On January 14, 2025, the Federal Trade Commission issued a final consent order prohibiting Gravy Analytics, Inc. and its wholly-owned subsidiary Venntel, Inc. from selling sensitive location data. The 5-0 vote marked the fourth FTC action that year targeting the location data broker industry. Gravy and Venntel were banned specifically from selling data that tracked consumers to churches, medical facilities, domestic abuse shelters, political rallies, and military installations. The companies claimed to collect seventeen billion signals daily from approximately one billion mobile devices. The FTC called it a landmark moment. Commissioner Alvaro M. Bedoya, joined by Chair Lina M. Khan and Commissioner Rebecca Kelly Slaughter, offered the的一句: "Where we go is who we are."
They were not wrong. But the order tells only part of the story.
The order prohibits Gravy Analytics and Venntel from selling sensitive location data. It does not prohibit the Real-Time Bidding infrastructure that delivered that data. It does not prohibit the hundreds of other companies that continue to collect, package, and sell the same signals through the same pipes. And it does not prohibit the government customers who were buying this data — including the agency that was Gravy/Venntel's most sensitive client.
This is the liminal state of American location data enforcement: a company falls, and the architecture stands.
Gravy Analytics and Venntel operated at the intersection of the RTB auction and government intelligence. Venntel marketed itself explicitly to law enforcement and intelligence agencies, offering what its materials called "patterns-of-life" analysis — ninety-day tracking of individual devices to identify home locations, work locations, and visits to government buildings. In one case study, Venntel demonstrated tracking a single "VIP Device" for ninety days and producing a complete movement profile.
The data came from the RTB ecosystem. Venntel's own marketing materials acknowledged using "RTB Data: Real-Time Bidding for Intelligence Operations." The company purchased location signals from the continuous auctions that run behind nearly every mobile app and website — bidstream data that the RTB system broadcasts to thousands of participants simultaneously. Gravy Analytics then processed these signals, associating Mobile Advertising IDs with inferred audience segments: people who visit reproductive health clinics, people who attend religious services, people who appear at political campaign offices.
"Surreptitious surveillance by data brokers undermines our civil liberties and puts servicemembers, union workers, religious minorities, and others at risk. This is the FTC's fourth action taken this year challenging the sale of sensitive location data, and it's past time for the industry to get serious about protecting Americans' privacy."
— Samuel Levine, Director, FTC Bureau of Consumer Protection
The FTC complaint described this as an unfair practice under Section 5 of the FTC Act. The companies collected and sold sensitive location inferences — religious views, health conditions, political activities, union membership — without obtaining verifiable consent. The order required deletion of all historic data and establishment of a Sensitive Location Data Program within ninety days. It required a Supplier Assessment Program to verify that upstream data sources had obtained proper consent.
It did not require shutting down the RTB pipes.
Google's RTB system, which processes auctions for approximately 1.3 million publishers, settled a class action in March 2026 revealing that bidstream data — including precise location, device IDs, and IP addresses — continues to be shared with thousands of participating companies. The Electronic Frontier Foundation noted that the settlement created an optional opt-in control, but "the vast majority of users" would remain on the default tracking setting. Professor Wilson's analysis found that fifty-two different companies observe at least ninety-one percent of average bid requests. The infrastructure was not dismantled. It was left running, and one participant was told to leave the room.
Six weeks before the FTC announced the Gravy/Venntel action, the agency banned Mobilewalla from collecting consumer data from online advertising auctions. Mobilewalla had allegedly collected data on more than five hundred million unique advertising IDs paired with precise location information over an eighteen-month period. The same mechanism. The same RTB broadcast. A different company.
Separately, ICE had been purchasing location data through Venntel — until a 2023 investigation by the DHS Inspector General, prompted by Senator Ron Wyden, found those purchases were illegal. ICE's program was shut down. The agency then issued a no-bid contract to Penlink in September 2025 for over five million dollars, including access to a product called Webloc, which provides location tracking derived from mobile apps. Webloc was developed by Cobwebs Technologies — the same company Meta had banned from its platforms in 2021 for targeting activists in Hong Kong and Mexico. Penlink merged with Cobwebs in 2023.
Senator Wyden wrote: "Location data is extremely sensitive, and can reveal someone's religion, their political views, medical conditions." Seventy Democratic lawmakers called for a DHS Inspector General investigation in March 2026. ICE cancelled a scheduled briefing with Wyden's office one day before it was set to occur.
The FTC banned Gravy Analytics from selling sensitive location data to anyone. The government found another vendor. The same data type. A different invoice.
The FTC's enforcement theory rests on the premise that precise location data linked to sensitive locations constitutes an unfair practice without consent. But this framing contains a structural assumption: that the location data in question was genuinely anonymized, or at least not easily re-identifiable. Research suggests this assumption is false at scale.
Yves-Alexandre de Montjoye and colleagues at Imperial College London demonstrated in 2013 that four spatio-temporal points uniquely identify ninety-five percent of individuals in mobility datasets. A 2022 follow-up study found that ninety-three percent of people in a dataset of sixty million could be re-identified using just four auxiliary points. The French data protection authority CNIL conducted a practical experiment in 2022-2023: researchers obtained a supposedly anonymized location database from a commercial broker and successfully identified seven out of twenty randomly sampled individuals within a single day using publicly available information.
