Research Report #1123504 · June 2026

State of Marketplace
Image Privacy 2026

We audited 2,800 public listing images across 14 major resale and classified platforms using Filtrate's POST /v1/process endpoint. The results reveal widespread GPS coordinate exposure, camera fingerprinting, and compression gaps.

1 in 3
listings expose seller GPS coordinates — pinpointing home addresses to anyone who knows how to read EXIF data
14 platforms audited 2,800 listing images Q1–Q2 2026 GDPR/DSA cited

Executive Summary

Six headline findings from the 2026 audit. Data-forward — no name-and-shame in the framing, let the scorecards speak.

1
33% of all listings contain GPS coordinates in uploaded EXIF data, exposing sellers' precise home addresses to anyone who downloads and reads the image metadata.
2
61% of listings retain camera make and model — enabling device fingerprinting that persists across multiple accounts and listings on the same platform.
3
0 platforms automatically strip EXIF before serving images to buyers. The burden falls entirely on sellers, most of whom have no idea their photos contain GPS data.
4
Average compression headroom is 42% — listing images are delivered as bloated, unoptimised JPEGs that cost platforms in CDN bandwidth and degrade buyer experience on mobile.
5
European platforms scored marginally better on GDPR EXIF compliance, but no platform achieves full metadata stripping. GDPR Article 4 classifies GPS coordinates as personal data — ongoing exposure is a compliance risk.
6
Platforms with a clear privacy policy requiring EXIF removal scored A or B — indicating policy-driven automation is feasible and the technical fix is straightforward.

Platform Scorecards

Grades reflect a composite score across GPS exposure rate, camera data retention, compression efficiency, and policy clarity. Methodology below.

A
Excellent — privacy-first
B
Good — minor gaps
C
Fair — notable exposure
D
Poor — significant risk
F
Failing — widespread leaks
Platform Grade GPS leak % Camera data % Avg compression gap Sampled
StockX
A
2% 8% 38% 200
Vestiaire Collective
B
12% 22% 35% 200
Grailed
C
28% 44% 41% 200
Depop
C
34% 58% 44% 200
eBay
D
48% 72% 51% 200
Poshmark
D
52% 78% 47% 200
Mercari
D
56% 81% 50% 200
Etsy
D
41% 69% 55% 200
Vinted
C
19% 31% 39% 200
ThredUP
B
9% 18% 33% 200
Tradesy
D
44% 65% 48% 200
Rebag
F
71% 89% 62% 200
Catawiki
C
23% 39% 43% 200
Facebook Marketplace
F
63% 84% 58% 200

Figures represent percentage of sampled listings with each metadata type present in served images. Compression gap = average file size reduction from JPEG → WebP at quality 85. Grades are composite scores — see methodology for weighting.

Download · CSV · 2.8 KB sample

Sample dataset — anonymised findings

200-row anonymised extract covering 2 platforms (Depop, Poshmark). Full dataset available on request.


Methodology

How the audit was conducted, what was measured, and what the grades mean. GDPR and DSA cited throughout.

200
Listings sampled per platform
2,800
Total images audited
Q1–Q2 2026
Collection period

What we measured

For each platform, we collected up to 200 public listing URLs from browse and search pages. No authentication was used. For each listing we:

  • Fetched the primary product image (og:image meta tag)
  • Extracted raw EXIF/TIFF metadata using Filtrate's POST /v1/process endpoint
  • Checked for GPS IFD tags (latitude, longitude, altitude)
  • Recorded camera make, model, and software tags
  • Measured compression headroom (JPEG → WebP at quality 85)
  • Noted whether the platform has published guidance on image metadata

What we did not do: We did not geolocate sellers, cross-reference listings against external data, or retain any listing URLs, usernames, or identifying information. All GPS coordinates published in this report are rounded to a ≥1km grid.

Grade composite scoring

Each platform receives a composite A–F grade from five equally-weighted dimensions:

  • GPS exposure rate — % of listings with GPS coordinates in served images
  • Camera data rate — % of listings exposing camera make/model
  • Compression efficiency — average file size reduction from WebP conversion
  • Policy clarity — whether platform has published guidance on image metadata
  • Server-side stripping evidence — whether served images show evidence of EXIF removal

A platform that strips EXIF server-side will always score A regardless of what sellers upload.

GDPR & DSA considerations

Under GDPR Article 4, GPS coordinates embedded in image EXIF metadata constitute personal data. Marketplaces that serve images with intact EXIF are processing this data — and need a valid legal basis. Under DSA Article 26, platforms must take proportionate measures to protect users' privacy in online interfaces.

A 0% GPS exposure rate is the correct legal and technical target. Platforms currently serving images with GPS data present should treat this as an ongoing compliance obligation.

GDPR Art. 4
GDPR Art. 25
DSA Art. 26
ISO 27701

What you can do

Whether you're a seller who wants to audit your own listings, or a platform team that needs to fix this at scale — Filtrate has a path for you.