Your Location Data Is Worth More Than You Think
Picture this: you’re standing in line at security, scrolling through your phone to check your boarding pass one more time. What you don’t realize is that three different apps are quietly recording your exact location, storing your device’s unique identifiers, and preparing to sell that information to data brokers you’ve never heard of. This permission allows the extraction of various user identifiers, such as the International Mobile Equipment Identity (IMEI), the International Mobile Subscriber Identity (IMSI), the phone number, the device serial number, and the unique identifier for the SIM card. That convenience you love so much comes with a price tag most travelers never see coming. In 2025, the regulatory landscape has shifted dramatically, with five new privacy laws taking effect, and three more will take effect later in the year, adding to the growing complexity of compliance for businesses navigating an increasingly fragmented landscape of state regulations. The apps in your travel folder might be breaking more laws than you realize, and the fines are getting bigger by the day.
Booking.com Collects More Than Your Reservation Details
Booking.com isn’t just tracking where you sleep at night – it’s building a comprehensive profile of your travel patterns, financial capacity, and personal preferences. Booking.com declares on the Play Store that it collects audio-related data. However, we could not find permission to access the microphone when we tested the app. This discrepancy between what they claim to collect and what permissions they actually request creates a gray area that privacy regulators are increasingly scrutinizing. Under the GDPR, fines can be up to EUR 20 million or four percent of global annual revenue for the preceding financial year, whichever is higher. The platform processes massive amounts of location data from EU residents without always meeting the strict consent requirements that came into force with recent privacy updates. Your booking history reveals intimate details about your lifestyle, relationships, and spending habits that go far beyond simple accommodation preferences.
MakeMyTrip’s Secret Audio Recording Capabilities
India’s popular travel platform MakeMyTrip has been caught with concerning permissions that most users never agreed to knowingly. Three out of twenty-two tested travel apps – Hotwire, Trip.com, and MakeMyTrip – have permission to access the device’s microphone and record audio input. In contrast, MakeMyTrip and Hotwire do not disclose the collection of audio-related data, but permission to access the microphone is built into their apps. While the company’s spokesperson claims these permissions are only used for specific features like verification documents, if exploited, the “record audio” permission might lead to unauthorized surveillance, capturing sensitive conversations and personal information. This violation becomes even more problematic when you consider that many travelers use the app in airports, hotels, and other public spaces where sensitive conversations occur regularly. The lack of proper disclosure violates multiple international privacy frameworks that require explicit consent for audio recording capabilities.
Trip.com’s Data Collection Goes Beyond Borders
Trip.com operates in multiple jurisdictions, which creates a complex web of privacy law compliance issues that the company seems to struggle with. Trip.com disclosed on the Play Store that it collects voice and sound recordings. But what’s more concerning is their access to messaging and calling functions. Three travel apps – MakeMyTrip, Hilton Honors, and Trip.com – had permission to access messages and calls on users’ devices without disclosure. Apps with this permission can send text messages and make calls on behalf of the user. Access to the calling functionality can lead to privacy breaches and fraudulent spamming communications if exploited. This means the app could potentially rack up charges on your phone bill or send messages you never authorized. The company’s global reach means they’re subject to privacy laws in Europe, Asia, and North America simultaneously, creating a compliance nightmare that often results in data handling practices that violate at least one jurisdiction’s requirements.
Hilton Honors Hides Behind Hotel Industry Standards
Even established hotel chains aren’t immune to privacy violations, and Hilton’s loyalty app demonstrates how traditional hospitality companies struggle with digital privacy compliance. Three travel apps – MakeMyTrip, Hilton Honors, and Trip.com – had permission to access messages and calls on users’ devices without disclosure. The hotel industry has historically operated under different privacy expectations, but mobile apps have changed the game entirely. Hilton Honors collects location data that can reveal sensitive information about business travelers, including meeting locations, client visits, and confidential travel patterns. The relationship between e-commerce and cybersecurity is viewed with great concern by OTAs, hotels, smart cities, and users in security, privacy, and economic terms. When this data is combined with credit card information, meal preferences, and room service orders, it creates a detailed profile that could be exploited by competitors or malicious actors.
Hotwire’s Hidden Microphone Access Problem
Hotwire markets itself as a discount travel platform, but what users don’t realize is they might be paying with their privacy rather than their wallets. MakeMyTrip and Hotwire do not disclose the collection of audio-related data, but permission to access the microphone is built into their apps. This hidden audio access capability puts the app in direct violation of transparency requirements under GDPR and similar privacy laws. The company’s “opaque booking” model, where you don’t know exactly which hotel you’re getting until after you pay, extends to their data practices – users don’t know exactly what data is being collected until it’s too late. The FTC has stepped up enforcement of mobile data privacy violations, and Hotwire’s lack of disclosure puts them directly in the crosshairs of regulators looking to make examples of companies that prioritize convenience over consent.
