On June 22, 2016, the FTC entered into a consent decree with InMobi, a Singaporebased mobile advertising company. InMobi offers a software development kit (SDK) that allows app developers to integrate thirdparty advertising into their applications. Through its SDK, InMobi collects app users’ personal and unique information, including precise geolocation, in order to serve targeted advertising. The proposed Complaint alleges that
InMobi violated Section 5 of the FTC Act by making deceptive statements about its use of geolocation in ad serving, and violated the Children’s Online Privacy Protection Act (COPPA) by using geotracking in apps known to target children. The Proposed Stipulated Order mandates a permanent injunction and a civil penalty judgment of $4 million (suspended to $950,000 based on the company’s financial situation) due to the COPPA violation.
InMobi’s alleged wrongful conduct included collecting geolocation data from app users who had opted out of permitting app(s) to access location information on their mobile device. The company developed an alternative to GPS by creating a builtin mechanism that could determine location through WiFi networks. Using data collected from users who purportedly consented to geotracking, InMobi developed a database that mapped Wi Fi networks’ latitude/longitude coordinates, which it then used to infer the location of optout users. As a result, its SDK was able to target any user—even those who had opted out—with geolocationbased ads.
This method is not new: ad networks have been creating “lookalike” models for a variety of characteristics, taking known traits and inferring others, then extrapolating from this information certain characteristics that can be used for targeted advertising. But the InMobi consent decree clarifies what has been implicit in previous FTC statements: precise geolocation data is different from other characteristics, and as a result it should be subject to enhanced privacy protections. If a user did not opt in to allowing the app to collect precise geolocation, that information should not be inferred.
The FTC applied a relatively novel approach to an unfair or deceptive trade practice: with InMobi, the FTC has posited that deceptive statements to another company violate Section 5 of the FTC Act. Because InMobi’s app developer clients had “no reason to know that [it] tracked the consumer’s location and served geotargeted ads regardless of the consumer’s location settings,” the app developers may have unwittingly made inaccurate privacy statements to the public. Deception under Section 5 typically requires a statement or omission to a consumer on which the consumer relies. Here, however, the FTC alleged that InMobi’s misrepresentations to
its app developer clients constitute deception because the enduser (the consumer) in turn would rely on the app developers’ unintentionally inaccurate statements.
The consent decree requires that InMobi confirm that its app developer clients have obtained from the consumer express affirmative consent before InMobi may collect or infer user location information. Interestingly, only the app developer is obligated to obtain this consent; InMobi has no such obligation. The omission is noteworthy given the proposed Complaint’s detailing of InMobi’s deception against its app developer clients. This may reflect the FTC’s assessment that there is a limit to the number of disclosures regarding consumers’ geolocation settings that can be realistically presented to consumers. Still more notably, the InMobi consent decree is inconsistent with the Goldenshores consent decree, which required the Brightest Flashlight app to disclose (1) how geolocation may be used; (2) why the application is accessing geolocation; and (3) the identity or specific categories of third parties that receive geolocation directly or indirectly from the application.
The FTC’s use of COPPA in order to garner fines is also illustrative. InMobi had asked its app developer clients whether the application was a service directed towards children, but then failed to implement correspondingly necessary privacy controls on the collection and use of known and inferred geolocation information. As a result, InMobi ended up using geolocation information to engage in interestbased advertising despite having actual knowledge that the users were children under 13. Asking about childdirected status but doing nothing to change business practices is a straightforward violation of COPPA.
In addition to the fine and the injunction, InMobi must undertake several steps that are usually required in FTC consent decrees. Within 180 days of the Order, it must submit a compliance report that, among other things, demonstrates its compliance with the Order, provides copies of all modified privacy notices, and justifies the necessity for collecting information. It must also delete all information collected from children and all location information collected from other app users who had not consented. Finally, it must implement a comprehensive privacy program that will be independently audited every two years for the next 20 years.