Yes—the Federal Trade Commission (FTC) took enforcement action against Gravy Analytics Inc. and its subsidiary Venntel Inc. for unlawfully collecting and selling precise, non-anonymized location data extracted from gaming apps, weather apps, and other mobile applications to federal government agencies. On December 3, 2024, the FTC issued its decision and order against the companies, with the order finalized in January 2025. This wasn’t a traditional lawsuit filed by consumers or private parties—it was a federal enforcement action based on the finding that Venntel’s data collection and sales practices violated the FTC Act by deceiving consumers and failing to obtain proper consent for tracking sensitive location information.
The scope of Venntel’s data collection was staggering. The company claimed to collect, process, and curate more than 17 billion signals from around 1 billion mobile devices daily. Location data from these apps was sold to federal law enforcement and government agencies including the IRS, Department of Homeland Security (DHS), ICE, Customs and Border Protection (CBP), DEA, and FBI. The critical problem: the data sold to these agencies was not anonymized, meaning law enforcement could identify and track specific individuals. This article explains how Venntel operated, which government agencies purchased the data, what privacy violations the FTC found, and what the enforcement order now requires.
Table of Contents
- How Venntel Extracted Location Data From Gaming and Weather Apps
- Government Agencies Purchasing Venntel’s Non-Anonymized Location Data
- Venntel and Gravy Analytics’ Sensitive Data Products
- The FTC’s Enforcement Action and Legal Violations
- Non-Anonymized Data and Individual Tracking Implications
- The FTC’s Final Order: Prohibitions and Data Deletion
- Broader Implications for the Location Data Industry
How Venntel Extracted Location Data From Gaming and Weather Apps
Venntel’s business model relied on harvesting precise location data from consumer mobile applications without meaningful consumer awareness or consent. The company sourced location signals from a variety of apps including gaming apps and weather applications—the types of everyday tools millions of people use casually without realizing they’re broadcasting their real-time location to data brokers. With 17 billion daily signals flowing from approximately 1 billion mobile devices, Venntel wasn’t tracking a small subset of users; it was operating at massive scale, capturing a comprehensive picture of movement patterns across the United States.
The company then processed this raw location data into curated products sold to government buyers. However, Venntel’s collection methods failed to obtain proper consumer consent. The FTC found that while some apps may have disclosed location data collection in their privacy policies, Venntel’s acquisition and resale of this data—particularly in aggregated, trackable form—violated consumer protection standards. Unlike anonymized data (which can be useful for research without privacy risks), Venntel’s location signals remained precise enough to identify and follow specific individuals.
Government Agencies Purchasing Venntel’s Non-Anonymized Location Data
Federal law enforcement and government agencies became Venntel’s largest customers. The IRS, Department of Homeland Security, Immigration and Customs Enforcement, Customs and Border Protection, DEA, and fbi all purchased access to Venntel’s location data. The IRS, for example, acquired access to mass location data from Venntel in 2017 and 2018—purchases that later became part of regulatory scrutiny of government surveillance practices.
The availability of this data to law enforcement raised fundamental questions about due process and privacy rights. Traditional law enforcement location surveillance requires a warrant based on probable cause of criminal activity. With access to Venntel’s data, government agencies could conduct mass tracking of millions of people without individualized suspicion or judicial oversight. The IRS using location data in 2017-2018 is particularly notable because the IRS is a tax and regulatory agency, not a criminal investigation body—yet it had access to precise individual tracking data with minimal limitations.
Venntel and Gravy Analytics’ Sensitive Data Products
Beyond selling raw location data, Gravy Analytics (Venntel’s parent company) used location signals to create targeted products based on highly sensitive information. The company created products that identified consumers based on their political affiliation by tracking attendance at political rallies and campaign events. Similar targeting was built around religious worship attendance, allowing buyers to identify people based on which churches, mosques, synagogues, or temples they visited. The company also created products targeting consumers based on family composition (identifying homes with children) and inferred medical conditions by tracking visits to clinics, hospitals, and specialists.
