Gravy Analytics faces another lawsuit over a data breach that allegedly exposed millions of mobile phone coordinates, reigniting concerns over location tracking and consumer privacy.
What happened
Gravy Analytics has been sued again over allegations that it failed to protect personal data, including the precise locations of millions of smartphone users. A complaint filed in a federal court in Northern California claims that 17 terabytes of location data were stolen from Gravy’s AWS S3 storage and later surfaced on a Russian cybercrime forum. At least four lawsuits have now been filed against the data broker since January, following previous cases in New Jersey and Virginia.
Gravy Analytics confirmed a security breach occurred on January 4, 2025, in a non-compliance report submitted to the Norwegian Data Protection Authority. The breach reportedly exposed detailed geo-location data collected from various popular mobile applications.
Going deeper
The lawsuit alleges that Gravy Analytics’ data archive contains highly sensitive location data collected from users of widely used apps, including MyFitnessPal, Microsoft 365, Yahoo Mail, some dating apps, and even religious and medical-focused applications. The data, obtained through partnerships with third-party data brokers, includes mobile phone coordinates from devices across the U.S., Russia, and Europe.
Gravy Analytics and its subsidiary, Venntel, have been under regulatory scrutiny for some time. In December 2024, the Federal Trade Commission (FTC) banned the companies from selling sensitive location data as part of a settlement order finalized in January 2025. The FTC had accused the firms of using geofencing to identify and sell consumer data linked to religious sites and medical facilities, practices that raised serious privacy concerns.
What was said
The lawsuit accuses Gravy Analytics of failing to protect consumer data, violating California’s Unfair Competition Law, and engaging in negligence, breach of contract, and unjust enrichment. Plaintiffs argue that the breach poses severe risks, including identity theft, given the sensitive nature of the stolen information.
Despite these legal challenges, Gravy Analytics maintains that it does not directly collect location data from users but instead licenses it from third-party providers who claim to have obtained user consent. However, privacy advocates argue that such arrangements lack meaningful transparency and user control.
The big picture
Lawsuits like this one are part of a larger fight over data privacy and corporate accountability. The location tracking industry thrives on collecting and selling personal data, often without users fully understanding how their information is used. As legal challenges mount, the outcome could determine whether data brokers face consequences for data collection or continue to operate with minimal oversight.
FAQs
What does Gravy Analytics do with location data?
The company aggregates and sells location data to advertisers, businesses, and government agencies for purposes like targeted marketing and analytics.
Why is location data so sensitive?
Location data can reveal personal habits, workplace locations, medical visits, and even religious affiliations, making it highly valuable and potentially dangerous if misused.
How can users protect themselves from location tracking?
Users can limit tracking by disabling location services for non-essential apps, reviewing app permissions, and using privacy-focused tools like VPNs or tracking blockers.
Could this lawsuit impact how location data is handled in the future?
If successful, legal actions like this could push for stronger regulations, greater transparency, and stricter penalties for companies that mishandle consumer data.
Farah Amod
