The Non-Financial Ledger: What Was Stolen Had No Price Tag

Imagine waking up one morning and discovering that for an unknown stretch of time, a company you have never heard of has been recording everywhere you go. Every morning commute. Every 2 a.m. drive. Every appointment at your therapist’s office. Every time you walked through the doors of a Planned Parenthood. Every time you attended a protest. Every time you went home.

You never gave this company your name. You never signed a contract with them. But because you downloaded an app, any app, that quietly embedded their code, your phone’s GPS became their instrument. Your movements became their inventory. Your daily life became a product line.

For millions of people in the United States, this is not a hypothetical. This is what X-Mode Social and Outlogic did. The FTC’s own findings describe data capable of identifying not just where a consumer goes, but where they live, where they worship, what medical conditions they may have, whether they are undocumented, whether they have left an abusive partner, and whether they hold political views that powerful actors might want to know about.

The harm here is not abstract. A domestic violence survivor whose location is tracked to a shelter has had their safety stripped from them. An undocumented person whose movement near an immigration services office is recorded and sold has been handed to whoever wants to buy that information. A patient walking into a mental health facility whose coordinates are logged has been outed in a way they did not choose and cannot undo. The FTC’s order confirms that these locations, these precise categories, were exactly the type of data this company was collecting and selling.

The damage cannot be measured in a settlement check. You cannot un-sell someone’s location history. Once a data buyer has those coordinates, the company that collected them has no guaranteed way to retrieve and destroy copies at every point downstream. The consent order acknowledges this by requiring Outlogic to notify customers who received historic location data within the prior three years and instruct those customers to delete it. A notification requirement is not a recall. It is a memo. Whether those buyers actually destroyed what they bought is, under this framework, largely taken on faith.

There are people whose daily routines, whose medical choices, whose political associations, and whose physical addresses were traded as commercial data points. They were never asked. They were never told. They were never compensated. This order does not compensate them either.

Legal Receipts: What the FTC’s Order Admits in Plain English

These are direct quotes from the FTC’s Decision and Order in Docket No. C-4802. Each quote is followed by a breakdown of what it proves about how this operation worked.

“Respondents must establish and implement, and thereafter maintain, a Sensitive Location Data Program… within 180 days of the issuance of this Order.”

Societal Impact Mapping: Who Gets Hurt When Location Data Gets Sold

The FTC’s order maps the categories of harm precisely through the definitions it chooses. Each prohibited use reflects a documented vulnerability that this data pipeline was capable of exploiting.

Public Health

The ability to track individuals to and from specific medical facilities transforms healthcare access into a surveillance event.

• The order explicitly names family planning centers, mental health facilities, substance abuse treatment centers, and psychiatric hospitals as sensitive locations where tracking must be prohibited. Each of these represents a category of patient who already faces stigma and whose location data, if disclosed, could cause direct harm.
• People seeking abortion services, addiction treatment, or mental health care are not visiting those locations voluntarily in any trivial sense. They are going because they need help. Their GPS coordinates at those addresses, sold to data brokers or downstream buyers, can expose their conditions to employers, insurers, abusive partners, or state actors in jurisdictions where those conditions are criminalized.
• The order defines Location Data broadly to include not just GPS coordinates but cell tower data, WiFi SSID data, Bluetooth receiver data, and mobile advertising identifiers. This means tracking precision was high enough to distinguish between, for example, a general hospital and a mental health ward within the same building, if the geometry was close enough.
• The prohibition on using location data to determine a person’s home address is especially significant for domestic violence survivors. For someone who has left an abusive household and relocated, having their new address reconstructed from overnight GPS patterns is a life-threatening exposure. The FTC’s order confirms this capability was present in the product.

Economic Inequality

Mass location surveillance is a tax on vulnerability. The people whose data is most dangerous to expose are disproportionately the people with the least power to protect it.

• Undocumented immigrants and refugees are explicitly protected under the Sensitive Locations definition: organizations providing services to refugees and immigrants are listed as places where location tracking must be blocked. The fact that this prohibition had to be written means the data was being collected and sold without those protections in place.
• Homeless individuals who rely on temporary shelters are named in the Sensitive Locations definition. Their location at a shelter can be used to identify them as unhoused, a data point that feeds discriminatory profiling systems in commercial, law enforcement, and insurance contexts.
• Labor union offices are included in the Sensitive Locations list. Workers who attend union meetings, organizing sessions, or labor actions could have had those affiliations tracked and sold to employers or labor relations consulting firms, which are often hired specifically to suppress union activity.
• The order’s structure assumes consumers have smartphones, consistent internet access, and the technical literacy to navigate privacy settings, consent withdrawal mechanisms, and deletion request forms. People who have the least digital literacy are the people most likely to have never known this tracking was happening and the least equipped to use the opt-out tools the order now requires.
• Racial and ethnic community organizations are listed as Sensitive Locations. Tracking individuals at venues associated with specific ethnic identities enables race-based profiling and targeting by commercial entities, law enforcement, or political actors.

