Pin Drop: California AG Takes Aim at Location Data Practices

On March 10, 2025, the California Attorney General’s Office announced an ongoing investigative sweep into the location data practices of advertising networks, mobile app providers, and data brokers for compliance with the California Consumer Privacy Act.

Sweeps have become established practice in California: the AG’s Office announced inquiries into large employers, loyalty programs, and streaming services, and the California Privacy Protection Agency into connected vehicles and data brokers.

For years, the Federal Trade Commission has treated location data as sensitive, settling with data brokers and mobile apps (see previous blog). However, new FTC Chair Andrew Ferguson has expressed doubts about his predecessor’s approach to businesses that collect and sell consumers’ location data, arguing that the FTC Act does not prohibit drawing conclusions from lawfully obtained data, regardless of its sensitivity.

Any uncertainty about whether location data would stay in focus did not linger for long. When asked about potential enforcement priorities at the California Lawyers Association’s Privacy Law Summit in February, Supervising Deputy Attorney General Stacey Schesser identified the risk posed by location data practices as a key focus for her office. Only weeks later, those warnings have become reality.

California’s announcement draws from the FTC’s work under the previous administration. It warns of the sensitive characteristics location data can reveal related to immigration, abortion, and gender-affirming care and reminds businesses to honor opt outs and requests to limit the use and disclosure of sensitive personal information. Significantly, the Attorney General’s Office highlights consumers’ ability to limit what is shared about them through their mobile operating systems.

The FTC’s settlements with X-Mode Social, Inc. (2024) and InMobi Pte Ltd. (2016) established a precedent requiring businesses to honor a consumer’s mobile OS privacy preferences. The California Attorney General’s Office builds on this work by instructing consumers on configuring app permissions, disabling mobile advertising identifiers, and using Wi-Fi and Bluetooth in a privacy-protective manner. Beyond use for consumers, the press release acts as guidance for businesses by providing specific areas to check for compliance.

Some states, most visibly Texas, have already begun scrutinizing location data practices. Others, like Virginia, have made efforts that met with significant industry resistance. In the vacuum created by the FTC, states will ensure location data remains in the spotlight.

“Every day, we give off a steady stream of data that broadcasts not only who we are, but where we go. This location data is deeply personal, can let anyone know if you visit a health clinic or hospital, and can identify your everyday habits and movements,” said Attorney General Bonta. “California boasts the nation’s most robust privacy protection law, and businesses that collect consumer data must follow the law. Given the federal assaults on immigrant communities, as well as gender-affirming healthcare and abortion, businesses must take the responsibility to protect location data seriously.”
