the order does is assign liability upward in the chain. Data brokers are now on notice that vague contractual assurances are not consent verification. The three-to-five app audit is not due diligence. Collecting data from bid streams you lose is not a legitimate business purpose.
Whether the suppliers downstream change their practices in response is a separate ledger.
Mobilewalla's internal email about Hindu temples is included in the public complaint. An employee wrote, per paragraph 45: "Hindu temples indicate you are highly likely to be Hindu/Indian, African-American churches indicate you are likely black etc."
This was not hidden in a footnote. It was not redacted. It is paragraph 45 of a federal administrative complaint, filed with a 4–1 FTC vote on December 3, 2024,, and finalized January 14, 2025.
The email is there because it is evidence of intent. The inference was not incidental to the product. The ability to infer religious identity, racial identity, political affiliation, and health status from location patterns was a feature, not a bug, of the data being sold.
The complaint calls this an "unfair" practice: selling audience segments based on sensitive inferred characteristics without consent. That is the legal theory. The email is the factual basis for it.
What the email also reveals is that the people building this infrastructure understood exactly what they were inferring. They were not naive about the data's meaning. The "consent" — the vague contractual assurances from suppliers, the three-app check, the annual certifications nobody verified — was the covering structure for a system whose operation was fully understood.
The ledger balanced. Until it did not.