FTC Finalizes Order Banning Data Broker Mobilewalla From Selling Sensitive Location Data
The Federal Trade Commission has finalized one of its most aggressive data privacy enforcement actions to date, banning the data broker Mobilewalla, Inc. from selling consumers' sensitive location data. The agency announced the final order on January 14, 2025, closing out a case it first brought in December 2024.
The order settles allegations that the Georgia-based broker tracked hundreds of millions of consumers and sold precise location histories, including data that could reveal visits to health clinics and places of worship, without taking reasonable steps to verify that consumers had consented.
Information last verified on June 20, 2026.
What the FTC Alleged
The case centers on how location data moves through the digital advertising ecosystem. According to the FTC's complaint, Mobilewalla collected data from real-time bidding exchanges and from third-party data aggregators. Many consumers had no idea the company had obtained their data at all.
Real-time bidding, or RTB, is the automated auction that decides which ad you see in the split second a web page or app loads. When a company bids to place an ad, it receives a bid request that can include a device identifier and precise location. The FTC alleged that when Mobilewalla bid on these auctions, it collected and retained the information in the bid request even when it did not win the auction.
The scale was large. The complaint alleged that from January 2018 to June 2020, Mobilewalla collected more than 500 million unique consumer advertising identifiers paired with precise location data. The agency said the raw location data was not anonymized and that the company had no policies to strip out sensitive locations, meaning the data could be used to identify individual devices and the sensitive places they visited.
The FTC also pointed to specific uses it found troubling. It said Mobilewalla collected location data from women who visited pregnancy centers and used it to build audience segments targeting pregnant women. The agency further alleged the company used location data to create a June 2020 report analyzing people who protested the death of George Floyd, including assessments of the protesters' racial backgrounds.
The Legal Theory: Section 5 and a New Unfairness Claim
The FTC brought the case under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. The agency alleged that Mobilewalla violated the Act by selling sensitive location data, selling audience segments built on sensitive characteristics like medical conditions and religious beliefs, collecting and retaining sensitive data from advertising exchanges, collecting and using data without taking reasonable steps to verify consent, and retaining raw location information indefinitely.
The most novel piece is the auction theory. The agency said this was the first time it alleged that collecting and retaining consumer data from online advertising auctions, for any purpose other than participating in the auction, was itself an unfair practice. That framing reaches a routine data flow that powers much of the open advertising web, not just an isolated bad actor.
This kind of case sits at the intersection of advertising technology and consumer privacy, an area where the rules are still being drawn. The relationship between automated data collection and consent is also central to debates over AI and data privacy, where systems ingest large volumes of personal information that consumers never knowingly handed over.
What the Final Order Requires
The finalized order is a settlement, so Mobilewalla did not admit wrongdoing, but it is now bound by the order's terms going forward.
The order prohibits Mobilewalla from misrepresenting how it collects, maintains, uses, deletes, or discloses consumers' personal information, and how far it deidentifies location data. It bars the company from using, transferring, selling, or disclosing location data from the listed sensitive locations.
The order also imposes affirmative obligations. Mobilewalla is prohibited from collecting or retaining consumer data while participating in online advertising auctions for any purpose other than the auction itself. It must build a sensitive location data program that develops a comprehensive list of sensitive places and is designed to prevent their use, sale, or disclosure. It must let consumers request deletion of their location data and must delete the historic location data it already collected, along with any products derived from that data.
Three more programs round out the order. A mandated privacy program must protect consumers' personal information, be assessed annually, and include training for employees and contractors with access to sensitive data. A supplier assessment program must confirm that consumers actually consented to the collection and use of their location data, and the company is barred from using location data when it cannot show records of consent. Finally, the company must give consumers a way to withdraw consent, after which it must stop collecting and delete that data.
The Commission voted 4 to 1 to finalize the order, with Commissioner Melissa Holyoak dissenting. Because a finalized FTC consent order carries the force of law as to future conduct, each violation can trigger a civil penalty of up to $53,088 under the agency's current inflation-adjusted maximum.
Part of a Broader Crackdown
The Mobilewalla order did not arrive in isolation. The FTC described it as its most recent action challenging the unfair handling of consumers' sensitive location data by data aggregators. The agency has brought or settled similar matters, including a case against Kochava over data tracking people to reproductive health clinics, and settlements with X-Mode over selling raw location data and InMarket over selling precise user location data.
Location tracking is not the only frontier. Regulators and legislatures have also focused on biometric identifiers like faceprints and fingerprints, the subject of Illinois' landmark statute explained in our BIPA overview. And because so much sensitive data is generated in the course of employment, employee data privacy has become its own fast-moving area as workplace monitoring expands.
