Updated January 2026 · 7 min read

Is Tracking a Phone Number Legal? The Honest Answer

Short answer: it depends entirely on consent. Tracking a phone number with the explicit permission of the person using the phone is legal in virtually every jurisdiction in the world. Tracking someone's phone without their knowledge or consent is usually a serious legal offence. Let's unpack both sides.

This article is educational, not legal advice. Laws vary by jurisdiction. If you're uncertain about a specific situation, speak to a lawyer.

The legal principle: consent is everything

Most privacy laws around the world treat location data the same way they treat medical records or financial information: it's personal, sensitive, and protected. Tracking someone's phone without consent generally counts as unauthorised processing of personal data and/or covert surveillance, both of which carry serious penalties.

The moment the tracked person opts in, those rules no longer apply. Consent transforms an otherwise illegal act into a lawful one — which is why consent-based tracking services like Tracify are legal worldwide.

Legal: consent-based tracking

Examples of consent-based tracking that are legal in most countries:

  • You send a friend an SMS asking them to share their live location. They tap accept.
  • A parent and a teenager both agree to keep Family Sharing enabled.
  • An employer asks delivery drivers to install a dispatch app that tracks them during shifts, with written consent.
  • A user sends a Tracify consent SMS to a phone number; the recipient taps the link to approve.

In all of these cases, the person being tracked is actively aware and actively agreeing.

Illegal: tracking without consent

Examples that are usually illegal:

  • Installing spyware on someone's phone without telling them.
  • Paying a data broker to pull a phone's location from carrier data without the subject's permission.
  • Impersonating a carrier or law-enforcement officer to trick someone into revealing their location.
  • Tracking a former partner or ex-spouse — this is a textbook example of stalkerware and can carry criminal penalties.

How the major privacy regimes handle it

GDPR (European Union)

Location data is explicitly classified as personal data under GDPR. Processing is only lawful if you have a legal basis — most commonly, explicit consent. Without consent, tracking someone's location can result in fines of up to €20 million or 4% of global revenue.

CCPA (California)

Location is a "personal information" category. You must give users the right to know, delete, and opt out. Consent-based tracking meets all these obligations because the user opted in at the start.

UK Data Protection Act 2018 & PECR

PECR specifically addresses communications metadata (including location). Consent is required.

US state laws

California, Virginia, Colorado, Connecticut, and Utah have all passed privacy laws requiring opt-in for sensitive data — which usually includes location. More states are following in 2026.

Bottom line for consumers: if you're using a service like Tracify that requires active consent from the person being tracked, you are on the right side of every major privacy law.

What about tracking your own child's phone?

Most jurisdictions allow parents to track their minor children's devices. Best practice is still to be transparent — tell your kids the phone is tracked, show them the app, and discuss why. Covert tracking of children can erode trust and, in older teens, even raise legal questions.

What about employer tracking?

Employers can track company-owned devices during work hours with written consent in the employment contract or an acceptable-use policy. Tracking an employee's personal device without consent is almost always illegal.

Why Tracify is legal everywhere it operates

Tracify is built around a single principle: no consent, no location. The recipient of every Tracify SMS must actively tap a link and approve the request before any GPS data is shared. That single design decision keeps Tracify compliant with GDPR, CCPA, PECR, LGPD, POPIA, and the dozens of other data-protection regimes we've reviewed.

What about the recipient's right to refuse?

Every Tracify request can be declined. If someone ignores the SMS or actively rejects it, no location is shared and they can report the request to us — we'll blacklist the sender if there's a pattern of harassment. Consent is not a one-off either: the recipient can refuse future requests at any time.

A simple test: would you be comfortable telling them?

A useful ethical check: would you be comfortable sending a message like, "Hey, I'm using Tracify to ask for your location — is that okay?" If yes, you're in safe territory. If you'd rather hide the request, you probably shouldn't be making it in the first place.

Legal, ethical, and simple

Tracify's consent-first design keeps you on the right side of the law. Start the $0.50 trial — try it with your own phone to see how the consent flow works.

Try Tracify