The creation of these sensitive targeting products was particularly troubling because it meant Venntel wasn’t simply providing neutral location data—it was explicitly translating movement patterns into invasive personal classifications. Someone visiting a specific medical clinic multiple times could be categorized as having that condition. Someone attending a particular house of worship could be identified by faith tradition. This transformed raw location data into profiles that revealed the most intimate aspects of people’s lives—their health concerns, religious beliefs, political views, and family situations.
The FTC’s Enforcement Action and Legal Violations
The FTC’s enforcement action against Gravy Analytics and Venntel was based on violations of Section 5 of the FTC Act, which prohibits unfair and deceptive practices affecting commerce. The FTC determined that Venntel engaged in deceptive practices by failing to clearly disclose to consumers that their location data was being collected from their apps and sold to government agencies. The company also engaged in unfair practices by collecting sensitive location data from consumers without obtaining adequate consent and without implementing reasonable safeguards.
The December 2024 decision and January 2025 final order represent a significant regulatory shift in how the FTC views location data sales. Rather than allowing the market to self-regulate or relying on app privacy disclosures, the FTC took the position that selling precise, non-anonymized location data—particularly to government agencies that can use it for mass surveillance—is inherently problematic regardless of what privacy policies state. This reflects growing recognition that consumer consent is insufficient when the power imbalance between individuals and both corporations and government is so extreme.
Non-Anonymized Data and Individual Tracking Implications
The most critical technical detail in the FTC’s case was that Venntel’s location data was not anonymized. Anonymization is a specific privacy technique that removes identifying information and aggregates data in ways that prevent re-identification of individuals. Venntel’s data, by contrast, remained precise enough to track specific mobile devices and, through device IDs, link to specific individuals. This distinction meant the data could be used to follow someone’s movements in real-time or reconstruct their entire location history.
For law enforcement agencies like ICE and CBP, non-anonymized location data enabled use cases that would be impossible with truly anonymized information. An immigration agent could identify an individual’s home address, workplace, places of worship, medical appointments, and regular routines—without ever obtaining a warrant. CBP could track border communities, identifying which people regularly cross between the US and Mexico. The DEA could identify who visits known drug-related locations. This is precisely why the distinction between anonymized and non-anonymized data is so legally and ethically crucial.
The FTC’s Final Order: Prohibitions and Data Deletion
Under the FTC’s final order issued in January 2025, Gravy Analytics and Venntel face sweeping restrictions. The companies are prohibited from selling, licensing, transferring, sharing, disclosing, or using sensitive location data in any way—except in limited circumstances involving national security or law enforcement that meet specific conditions and oversight requirements. Additionally, the order requires the companies to delete all historic location data they possess and any data products derived from location information.
This represents a permanent end to Venntel’s core business model as it previously operated. The company cannot simply continue selling location data with new privacy disclosures; it is categorically banned from the practice. The deletion requirement means the data collected from billions of tracking instances cannot be warehoused for future sale or government requests. However, the order does include narrow exceptions for legitimate national security purposes, reflecting the reality that government surveillance for specific intelligence threats involves different legal and policy considerations than commercial surveillance.
Broader Implications for the Location Data Industry
The Venntel enforcement action signals a watershed moment for the entire location data industry. For years, data brokers and app developers operated in a gray zone where location collection was technically disclosed (buried in lengthy privacy policies) but not meaningfully transparent to consumers. The FTC’s action against Venntel suggests this gray zone is closing.
Regulators are now examining whether any degree of consumer consent is sufficient when data is sold to government agencies capable of mass surveillance. The case also highlights how the surveillance ecosystem depends on partnerships between private companies and government. Venntel wasn’t a government agency itself—it was a private company built on consumer data. The fact that government agencies became the primary customers for location data suggests future regulatory attention will focus not just on corporate data collection, but on government procurement practices and the conditions under which agencies can purchase private surveillance data.