In early January, 404 Media broke the news that hackers claimed to have accessed cellphone location data records from data broker Gravy Analytics, dating back to 2018. In screenshots obtained by journalists and published to 404 Media, the hackers claimed that “personal data of millions is affected,” and threatened to begin publishing information Subsequent reporting confirmed the data includes location information taken from users of apps including Tinder, Grindr, My Period Tracker and Calendar, and Microsoft Outlook, among thousands of others. (You can check to see if any apps you use are implicated by searching this spreadsheet compiled by journalists with access to the hacked data.) 

Gravy Analytics is one of hundreds of companies that profit from selling the sensitive personal information of hundreds of millions of unsuspecting cellphone and internet users. In late 2024, the Federal Trade Commission capped off a multi-year investigation into location data brokers by proposing an order to ban the company from selling location data pertaining to visits to sensitive sites like religious institutions, military facilities, and health care buildings. According to the FTC complaint, Gravy Analytics and its subsidiary Venntel Inc. continued to sell consumer location data after learning that the data subjects did not provide informed consent for the sale of their information.  

We all deserve location privacy. After all, location data reveals the most sensitive and intimate things about each of us – where we live, work, seek health care, worship, and more. That’s why the ACLU of Massachusetts launched a campaign with a coalition including reproductive rights, LGBTQ, religious, and labor groups to stop the sale of cellphone location data in our state.  

According to a 2023 poll, 92 percent of Massachusetts likely voters support such legislation. But the companies that profit from the sale and trade of our most sensitive personal information do not.  

Among those companies is Gravy Analytics, whose CEO submitted testimony to a Massachusetts legislative commission opposing the legislation in July 2023. Company founder and CEO Jeffrey White implored lawmakers not to pass legislation banning the sale of cellphone location information, asserting that “[l]ocation data in and of itself is not dangerous to consumers.”  

In his July 2023 letter to lawmakers, White claimed that the industry “has already developed technical controls limiting access to data from sensitive locations.” But according to the FTC in December 2024, the company “unfairly sold sensitive characteristics, like health or medical decisions, political activities and religious viewpoints, derived from consumers’ location data.”  

“Gravy Analytics used geofencing, which creates a virtual geographical boundary, to identify and sell lists of consumers who attended certain events related to medical conditions and places of worship and sold additional lists that associate individual consumers to other sensitive characteristics,” the FTC wrote.  

In his 2023 legislative testimony, Gravy Analytics founder and CEO White claimed that a ban on the sale of cellphone location data would hurt consumers because such a law “would give large technology platforms a monopoly on location data.” Indeed, the legislation would, if enacted, allow companies like Uber, Lyft, and Google to continue to collect, with user consent, precise geolocation data, and use that information to provide consumers with requested services.  

But here’s the thing: Consumers know – and choose – to download and use apps. If any of these consumer-facing apps or technologies were hacked and their location databases exposed, individual cellphone users – upon learning of the hack – could reevaluate their decision to use those apps based on the company’s failure to keep their data safe. 

To the contrary, no one knows whether their data was hacked by the people who compromised Gravy’s database, because consumers do not knowingly enter into any kind of relationship with Gravy or other data brokers.  

And therein lies a fundamental problem with the location data broker industry: Those of us who use cellphone apps cannot and do not know which of the hundreds of data brokers is buying and trading in our personal information, and we have very little choice in the matter. That’s one of many reasons it’s imperative that lawmakers pull the plug on this dangerous industry and restore our location privacy: each of us deserves the power to determine which companies can collect and use our location data, and in what manner, and the location data broker industry makes that impossible.  

For our privacy, for our safety, and for our personal freedom, join us as we call on Massachusetts lawmakers to end this practice once and for all.