How Apps Track Your Location Even When You Say No

Denying an app's location request blocks the GPS API. It doesn't block IP geolocation, Wi-Fi positioning, or the third-party SDK sitting inside the app collecting data you never directly agreed to share.

Published Jul 2, 2026
Updated Jul 2, 2026

Tap "Don't Allow" on a location permission prompt and it feels like the conversation is over. For the GPS-specific request, it is. For everything else an app and the code bundled inside it can still infer about where you are, it usually isn't.

This article covers how location tracking actually works, the several ways it happens without a GPS permission ever being granted, and what a settlement finalized in May 2026 revealed about just how large the market for that data had become.

How location tracking normally works

"Location" isn't one technology, it's several, and apps typically combine them for the best available accuracy at any given moment.

Method | Typical accuracy | Needs GPS permission?
GPS | Within a few meters, outdoors | Yes
Wi-Fi positioning | Often within tens of meters, especially indoors where GPS struggles | Usually, but not always (see below)
Cell tower triangulation | Hundreds of meters to a few kilometers | Yes, on modern OS versions
IP geolocation | City to metro-area level, occasionally more precise | No

IP geolocation is the one worth sitting with, since it needs nothing from you at all beyond an active internet connection. Every request your device makes carries its IP address, which maps to a general location through public geolocation databases with no permission dialog involved anywhere in the process. It's covered in more depth in our piece on what your browser sends to every site you visit. A VPN changes the IP address this method sees, though it does nothing about the other methods covered below.

The permission model, briefly

Both major mobile platforms settled on roughly the same three-tier structure for GPS-based location specifically.

Never / Deny: The GPS-based location API is fully blocked for that app. Other methods described below are unaffected.

While Using the App: Location is available only while the app is open and active on screen.

Always: Location is available in the background too, including while the app is closed. Genuinely needed by a small minority of apps.

Precise vs approximate location

A more recent addition, on iOS since version 14 and Android since version 12, lets you grant location access without handing over your exact coordinates. Approximate location gives an app a rough area, typically a kilometer or more across, instead of a specific address or building. It's a genuinely useful middle setting: enough for a weather app, a local news feed, or a store-finder to work correctly, without revealing exactly which building you're standing in. It's worth checking per app, since many default to precise and simply never prompt you to reconsider.

How apps get location without ever asking for GPS

This is where most explanations of location privacy stop short. Denying the GPS permission closes one specific door. A few others are still open by default.

IP-based geolocation requires no permission dialog at all, as covered above. Coarser than GPS, but often good enough for advertising and analytics purposes that just need a city or region.
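The server-side view of this, as an added example that is not part of the original article: the source address on each request is matched against a prefix table, most specific prefix first. The prefixes are RFC 5737 documentation ranges, and the region names and log lines are constructed.

```python
import ipaddress

# Constructed geolocation table: documentation prefixes mapped to made-up
# regions. Real databases hold far more rows of the same shape.
GEO_TABLE = [
    ("198.51.100.0/24", "Metro area A"),
    ("198.51.100.64/26", "Metro area A, north district"),  # finer block
    ("203.0.113.0/24", "Metro area B (VPN exit)"),
]
# Longest prefix first, so the most specific row wins.
_NETS = sorted(
    ((ipaddress.ip_network(p), region) for p, region in GEO_TABLE),
    key=lambda row: row[0].prefixlen,
    reverse=True,
)

def geolocate(ip_text):
    """Return the region for an address, or None if unparsable or unmapped."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, region in _NETS:
        if addr in net:
            return region
    return None

# Constructed access-log lines, as any server the app talks to would record.
ACCESS_LOG = [
    '198.51.100.77 - - [02/Jul/2026:10:00:01 +0000] "POST /v1/events HTTP/1.1" 200',
    '198.51.100.200 - - [02/Jul/2026:10:05:12 +0000] "POST /v1/events HTTP/1.1" 200',
    '203.0.113.9 - - [02/Jul/2026:10:09:40 +0000] "POST /v1/events HTTP/1.1" 200',
]

def regions_from_log(lines):
    """Map each request's source address (first log field) to a region."""
    out = []
    for line in lines:
        fields = line.split()
        if fields:
            out.append((fields[0], geolocate(fields[0])))
    return out

if __name__ == "__main__":
    for ip, region in regions_from_log(ACCESS_LOG):
        print(ip, "->", region)
```

The third request stands for the same device behind a VPN: only the source address changed, and the inferred region changed with it.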

Wi-Fi network scanning is subtler. Nearby Wi-Fi network names and hardware addresses (BSSIDs) get logged in large, crowdsourced "wardriving" databases like WiGLE, built by volunteers physically driving around and recording which networks appear where. Once a network's BSSID is in one of these databases, seeing that same BSSID from any device instantly reveals a fairly precise location, sometimes down to a specific building, without touching GPS at all. This is genuinely how Wi-Fi-based positioning systems work at the technical level, including the legitimate ones built into your phone's OS.
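A minimal version of that lookup, added here as an illustration and not taken from the original article or from any real positioning service: a signal-weighted centroid over the access points a scan has in common with a database. The database, BSSIDs (RFC 7042 documentation range) and coordinates are constructed, and the weighting scheme is an assumption.

```python
# Constructed crowdsourced database: BSSID -> (lat, lon) where that access
# point was recorded. None of these are real networks or places.
AP_DB = {
    "00:00:5e:00:53:01": (40.0000, -105.0000),
    "00:00:5e:00:53:02": (40.0010, -105.0020),
    "00:00:5e:00:53:03": (40.0004, -105.0006),
}

def rssi_weight(rssi_dbm):
    """Convert dBm to linear power so stronger (nearer) signals count more."""
    return 10 ** (rssi_dbm / 10)

def estimate_position(scan, ap_db=AP_DB):
    """Weighted centroid of the known access points in one scan.

    scan is a list of (bssid, rssi_dbm). Returns (lat, lon, matched), or
    None when no scanned BSSID is in the database. Averaging raw degrees
    is acceptable here because the points lie within a few hundred meters.
    """
    lat_sum = lon_sum = weight_sum = 0.0
    matched = 0
    for bssid, rssi in scan:
        known = ap_db.get(bssid.lower())
        if known is None:
            continue  # unmapped network contributes nothing
        w = rssi_weight(rssi)
        lat_sum += w * known[0]
        lon_sum += w * known[1]
        weight_sum += w
        matched += 1
    if matched == 0:
        return None
    return (lat_sum / weight_sum, lon_sum / weight_sum, matched)

# Constructed scan result: what a device hears, with GPS never consulted.
SCAN = [
    ("00:00:5E:00:53:01", -60),
    ("00:00:5e:00:53:02", -60),
    ("00:00:5e:00:53:ff", -45),  # not in the database, ignored
]

if __name__ == "__main__":
    print(estimate_position(SCAN))
```

A list of nearby BSSIDs is therefore location data in its own right and deserves the same handling as coordinates.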

System-level Wi-Fi and Bluetooth scanning is the part almost nobody checks. Android specifically has settings, separate from your actual Wi-Fi and Bluetooth toggles, called Wi-Fi scanning and Bluetooth scanning, that keep the radios passively listening for nearby networks and devices to improve location accuracy platform-wide, on top of and independent from any individual app's GPS permission. Turning off Wi-Fi and Bluetooth in your quick settings doesn't necessarily turn this off, because it lives in a separate menu most people never open.

Where the data actually goes: the SDK pipeline

Most location tracking that ends up in a commercial data feed doesn't come from an app developer deliberately building a surveillance tool. It comes from a third-party SDK, a bundled piece of code from an ad network, analytics provider, or "audience insights" company, embedded inside an otherwise ordinary app for weather, games, or coupons. The app developer requests location permission for a legitimate in-app reason. The SDK, running with the same permission inside the same app, quietly collects and forwards that location data to its own servers too, often with the app developer only loosely aware of exactly what data the SDK is collecting or where it ultimately goes.

That data then frequently gets aggregated, tied to an advertising identifier rather than a name, and sold onward through a chain of data brokers, sometimes for uses well outside what any individual app's own privacy policy describes.

The FTC crackdown on location data brokers

This isn't a hypothetical pipeline. It was, for years, an openly advertised commercial product, and the case that made that fact impossible to ignore just concluded.

FTC v. Kochava, settled May 2026

The FTC sued data broker Kochava in August 2022, alleging its geolocation feed was precise enough (reportedly around 10 meters, tied to a persistent device identifier) to track visits to reproductive health clinics, places of worship, addiction recovery centers, and domestic violence shelters, sold with no meaningful consumer consent. At its peak, the underlying dataset reportedly processed billions of location pings a month from well over a hundred million devices. The case was dismissed in 2023 for insufficient injury allegations, refiled with stronger claims, and survived a second dismissal attempt in 2025. The settlement, announced May 4, 2026, permanently bans Kochava and its subsidiary from selling sensitive location data without affirmative, standalone consumer consent, and requires an ongoing program to identify and geofence sensitive locations before any data involving them can be sold.
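One way the geofencing step could be implemented, as an added example (not Kochava's or the FTC's code, and not from the original article): every ping within a buffer of a listed sensitive site is withheld before release. The site list, the 150 m buffer, the advertising IDs and the pings are constructed assumptions.

```python
import math

EARTH_RADIUS_M = 6_371_000

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

# Constructed sensitive-site list: (category, lat, lon). Not real places.
SENSITIVE_SITES = [
    ("health_clinic", 39.7392, -104.9903),
    ("place_of_worship", 39.7500, -104.9800),
]
BUFFER_M = 150  # assumed geofence radius; the article gives no figure

# Constructed feed rows: (advertising_id, lat, lon).
PINGS = [
    ("ad-0001", 39.7393, -104.9904),  # about 14 m from the clinic
    ("ad-0001", 39.7600, -105.0100),  # far from both sites
    ("ad-0002", 39.7505, -104.9795),  # about 70 m from the place of worship
    ("ad-0003", 39.7392, -104.9880),  # about 197 m away, outside the buffer
    ("ad-0004", 95.0000, -104.9903),  # invalid latitude
]

def split_feed(pings, sites=SENSITIVE_SITES, buffer_m=BUFFER_M):
    """Return (releasable, suppressed); suppressed rows carry the reason."""
    releasable, suppressed = [], []
    for ad_id, lat, lon in pings:
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            suppressed.append((ad_id, "invalid_coordinates"))  # fail closed
            continue
        hit = next((cat for cat, s_lat, s_lon in sites
                    if haversine_m(lat, lon, s_lat, s_lon) <= buffer_m), None)
        if hit:
            suppressed.append((ad_id, hit))
        else:
            releasable.append((ad_id, lat, lon))
    return releasable, suppressed

if __name__ == "__main__":
    ok, held = split_feed(PINGS)
    print(len(ok), "releasable;", held)
```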

Kochava wasn't an isolated case. The FTC reached similar settlements with X-Mode Social (rebranded Outlogic), InMarket Media, Gravy Analytics, and Mobilewalla, all location data brokers, across 2024 and 2025, each banned from selling sensitive location data without consent. Together they represent the clearest signal yet that regulators have caught up, at least partially, to a data economy that had been operating in the open for the better part of a decade. Several US states have gone further still, banning the outright sale of precise location data with narrow exceptions, and California's Delete Act now gives residents a single portal to request deletion across every registered data broker at once, rather than contacting each one individually.

How to actually lock this down

01. Audit location permissions per app, not just once
iOS's App Privacy Report and Android's Privacy Dashboard both show which apps have actually accessed location recently, not just which ones have permission. Check for anything surprising.

02. Default to "While Using" over "Always"
Reserve "Always" for the small handful of apps that genuinely need background location, like navigation or transit apps you actively rely on.

03. Switch to approximate location where precision isn't needed
Weather, news, and most "nearby" features work fine with approximate location. Reserve precise location for apps like maps and delivery tracking where it's actually the point.

04. Check the Wi-Fi and Bluetooth scanning settings specifically
On Android, these live under Settings → Location → Wi-Fi scanning / Bluetooth scanning, separate from your regular connectivity toggles. Turn them off if platform-wide location accuracy isn't worth the trade-off to you.

05. Enable automatic permission reset for unused apps
Both major platforms now offer this: permissions for apps you haven't opened in months get automatically revoked, closing the gap on apps you forgot were still granted access.

Frequently Asked Questions

Often, yes, just less precisely. Denying location permission blocks the app's access to the GPS-based location API specifically. It doesn't block IP-based geolocation, which needs no permission at all and works for any app with basic internet access, typically accurate to a city or metro area. It's a real reduction in precision, from a specific address down to a general area, but "no permission" doesn't mean "no idea."

"While Using the App" (iOS) or "Allow only while using the app" (Android) means the app can access your location only when it's open and visible on screen. "Always" lets the app request your location in the background, even when closed, which is genuinely necessary for things like turn-by-turn navigation or a package-delivery ETA, and genuinely unnecessary for the large majority of apps that request it anyway. If an app you rarely leave running asks for "Always," that's worth a second look before approving it.

It caps the precision an app receives, typically to an area of around a kilometer or more across, rather than blocking location access outright. That's usually enough for an app that genuinely needs your city or general region (weather, local news, nearby-store finders) without handing over your exact address or which specific building you're in. It's a meaningful middle ground for apps you don't fully trust but still want to use, though it doesn't help against IP-based or Wi-Fi-based inference methods that don't ask permission in the first place.

Because Android and iOS both have a system-level setting, separate from your Wi-Fi toggle, that keeps scanning for nearby Wi-Fi networks and Bluetooth devices specifically to improve location accuracy, even while Wi-Fi and Bluetooth themselves appear off. On Android it's typically labeled "Wi-Fi scanning" and "Bluetooth scanning" under location settings; it exists because nearby network names can pinpoint a location faster and more precisely than GPS alone, especially indoors. It's a genuinely useful accuracy feature and a genuinely easy thing to leave on by accident, since it lives in a separate settings menu from the toggle most people assume controls it.

Kochava was a data broker selling a feed of precise geolocation pings, sourced largely from location data that mobile apps had collected through embedded SDKs, tied to advertising identifiers. The FTC sued in August 2022, arguing the feed was specific enough to reveal visits to sensitive locations like reproductive health clinics and domestic violence shelters, and that consumers had no meaningful way to know or consent to it. The case was dismissed in 2023 for insufficient injury allegations, refiled, and survived a second dismissal attempt in 2025. A settlement was announced in May 2026, permanently banning Kochava and its subsidiary from selling sensitive location data without a consumer's affirmative, standalone consent. Full details are in the FTC v. Kochava section above.