Airbnb’s Camera Permission Controversy
Airbnb’s app requests camera access for legitimate reasons like property verification, but the implementation raises serious privacy concerns that violate local laws in multiple jurisdictions. Ten apps failed to disclose the collection of camera-related data on the Google Play Store. The company collects photos not just of properties, but potentially of users themselves during the verification process. As one of the most popular apps, Airbnb also tops the charts in possible privacy concerns. What makes this particularly problematic is that Airbnb operates in cities and countries with vastly different privacy laws, and their one-size-fits-all approach to data collection often runs afoul of local regulations. Airbnb has agreed to pay €576 million ($621 million) to Italian authorities, putting an end to a drawn-out tax dispute. While this fine was for tax compliance, it demonstrates how the company’s global operations create massive regulatory liabilities when they fail to adapt their practices to local laws.
Google Maps and Location Privacy Violations
Google Maps might seem like an obvious choice for navigation, but its data collection practices violate privacy laws in multiple European countries and several U.S. states. Most map apps save your location information, search queries, and sometimes even your travel history. The app creates what privacy experts call “digital footprints” that can reveal intimate details about your daily routines, relationships, and personal life. In January 2022, the Austrian Data Protection Authority (DSB) delivered a landmark decision, declaring Google Analytics in violation of the Schrems II ruling. While Google attempted to anonymize IP addresses, the DSB deemed this effort inadequate. Google’s location data collection through Maps extends beyond simple navigation – it powers advertising networks, location-based marketing, and behavioral profiling that operates across multiple Google services without clear consent boundaries.
Uber’s Data Sharing With Third Parties
Uber doesn’t just know where you’re going – they know where you’ve been, who you’ve been with, and they’re sharing that information with partners in ways that violate emerging privacy laws. The app collects precise location data before, during, and after rides, creating detailed movement patterns that can reveal sensitive information about medical appointments, romantic relationships, and business meetings. From cookies tracking user behavior to ecommerce purchases, to supplying apps with sensitive data like health information or financial details. Misuse of this information can have huge negative consequences for people, including identity theft and fraud. Uber’s surge pricing algorithm uses location data to determine when and where people are most desperate for transportation, which some privacy advocates argue constitutes unfair profiling under GDPR. The company’s data sharing agreements with mapping services, payment processors, and advertising networks create a web of third-party access that often lacks the explicit consent required by modern privacy laws.
WhatsApp’s Travel Group Chat Privacy Issues
WhatsApp might not be a travel app per se, but it’s become essential for coordinating group trips, sharing itineraries, and staying connected while traveling. However, its data practices create privacy violations that most travelers don’t consider. Ireland’s Data Protection Commission fined WhatsApp for unclear privacy policies and a lack of transparency in how it was using user data. The app collects location data when users share their whereabouts with travel companions, but this data is then processed and stored in ways that violate local privacy laws in multiple jurisdictions. Meta’s recent privacy policy changes have made WhatsApp’s data sharing with Facebook and Instagram more extensive, meaning your travel conversations and location shares are being used to build advertising profiles across multiple platforms without clear consent for this secondary use.
TripAdvisor’s Review Data Mining Operation
TripAdvisor markets itself as a review platform, but behind the scenes, it’s running a sophisticated data mining operation that violates privacy laws in multiple ways. The app doesn’t just collect your reviews – it analyzes your browsing patterns, tracks which listings you view but don’t book, and builds psychological profiles based on your travel preferences and spending patterns. These requests come from a myriad of service providers, such as airline companies, hotels, travel agencies, mobile app developers, location-based services (LBS), online review platforms, social networking sites, and others. Some of these providers are local to the destination (e.g., destination apps), thus are not familiar to the travelers, and some are connected to each other (e.g., hotels partnering with online travel agencies and tour operators), thus might share a certain amount of customer data with each other. The company’s business model depends on selling user data to hotels and restaurants, but their consent mechanisms often fail to meet the explicit, informed consent standards required by GDPR and similar laws. TripAdvisor’s location tracking continues even when you’re not actively using the app, building detailed movement profiles that reveal personal information about your travel habits, income level, and lifestyle choices.
The Real Cost of Convenience
These privacy violations aren’t just technical infractions – they represent a fundamental shift in how our personal information is being weaponized for profit. For example, in December 2024, the FTC settled with two data brokers over allegations that the companies collected, retained, and sold consumers’ precise location data associated with “sensitive” locations without adequately verifying consumers’ consent. When you consider that Gartner has predicted that 75% of the world’s population will have data privacy protections by the end of 2024, these apps are increasingly operating outside the law. The convenience of having everything at your fingertips comes with a hidden price tag that includes your location history, personal conversations, financial data, and intimate details about your relationships and lifestyle. As privacy laws tighten around the world, travelers need to make conscious choices about which apps they’re willing to trust with their most sensitive information – because the apps themselves clearly can’t be trusted to follow the rules.
What surprised you most about these hidden privacy violations – the audio recording or the data selling?
