Tap "Don't Allow" on a location permission prompt and it feels like the conversation is over.
For the GPS-specific request, it is. For everything else an app and the code bundled inside it
can still infer about where you are, it usually isn't.
This covers how location tracking actually works, the several ways it happens without a GPS
permission ever being granted, and what a settlement finalized in May 2026 revealed about just
how large the market for that data had become.
How location tracking normally works
"Location" isn't one technology, it's several, and apps typically combine them for the best available accuracy at any given moment.
| Method | Typical accuracy | Needs GPS permission? |
|---|---|---|
| GPS | Within a few meters, outdoors | Yes |
| Wi-Fi positioning | Often within tens of meters, especially indoors where GPS struggles | Usually, but not always (see below) |
| Cell tower triangulation | Hundreds of meters to a few kilometers | Yes, on modern OS versions |
| IP geolocation | City to metro-area level, occasionally more precise | No |
IP geolocation is the one worth sitting with, since it needs nothing from you at all beyond an active internet connection. Every request your device makes carries its IP address, which maps to a general location through public geolocation databases with no permission dialog involved anywhere in the process. It's covered in more depth in our piece on what your browser sends to every site you visit. A VPN changes the IP address this method sees, though it does nothing about the other methods covered below.
The permission model, briefly
Both major mobile platforms settled on roughly the same three-tier structure for GPS-based location specifically.
Precise vs approximate location
A more recent addition, on iOS since version 14 and Android since version 12, lets you grant location access without handing over your exact coordinates. Approximate location gives an app a rough area, typically a kilometer or more across, instead of a specific address or building. It's a genuinely useful middle setting: enough for a weather app, a local news feed, or a store-finder to work correctly, without revealing exactly which building you're standing in. It's worth checking per app, since many default to precise and simply never prompt you to reconsider.
How apps get location without ever asking for GPS
This is where most explanations of location privacy stop short. Denying the GPS permission closes one specific door. A few others are still open by default.
IP-based geolocation requires no permission dialog at all, as covered above. Coarser than GPS, but often good enough for advertising and analytics purposes that just need a city or region.
Wi-Fi network scanning is subtler. Nearby Wi-Fi network names and hardware addresses (BSSIDs) get logged in large, crowdsourced "wardriving" databases like WiGLE, built by volunteers physically driving around and recording which networks appear where. Once a network's BSSID is in one of these databases, seeing that same BSSID from any device instantly reveals a fairly precise location, sometimes down to a specific building, without touching GPS at all. This is genuinely how Wi-Fi-based positioning systems work at the technical level, including the legitimate ones built into your phone's OS.
System-level Wi-Fi and Bluetooth scanning is the part almost nobody checks. Android specifically has settings, separate from your actual Wi-Fi and Bluetooth toggles, called Wi-Fi scanning and Bluetooth scanning, that keep the radios passively listening for nearby networks and devices to improve location accuracy platform-wide, on top of and independent from any individual app's GPS permission. Turning off Wi-Fi and Bluetooth in your quick settings doesn't necessarily turn this off, because it lives in a separate menu most people never open.
Where the data actually goes: the SDK pipeline
Most location tracking that ends up in a commercial data feed doesn't come from an app developer deliberately building a surveillance tool. It comes from a third-party SDK, a bundled piece of code from an ad network, analytics provider, or "audience insights" company, embedded inside an otherwise ordinary app for weather, games, or coupons. The app developer requests location permission for a legitimate in-app reason. The SDK, running with the same permission inside the same app, quietly collects and forwards that location data to its own servers too, often with the app developer only loosely aware of exactly what data the SDK is collecting or where it ultimately goes.
That data then frequently gets aggregated, tied to an advertising identifier rather than a name, and sold onward through a chain of data brokers, sometimes for uses well outside what any individual app's own privacy policy describes.
The FTC crackdown on location data brokers
This isn't a hypothetical pipeline. It was, for years, an openly advertised commercial product, and the case that made that fact impossible to ignore just concluded.
The FTC sued data broker Kochava in August 2022, alleging its geolocation feed was precise enough (reportedly around 10 meters, tied to a persistent device identifier) to track visits to reproductive health clinics, places of worship, addiction recovery centers, and domestic violence shelters, sold with no meaningful consumer consent. At its peak, the underlying dataset reportedly processed billions of location pings a month from well over a hundred million devices. The case was dismissed in 2023 for insufficient injury allegations, refiled with stronger claims, and survived a second dismissal attempt in 2025. The settlement, announced May 4, 2026, permanently bans Kochava and its subsidiary from selling sensitive location data without affirmative, standalone consumer consent, and requires an ongoing program to identify and geofence sensitive locations before any data involving them can be sold.
Kochava wasn't an isolated case. The FTC reached similar settlements with X-Mode Social (rebranded Outlogic), InMarket Media, Gravy Analytics, and Mobilewalla, all location data brokers, across 2024 and 2025, each banned from selling sensitive location data without consent. Together they represent the clearest signal yet that regulators have caught up, at least partially, to a data economy that had been operating in the open for the better part of a decade. Several US states have gone further still, banning the outright sale of precise location data with narrow exceptions, and California's Delete Act now gives residents a single portal to request deletion across every registered data broker at once, rather than contacting each one individually.