Pokémon Go, 30 billion images and delivery robots: anatomy of an invisible consent
Pokémon Go: 30 billion images of players are now used to train delivery robots. It was all in the terms of service. But was the consent truly informed?

You probably came across the news this week. Niantic Spatial, the artificial intelligence arm spun out of the studio that created Pokémon Go, announced a strategic partnership with Coco Robotics, a startup deploying autonomous delivery robots on the sidewalks of Los Angeles, Chicago, Miami, Jersey City and Helsinki. The purpose of the partnership: to embed Niantic's Visual Positioning System in these robots, a geospatial model trained on more than 30 billion images collected from players of Pokémon Go, Ingress and Pikmin Bloom over the past decade.
And immediately, the wave of viral posts followed. The dominant narrative, relayed on X, Reddit and LinkedIn, boils down to a single sentence: "Pokémon Go players mapped the world without knowing it, and their data is now being used to train robots."
The problem is that this sentence is both true and deeply misleading. And it is precisely in that gap that a far more interesting question plays out than the surrounding sensationalism.

What Niantic actually built
To understand what is happening, we have to go back to what the Visual Positioning System actually does. GPS, in a dense urban environment, is notoriously imprecise. Signals bounce between buildings, degrade under bridges, drift by dozens of meters in the areas engineers call "urban canyons." Brian McClendon, CTO of Niantic Spatial and former head of Google Maps, sums up the problem with a telling image: that blue dot on your phone that sometimes places you on the wrong sidewalk, facing the wrong way, 50 meters from your actual position.
The VPS solves this problem differently. Instead of relying on satellites, it compares what a device's cameras see (a phone, a robot, tomorrow AR glasses) with a massive database of geolocated images of the real world. By cross-referencing angles, visual landmarks, buildings and textures, the system computes a position accurate to the centimeter. It is the same technical principle that let a virtual Pikachu "run" realistically along a sidewalk in Pokémon Go. Except that today it is a delivery robot loaded with eight extra-large pizzas that needs it to navigate without running anyone over.
The underlying model, which Niantic calls its Large Geospatial Model, was trained on 30 billion images collected from hundreds of millions of players since Pokémon Go launched in July 2016. For each of the more than one million referenced points of interest, Niantic holds thousands of images taken from different angles, at different times of day, in different weather conditions. It is this density of coverage that makes the system robust in the face of real-world variation: a construction site that appears, lighting that shifts, a café terrace that gets set up.

The question of consent: more subtle than it looks
This is where the debate deserves to be framed honestly, without falling into either reflexive outrage or corporate defensiveness. And this, above all, is where a reading through the human factor becomes essential. Because the question is not technical, nor even legal. It is cognitive. It falls under what cyberpsychology calls the gap between formal consent and informed consent: the moment a user ticks "I accept" without their brain having actually processed what they are committing to.
The viral narrative says: "without knowing it." Niantic's response, and that of some analysts, says: "it was all transparent since 2016." The reality lies between the two, and it is this gray zone that is instructive.
Let us start with what is beyond dispute. As early as 2016, Pokémon Go's terms of service granted Niantic a perpetual, worldwide, royalty-free and irrevocable license on the content submitted by players: photos, videos, sensor data. The app explicitly requested access to the camera for the augmented reality experience. John Hanke, Niantic's founder and former head of Google Earth, never made any secret of his ambition to build a 3D map of the real world from player data. In 2020, the "Scan a PokéStop" feature (later renamed AR Mapping) was rolled out as an explicitly opt-in mechanism: the player had to voluntarily agree to film a real location in exchange for in-game rewards. The scans were automatically anonymized (faces and license plates blurred) and not tied to individual accounts.
On the formal legal level, there is nothing hidden. Everything is written down. Everything is documented. Everything is opt-in for the scanning part.
But let us look at what "transparent" means in practice for a 14-year-old who opens the app to catch a Pidgey outside their house in 2016. This is where the human factor comes into play, and where things need to be named. The privacy policy runs to several thousand words. The perpetual and irrevocable license on submitted content is buried in a document that fewer than 1% of users read, and that figure is not hyperbole, it is a constant documented in every study of terms of service for the past twenty years. This phenomenon has a name in cognitive psychology: consent fatigue. From clicking "I accept" ten times a day on documents no one can reasonably read, the human brain automates the gesture. Consent becomes a motor reflex, not an act of understanding. Niantic's founder had a clear strategic vision from day one, but that vision was never communicated within the game's interface itself. The opt-in for PokéStop scans, introduced in 2020, was certainly voluntary, but incentivized by in-game rewards. In cyberpsychology, this is a textbook case of what is called the variable-reward nudge: the player does not scan because they have understood and accepted the geospatial purpose of the act, they scan because their brain anticipates a virtual candy. The line between "free choice" and "structural incentive" becomes considerably blurrier when dopamine gets involved.
And above all: at the moment players scanned their PokéStops in 2020 or 2021, none of them could reasonably anticipate that their images would be used, five years later, to train autonomous delivery robots as part of a partnership with a Silicon Valley startup. The purpose drifted. Not illegally (the license permitted it), but in a way the initial consent could not cover in an informed manner.
This is exactly the definition of the anticipatory consent problem in the data economy: you agree to a use at time T, and the data is used for a radically different purpose at T+5, without anyone coming back to ask you.

