On June 22, the Federal Trade Commission ("FTC") announced that it would settle its first-ever enforcement action against a mobile advertising company, InMobi. InMobi agreed, subject to court approval of the settlement, to pay a $950,000 fine and revise its data collection practices to settle charges that it collected geolocation data from millions of consumers, including children, without their consent. The settlement resolves FTC allegations that InMobi engaged in unfair and deceptive trade practices and violated the requirements of the Children's Online Privacy Protection Act ("COPPA").
The InMobi enforcement action
InMobi provides a popular advertising platform used by third-party mobile iOS and Android app developers and advertisers to reach millions of US consumers' mobile devices. App developers integrate InMobi's technology into their apps, enabling them to display ads served by InMobi. The FTC alleged that:
- InMobi deceptively tracked location data from consumers using apps, to serve them "geo-targeted" ads—ads based on their current or recently-visited locations. InMobi obtained this geolocation data without first obtaining many consumers' consent. That is, InMobi used geolocation data from consumers who consented to share it to develop a database of WiFi networks' locations. Then, when other consumers set their device settings to opt out of sharing geolocation data, InMobi used its database to infer these consumers' locations based on their devices' proximity to nearby WiFi networks and used the inferred location data to serve them geo-targeted ads.
- Despite these practices, InMobi told app developers that it collected geolocation data only when app developers allowed InMobi to access this data and consumers consented to its use. As a result, app developers inaccurately told consumers that they could control the collection and use of their geolocation data, unaware that InMobi would collect and use that data regardless of the consumers' privacy settings.
In a complaint filed simultaneously on June 22 with the parties' proposed settlement, the FTC charged that InMobi's alleged conduct violated the prohibition on deceptive acts and practices in Section 5 of the Federal Trade Commission Act, 15 USC § 45(a), and the COPPA Rule, 16 CFR part 312. The COPPA Rule requires companies collecting personal information from users of online services directed to children under 13 to provide notice to, and obtain consent from, parents before collecting, using, or disclosing their children's personal information. It also requires such companies to post privacy policies on their websites that disclose their data collection practices directed to children under 13.
To settle the FTC charges, InMobi agreed to a $4 million civil penalty. Based on InMobi's financial circumstances, the FTC suspended all but $950,000 of the penalty, which is to be paid over three installments over the next year. If InMobi is found to have misrepresented its financial circumstances, it will be required to pay the remainder of the penalty immediately. InMobi also agreed to follow certain privacy and data collection practices, including:
- Collecting or inferring consumers' geolocation information only with their express consent;
- Honoring consumers' location privacy settings;
- Deleting consumers' geolocation information previously collected without consent;
- Accurately describing InMobi's privacy practices;
- Deleting all information previously collected from children under 13;
- Complying with the COPPA Rule; and
- Implementing a comprehensive privacy program subject to periodic independent audits for the next 20 years.
The InMobi settlement reflects the FTC's continued focus on mobile technology. Importantly, while the FTC ordinarily brings enforcement actions against companies for their misleading statements to consumers, the InMobi settlement also demonstrates that the FTC will also seek to hold companies liable for deceptive statements made to other companies that rely on such statements in their own representations to consumers, and which, in the FTC's view, lead to consumer harm.
To reduce the risk of an FTC enforcement action, companies should ensure that descriptions of their data security practices provided to consumers and to business partners are accurate, including those made in marketing materials. Companies should periodically review posted descriptions of their privacy and data security practices, and particularly their privacy policies, to ensure that they remain up to date. Moreover, companies collecting data from apps and websites directed to children under 13 should ensure their compliance with the COPPA Rule's notice and consent provisions.