The “Cost of a Life” Metric: What Accountability Was Worth

The FTC’s enforcement action against a company that collected and sold the location data of millions of Americans produced one financial consequence.

A company can track where you sleep, where you pray, where you seek help for addiction, and where you go to protest. If the FTC catches them, they pay nothing. They sign a form. They keep operating.

For context on what this data was worth: X-Mode’s core commercial product was selling location data feeds and audience segments to buyers that included government and defense contractors. The company operated across years and attracted sufficient customer volume to justify the FTC dedicating a full enforcement action with 19 provisions and a 20-year compliance tail. The revenue generated from that operation was not forfeited under this order.

The Machinery of Consent: How the Process Should Have Worked

The FTC’s order mandates consent, deletion, and oversight processes that were either absent or insufficient before the action. This visual shows the gap between required procedure and documented practice.

What Now: Who to Hold Accountable and How to Push Back

This case is not closed just because the FTC signed a consent order. Here is who is watching, who is still operating, and what you can do.

The Entities Still Operating

• Outlogic, LLC (successor to X-Mode Social, Inc.) is a Virginia limited liability company with its principal office at 150 Granby St, Norfolk, VA 23510. It remains in operation under the terms of this 20-year consent order. No executive is named in the FTC’s order text, and the source document does not list individual officers by name. Corporate accountability here runs through the entity, not named individuals.
• X-Mode Social, Inc. is a Virginia corporation with its principal office at 938 Park Ave, Herndon, VA 20170. The order binds both entities and their successors and assigns, meaning a name change or corporate restructuring does not dissolve the obligations.
• The order requires Outlogic to notify every customer that received Historic Location Data within three years prior to April 11, 2024, about the FTC’s deletion requirement. Those customers, unnamed in the order, are downstream holders of this data and remain outside the FTC’s direct enforcement in this action.

Watchlist: Regulatory Bodies With Jurisdiction

• Federal Trade Commission (FTC): The primary enforcement body for this order. Compliance reports are due annually under penalty of perjury. File consumer complaints at ftc.gov/complaint. The FTC must be notified of any corporate restructuring within 14 days.
• FTC Bureau of Consumer Protection (BCP): The division that prepared the draft complaint and negotiated the consent order. BCP enforces Section 5 of the FTC Act, which governs unfair or deceptive acts and practices.
• State Attorneys General: Several states, including California (CCPA), Virginia (CDPA), and others with data privacy laws on the books, retain independent authority to investigate and prosecute location data violations. Virginia is where both entities are registered.
• Congress (Senate Commerce Committee, House Energy and Commerce Committee): The United States still has no comprehensive federal privacy law. These committees hold jurisdiction over data privacy legislation. The absence of a financial penalty in this case is a direct argument for statutory minimum fines in any future privacy legislation.
• DOJ and ODNI: The order contains a “National Security” exception permitting certain government uses of location data. The scope and oversight of those government-facing data relationships is a matter for intelligence oversight bodies.

What You Can Do Right Now

• Audit your app permissions today. On both iOS and Android, go to privacy settings and review which apps have access to your precise location. Revoke access for any app that does not require it for a core function you actively use. Set all non-essential apps to “Never” or “Ask Next Time” for location.
• Disable your advertising identifier. On iOS, go to Settings > Privacy & Security > Tracking and disable “Allow Apps to Request to Track.” On Android, go to Settings > Privacy > Ads and opt out of ads personalization or reset your advertising ID. This limits the persistent identifier that connects your movements across data broker systems.
• Submit a data deletion request to Outlogic. The FTC’s order requires Outlogic to maintain a simple, accessible means for consumers to request deletion of their location data from Outlogic’s systems. Use it. Companies are required to comply within 30 days.
• File a complaint with the FTC. Visit ftc.gov/complaint. Document what apps you have on your device, whether you ever consented to location tracking by a data broker, and reference FTC File No. 212-3038. Volume of complaints matters to enforcement prioritization.
• Contact local mutual aid and immigrant rights organizations. If you are connected to communities that are specifically endangered by this type of tracking, specifically undocumented people, domestic violence survivors, and people accessing reproductive care, share this information. Help people audit their devices. Offer to walk through privacy settings with community members who may not know how.
• Demand a federal privacy law with teeth. Write or call your U.S. Representative and both Senators. Tell them you want a federal data privacy law that prohibits the collection and sale of sensitive location data, requires opt-in consent (not opt-out), and imposes meaningful financial penalties. The fact that this case ended with a $0 fine is the argument. Use it.
• Support organizations building legal and technical resistance. The Electronic Frontier Foundation (EFF), EPIC (Electronic Privacy Information Center), and the ACLU all work on data broker accountability. Your membership dollars and volunteer hours fund the legal infrastructure that makes cases like this possible.