Location data is the record of where a device has been over time, captured by GPS, cell-tower triangulation, Wi-Fi positioning, Bluetooth beacons, and IP geolocation. Generated by phone operating systems (iOS Significant Locations, Android Location History), by app SDKs (most major apps embed at least one location-collecting library), by carrier records (cell-site location data, kept for varying retention periods), and by ambient infrastructure (license plate readers, public Wi-Fi captive portals, retail beacons).
What it means in practice
The accumulated location data on a typical adult’s phone is more revealing than nearly any other category of personal data. Patterns emerge: where you sleep (the cluster between midnight and 6am), where you work (the cluster during business hours), the schools your kids attend, the medical clinics you visit, the houses of worship, the bars, the gyms, the homes of friends and lovers. The 2018 Strava heatmap incident exposed US military forward operating base layouts because aggregated workout data revealed running tracks inside otherwise unmapped facilities. The 2022 Roe v. Wade decision triggered a wave of attention to abortion-clinic location data; the data has been there for years, the threat model just changed visibility. The structural defense is reducing what gets captured (per-app permissions, location services off when not needed) and reducing what gets retained (turn off Significant Locations, Location History, app-side history retention).
Where it shows up
Captured by: phone OS (iOS Settings, Privacy and Security, Location Services, System Services, Significant Locations; Android Settings, Location, Google Location History), every app with location permission (most apps ask, most users grant), carriers (cell-site records, retained 12 to 60 months depending on carrier and country), public Wi-Fi networks (you joined this network at this time from this device), license plate readers (Flock Safety, ALPR networks), home assistants and smart speakers (timestamped voice command logs imply presence). Producible to: law enforcement on warrant or subpoena, civil litigation discovery, insurance underwriters with consent, advertising networks that buy location data from app SDKs, data brokers that aggregate and resell.
What you can change today
Three settings on every device. iPhone: Settings, Privacy and Security, Location Services, walk through every app and set to “Never” or “Ask Next Time” rather than “Always” or “While Using.” Then Settings, Privacy, Location Services, System Services, turn off Significant Locations after clearing the existing history. Android: Settings, Location, App Permission, set most to “Don’t allow” or “Only while using.” Then Google Account, Data and Privacy, Web and App Activity, Location History, turn off and delete prior history. Carrier: most carriers cannot be opted out of CDR retention by individual users, but you can refuse “supplemental location services” features that consolidate carrier-side location for advertising purposes. The structural improvement: leave the phone home for sensitive meetings, always.
