Both operating systems display a list of apps and indicate whether they have access always, never, only when the app is in use, or whether permission is requested every time. Both also allow users to choose whether the app sees precise locations up to several meters away or just a coarse-grained location.
For most users, allowing a photo, public transit, or mapping app to access a user's exact location is useful. For other types of apps, for example those for internet jukeboxes in bars and restaurants, having an approximate location can be useful, but giving precise, fine-grained access is probably overkill. And for other apps, there's no reason why they would ever know the device's location. With a few exceptions, there's little reason why apps should always have location access.
Not surprisingly, Android users who want to block intrusive location collection need to change more settings than iOS users. The first thing you should do is open Settings > Security & Privacy > Ads and choose 'Remove Ad ID'. Then immediately ignore the long, scary warning that Google gives and press the button to confirm the decision at the bottom. If you don't see that setting, good for you. It means you have already deleted it. Google provides documentation here.
By default, iOS doesn't give apps access to “Identifier for Advertisers,” Apple's version of the unique tracking number assigned to iPhones, iPads, and AppleTVs. However, apps may display a window asking you to enable the setting, so it's useful to check. iPhone users can do this via Settings > Privacy & Security > Tracking. All apps with permission to access the unique ID will appear. While there, users should also disable the “Allow apps to request tracking” button. In iOS Privacy & Security, users should navigate to Apple Advertising and ensure that personalized ads are turned off.
Additional coverage of Location X from Haaretz and NOTUS is here and here. The New York Times, the other publication that accessed the data, had not yet published an article at the time this Ars post went live.
