Gravy Analytics is once again facing a lawsuit over its handling of personal data, with the latest complaint filed in Northern California. This suit follows multiple legal actions against the company since January 2025, after it was revealed that hackers had stolen approximately 17 TB of sensitive data, including the geo-locations of millions of smartphones. The data was allegedly collected from various apps used by individuals, such as Tinder, Grindr, and MyFitnessPal. This data breach, discovered in January, led to a non-compliance report filed with the Norwegian Data Protection Authority, further escalating concerns about the security of Gravy’s data stores.
The new lawsuit claims that Gravy, now a subsidiary of Unacast, failed to adequately protect this data, despite its responsibility to do so.
The complaint includes allegations of negligence, breach of implied contract, and unjust enrichment. It argues that Gravy’s failure to secure such sensitive information, including the locations of mobile devices in the US, Russia, and Europe, exposes users to risks like identity theft. The company had previously been banned by the FTC from selling location data related to sensitive consumer activities, such as visits to places of worship and medical-related events, in response to its controversial practices.
Gravy Analytics has denied directly collecting location data from apps, stating that it purchases data from third-party brokers who collect it from users with consent. The company asserts that it does not track smartphone users or collect location data through apps directly. However, this claim has not deterred the growing legal scrutiny surrounding the company’s data collection and storage practices. The company’s insistence that the data is obtained commercially raises additional concerns about privacy and the risks associated with licensing such information.
Despite its defense, Gravy Analytics faces significant backlash, with lawsuits highlighting the potential dangers posed by the mishandling of personal data. The case underscores the lack of comprehensive federal privacy laws in the US and highlights the challenges of ensuring adequate protection for individuals’ sensitive information. The growing legal actions and the FTC’s involvement suggest an ongoing issue with how Gravy manages the vast amounts of personal data it acquires through third-party sources.