Analysis: Why This Matters
The following analysis reflects the views of the Recording Law Editorial Team.
The headline of this case is the sale ban, but the more consequential move is the auction theory. By alleging that simply hoarding the data inside an ad bid request is an unfair practice, the FTC took aim at a mechanism that quietly feeds much of the data broker economy. If that theory holds in future matters, it pressures every company that touches real-time bidding to treat bid-stream data as something it cannot keep and repurpose at will.
The sensitive-location framing is also notable for being concrete rather than abstract. The order names health clinics, places of worship, correctional facilities, union halls, LGBTQ+ locations, political gatherings, and military sites. That list reflects a recognition that the harm from location data is not about where someone shops, but about what a precise trail can reveal regarding health, faith, politics, and safety. The cited examples, from pregnancy-center visitors to protest attendees, make the stakes tangible.
There are real limits worth keeping in mind. This is a settlement, so it produced no court ruling and no binding precedent that other companies must follow. It is also an enforcement action under a general unfairness statute, not a comprehensive privacy law, which means its reach depends on the agency continuing to bring cases and on courts agreeing with the theory if one is ever litigated. Enforcement priorities can also shift with changes in the Commission's composition.
For consumers, the practical lesson is that much of this data changes hands in places they never see, through ad auctions and broker resales rather than through any form they filled out. That is exactly why the consent-verification and deletion requirements in the order matter, and why the broader fight over location and biometric data is likely to keep moving from enforcement actions toward written law.
None of this is legal advice. Anyone with questions about their rights under federal or state privacy law should consult a licensed attorney about their specific situation.
Frequently Asked Questions
What did the FTC's Mobilewalla order do?
On January 14, 2025, the FTC finalized an order banning the data broker Mobilewalla, Inc. from selling, transferring, or disclosing consumers' sensitive location data. The order also requires the company to delete historic location data, verify consumer consent through a supplier program, and build privacy and sensitive-location data programs.
What is real-time bidding and why did it matter in this case?
Real-time bidding is the automated auction that selects which ad a user sees as a page or app loads. The bid request can include a device identifier and precise location. The FTC alleged Mobilewalla collected and kept this data from bid requests even when it lost the auction, and said collecting auction data for any purpose other than bidding was an unfair practice.
What counts as a sensitive location under the order?
The order lists health clinics, religious organizations, correctional facilities, labor union offices, LGBTQ+-related locations, political gatherings, and military installations. Mobilewalla is barred from using, transferring, selling, or disclosing location data tied to these places.
Did Mobilewalla admit it broke the law?
No. The matter resolved through a consent order, which is a settlement. The company did not admit wrongdoing, but it is bound by the order's terms going forward, and each future violation can carry a civil penalty of up to $53,088 under the FTC's current inflation-adjusted cap.
What law did the FTC use to bring the case?
The FTC relied on Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. The agency alleged Mobilewalla's collection, retention, and sale of sensitive location data without verified consent was unfair, and that retaining auction bid-stream data for non-auction purposes was itself an unfair practice.
How does this case fit with other privacy enforcement?
The FTC described it as its most recent action against data aggregators' unfair handling of location data, following matters involving Kochava, X-Mode, and InMarket. It reflects a broader regulatory focus that also includes biometric data and workplace privacy.
Sources and References
- FTC, 'FTC Finalizes Order Banning Mobilewalla from Selling Sensitive Location Data' (Jan. 14, 2025) - final order announcement(ftc.gov).gov
- FTC, 'FTC Takes Action Against Mobilewalla for Collecting and Selling Sensitive Location Data' (Dec. 3, 2024) - complaint, allegations, and proposed order terms(ftc.gov).gov
- Mobilewalla, Inc.; Analysis of Proposed Consent Order To Aid Public Comment, 89 Fed. Reg. (Dec. 6, 2024), FTC File No. 202-3196(federalregister.gov).gov
- FTC Legal Library, 'Mobilewalla, Inc.; Analysis of Proposed Consent Order to Aid Public Comment' (FTC File No. 202-3196)(ftc.gov).gov
- FTC, 'Mobilewalla, Inc., In the Matter of' (FTC File No. 202-3196) - case docket, complaint, and final Decision and Order(ftc.gov).gov
- FTC, 'FTC Publishes Inflation-Adjusted Civil Penalty Amounts for 2025' (effective Jan. 17, 2025) - per-violation Section 5 maximum raised to $53,088(ftc.gov).gov