"This type of data — records of a person's precise physical locations — is inherently intrusive and revealing of people's most private affairs. The sale of such revealing information that can be linked directly to an individual consumer poses an obvious risk of substantial injury to that consumer."
— Commissioner Andrew N. Ferguson, concurring
Location data is not meaningfully anonymized in most commercial contexts. It is identifier-stripped at the surface level and re-identifiable through trivial inference. The FTC's order requires Gravy Analytics to delete historic data and verify supplier consent — actions that address the formal compliance question but not the underlying re-identification risk that makes the data valuable and dangerous in equal measure.
The consent framework the FTC is relying on — upstream verification that data suppliers obtained proper authorization — also assumes the RTB supply chain is a consent-capable system. Belgium's data protection authority found in ongoing RTB investigations that the auction's collection of personal data without user consent is a core structural violation, not a company-specific one. The IAB's Transparency and Consent Framework, the industry's primary consent mechanism for RTB, was ruled by the Court of Justice of the EU in March 2024 to qualify TC Strings as personal data and to make IAB Europe a joint controller for TCF processing. A Belgian court upheld a two hundred fifty thousand euro fine against IAB Europe in May 2025.
The consent infrastructure underpinning RTB is itself under regulatory review in Europe. In the United States, it remains the assumed foundation.
What the FTC accomplished with Gravy Analytics is real. The company is prohibited from selling sensitive location data. Historic data must be deleted. The company's government intelligence product — the patterns-of-life tracking sold to law enforcement — is now restricted to national security and law enforcement purposes under the terms of the order.
But seventeen billion daily signals continued flowing through RTB the day after the ban took effect. The fifty-two companies watching average bid requests did not reduce their observation. The government customers who found Venntel's product useful did not lose access to location intelligence — they redirected procurement to firms like Penlink, whose Webloc product derives from the same app-level data streams.
This is the operational meaning of targeting a company rather than a practice. Gravy Analytics was a large-scale commercial location data broker. Its removal from the market created a procurement opportunity for smaller, newer, or government-focused vendors who operate below the enforcement threshold or outside its geographic scope. The demand for precise location intelligence — the kind that reveals patterns-of-life, that identifies which devices appear at sensitive locations, that tracks individuals over ninety-day periods — did not decrease. It migrated.
The FTC has now taken four location data enforcement actions. Each has followed the same model: identify a company, document the sensitive location data sales, require deletion, prohibit future sales. Each action has addressed the supply side of a specific company. None has addressed the infrastructure question.
Real-Time Bidding remains the dominant mechanism for moving consumer data through the advertising ecosystem. Bid requests continue broadcasting device identifiers, IP addresses, and precise location to thousands of participants per auction. The data broker ecosystem continues operating, with companies differentiating on data freshness, segment specificity, and government-ready delivery mechanisms rather than on consent compliance.
The "Fourth Amendment Is Not For Sale Act" passed the House in April 2024 and stalled in the Senate. The American Privacy Rights Act was introduced in April 2024 and did not advance. State laws in Oregon, Maryland, Virginia, California, and Washington now restrict precise location data sales — but state-level enforcement against RTB participants remains fragmented, and the interstate nature of the digital ad ecosystem creates structural evasion opportunities.
What the FTC accomplished with Gravy Analytics was a prohibition on one company. What the FTC did not accomplish was an answer to the question the case inevitably raises: if this company's data practices were unfair, and the RTB infrastructure that supplied those practices remains intact, what exactly has changed for the consumer whose location signals are still being auctioned to dozens of companies per webpage visit?
The order took effect. The infrastructure breathed. A vendor was replaced. The seventeen billion daily signals became someone else's inventory.
References
Federal Trade Commission, "FTC Finalizes Order Prohibiting Gravy Analytics and Venntel from Selling Sensitive Location Data," January 14, 2025. FTC Matter/File No. 212-3035.
Federal Trade Commission, "FTC Action Leads to Ban on Mobilewalla from Collecting and Selling Consumer Data from Online Advertising Auctions," December 3, 2024.
de Montjoye, Yves-Alexandre, et al. "Unique in the Crowd: The privacy bounds of human mobility." Scientific Reports, 2013.
de Montjoye, Yves-Alexandre, et al. "The risk of re-identification remains high even in country-scale location datasets." Cell Patterns, 2022.
CNIL, "WhereUAt Project — Practical Re-identification Experiment," 2022-2023.
Court of Justice of the EU, Case C-604/22 (IAB Europe), March 7, 2024.
Brussels Market Court, IAB Europe ruling, May 14, 2025.
Senator Ron Wyden, letter to DHS Inspector General, 2023.
U.S. House of Representatives, "Fourth Amendment Is Not For Sale Act," H.R. 4639, vote April 17-18, 2024.
California AB 45, signed September 26, 2025.
ICE contract with Penlink, September 2025.