State of Marketplace
Image Privacy 2026
We audited public product listings across six major resale marketplaces — Poshmark, Depop, Grailed, Mercari, Vinted, and Rebag. The findings: sellers routinely expose GPS coordinates pinpointing residential addresses, camera serial fingerprints, and bloated files that inflate CDN costs.
By the numbers
Cross-marketplace aggregate across all audited listings.
GPS leak rate by marketplace
Percentage of sampled listings with GPS coordinates present in EXIF metadata. A 0% rate indicates the marketplace strips EXIF server-side — the right behavior.
Per-marketplace breakdown
All figures are percentages of sampled listings. "Compression headroom" is the average file size reduction achievable by converting to WebP at quality 85 — a direct proxy for how much CDN bandwidth is wasted per image.
| Marketplace | Sampled | % GPS leak | % Suburb-precision | % Camera fingerprint | Avg compression headroom |
|---|---|---|---|---|---|
|
Mercari
|
12 | 100.0% | 33.3% | 100.0% | 71% |
Redacted GPS examples
One anonymised GPS coordinate per marketplace where exposure was detected. Coordinates are rounded to a ~1km grid. Usernames, listing URLs, and exact addresses have been removed. Precision classification: exact = street-level (≥4 decimal places), suburb = neighbourhood-level (2–3 decimal places).
Methodology
What we checked
For each marketplace we collected a set of public, recently-listed product URLs from browse and search pages. No authentication was required. For each listing we:
- Fetched the primary product image (og:image / twitter:image)
- Extracted raw EXIF metadata using Sharp's metadata() API
- Parsed GPS IFD tags from the TIFF header using a custom EXIF walker
- Classified GPS precision by decimal-place count (exact ≥4dp, suburb 2–3dp, city <2dp)
- Recorded camera make, model, and software tags
- Measured compression headroom by converting to WebP at quality 85
What we did NOT do
We did not attempt to geolocate sellers, cross-reference listings against other data sources, or retain any identifying information. All GPS coordinates in this report are rounded to a ~1km grid. No listing URLs, usernames, or item IDs are published.
Sample size and date
Data collected May 27, 2026. Sample: up to 40 public listings per marketplace (actual audited count shown in the table above). Listings were selected from each platform's public browse/featured pages without authentication.
Limitations
Not all listing pages serve original uploaded images — some marketplaces re-compress server-side before delivery, stripping EXIF in the process. A 0% GPS rate may indicate server-side stripping rather than seller behaviour. Where EXIF is present in served images, the marketplace is not stripping metadata.
Per-marketplace detail pages
Deep-dive data for each platform — GPS examples, compression benchmarks, and what one API call would change.
What to do about it
If you're a seller, you can audit your own listings for free. If you're building a marketplace, one API call fixes this for every image you accept.
Audit your own listings →
Paste any Poshmark, Depop, Mercari, Grailed, Vinted, or eBay listing URL. Instant GPS check, camera fingerprint, and compliance scan — no signup needed.
Get the full dataset →
Building a marketplace and want the raw audit data for your platform? We'll send you the full CSV — no charge, in exchange for a conversation about what Filtrate can automate for you at scale.
Fix it for every image →
One POST /v1/process call strips EXIF, compresses to WebP,
and returns a compliance verdict. $0.002/image. No infrastructure needed.