The real issue: purpose creep as a business model
What makes the Niantic/Pokémon Go case particularly interesting is not that it is scandalous (it is not, in the legal sense of the term). It is that it illustrates with rare clarity a mechanism that has become structural in the digital economy: the collection of data for a stated use, followed by commercial reuse under an entirely different purpose, made possible by contractual clauses broad enough to cover just about anything.
Niantic did not trap its players. But Niantic designed a system in which the game is the interface, entertainment is the incentive, and geospatial data is the product. The player is both the customer and the sensor. And when the studio was sold to Scopely (owned by the Saudi sovereign wealth fund's Savvy Games Group) in 2025 for 3.5 billion dollars, while the AI arm was carved out and kept by the original investors, you understand that the value never lay in the Pikachu.
It is telling, in fact, that MIT Technology Review quotes McClendon explaining that Niantic Spatial wants to build a "living map" of the real world, one that continuously updates itself thanks to data fed back by the robots themselves and by every device using the system. The circle closes: players fed the initial model, robots will feed the next model, and the final product, a planet-scale visual positioning infrastructure, will be licensed to whoever is willing to pay.
Let us add a point almost no one mentions in the media coverage: once the images are anonymized and built into the model, players have no right to withdraw the data already processed. Opting out only affects future contributions. The model itself is irreversible. This is a technical fact, not a moral criticism, but it is a fact worth keeping in mind when we talk about transparency.
What I take away for 2026
This story is neither a scandal nor a non-event. It is a revealer. And what it reveals is not a legal loophole or a technical failure. It is the fundamental blind spot in our entire approach to digital consent: we design data protection systems as if the humans using them were attentive readers, rational decision-makers, fully informed agents. They are not. They never have been. And building consent architectures on that fiction is building a house on sand while congratulating yourself on the solidity of the roof.
This is exactly why I argue, in my work as in my talks, for an approach to cybersecurity and data governance that starts from the human factor, not from documentary compliance. GDPR imposes the principle of purpose limitation. Fine. But when contractual clauses are drafted broadly enough to cover uses that do not yet exist, and the user accepts them in a state of chronic consent fatigue, the principle protects the text, not the person.
And that is something I discuss in my book Être en cybersécurité, published last year.

The real question for organizations in 2026 is not "do our terms of service cover this use?" It is: "do our users genuinely understand what they are taking part in, at the moment they take part in it?" And if the answer is no, then legal compliance only protects you before a court. Not before public opinion. Not before the loss of trust. Not before the moment your users discover, five years later, that their playful gestures feed a commercial infrastructure they had never imagined.
Niantic did nothing illegal. But the gap between the legality of a data use and its legitimacy as perceived by users is a risk that neither lawyers nor engineers know how to measure. Only an approach that builds cognitive psychology into data governance can begin to close it.
The final word
In 2016, five hundred million people installed Pokémon Go in sixty days. They were looking for a Pikachu. Ten years later, the Pikachu is still there, but behind it stands a 3D mapping infrastructure of the real world, trained on 30 billion images, sold to makers of autonomous robots.
No one was robbed. But the question worth asking is not "was it legal?" (the answer is yes). The question is: at what point does consent given to catch a cartoon character stop covering the training of autonomous machines that roam the sidewalks your children walk on?
Sources
- MIT Technology Review, 10 mars 2026, « How Pokémon Go is giving delivery robots an inch-perfect view of the world »
- Niantic Spatial, 10 mars 2026, annonce officielle du partenariat avec Coco Robotics
- PetaPixel, 16 mars 2026, « Pokémon GO Players Helped Build a 30 Billion AR Image Map of the World »
- Hackaday, 12 mars 2026, « Pokemon Go Had Players Capturing More Than They Realized »
- Pokémon GO, annonce officielle « PokéStop Scanning » (2020)
- Niantic Labs, Privacy Policy (version en vigueur)
Questions fréquentes
Did Niantic act illegally by reusing players' images?
No. As early as 2016, the terms of service granted Niantic a perpetual and irrevocable license on submitted content, and the 2020 PokéStop scans were opt-in and anonymized. It was all legally covered.
Why talk about "invisible" consent if it was all written down?
Because formal legality does not guarantee informed consent. The terms of service run to several thousand words that fewer than 1% of users read, and "consent fatigue" turns the "I accept" click into a reflex rather than an act of understanding.
What is purpose creep in this particular case?
Players agreed to a recreational use of their images in 2016 or scanned them in 2020-2021. Five years later, that data trains autonomous delivery robots, a radically different use that the initial consent could not anticipate.
Can a player have their images removed from the model?
No. Once the images are anonymized and built into the model, there is no right to withdraw the data already processed. Opting out only applies to future contributions; the model itself is irreversible.
What lesson is there for organizations in 2026?
The legal compliance of terms of service is not enough. The real question is whether users genuinely understand what they are taking part in at the moment they do it; otherwise, the law protects the text, not the person or the trust.
Sources & méthodologie
- MIT Technology Review, 10 mars 2026, « How Pokémon Go is giving delivery robots an inch-perfect view of the world »
- Niantic Spatial, 10 mars 2026, annonce officielle du partenariat avec Coco Robotics
- PetaPixel, 16 mars 2026, « Pokémon GO Players Helped Build a 30 Billion AR Image Map of the World »
- Hackaday, 12 mars 2026, « Pokemon Go Had Players Capturing More Than They Realized »
- Pokémon GO, annonce officielle « PokéStop Scanning » (2020)
- Niantic Labs, Privacy Policy (version en vigueur)

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
