Mobile Advertising Company InMobi to Pay Nearly $1 Million Civil Penalty to Settle FTC Charges Over Deceptive Location Tracking Practices
The Federal Trade Commission (FTC) announced on June 22, 2016 that Singapore-based mobile advertising company InMobi will pay $950,000 in civil penalties and implement a comprehensive data security program to settle the FTC’s first-ever enforcement action against a mobile advertising company.
The large financial penalty is rare since the FTC does not have the authority to fine companies for first-time offenses under its power to regulate “unfair and deceptive” trade practices. However, in addition to resolving claims that InMobi deceived consumers, InMobi settles claims that it wrongly collected information about children in violation of the Children’s Online Privacy and Protection Act (COPPA), which contains rigid penalties.
InMobi offers an advertising platform for mobile application developers and advertisers. App developers incorporate InMobi’s software-development kit (InMobi SDK) in their mobile applications. InMobi then sells geo-targeting products through which advertisers can target consumers based on location, and InMobi sends targeted advertisements to app users based on data collected about the users.
The FTC alleged that InMobi circumvented consumers’ privacy restrictions, and tracked consumers’ locations and served geo-targeted advertisements by collecting information about the WiFi networks connected to or in-range of consumers’ devices. Specifically, InMobi SDK collected service set identifiers (SSID), latitude and longitude coordinates, and other WiFi network information. With this information, InMobi created a geocoder database through which it matched specific WiFi networks to specific locations. If a consumer’s geolocation API was inaccessible, InMobi still collected WiFi network information and used its geocoder database to infer the consumer’s location.
InMobi assured app developers that it collected geolocation data only when app developers allowed InMobi to do so, and when consumers consented to its use. Consequently, app developers inaccurately assured consumers that they could control the collection and use of their location information through their privacy settings.
The settlement includes a $4,000,000 civil penalty which, according to the FTC Press Release, is to be suspended upon InMobi’s payment of $950,000 “based on the company’s financial condition.” InMobi will be subject to the total $4 million penalty if it does not comply with the Order’s terms. In addition, the Stipulated Order for Permanent Injunction and Civil Penalty Judgment requires InMobil to:
- Destroy personal information collected from children that is in its possession;
- Destroy location information that was collected or inferred prior to the entry of the Order;
- Not collect or infer location information without confirming the consumer has provided affirmative express consent for the collection of location information and the consumer has not expressed through any operating system, device, or application setting that the consumer does not consent to the collection of location information;
- Establish a comprehensive privacy program, including designating an employee responsible for the program;
- Obtain biennial privacy program assessments from an independent third-party professional for a period of 20 years.
While the FTC typically brings enforcement actions against consumers for misleading consumers, in this case, the FTC shows it will hold companies liable for deceptive statements made to other companies which, in the FTC’s view, lead to consumer harm. In particular, the FTC is actively investigating whether third-party advertising platforms defer to individual mobile app permissions.
The FTC also enforces its extension of COPPA requirements to operators of ad networks or other downloadable plug-ins as “co-operators” if they have actual knowledge that they are collecting personal information through a site directed to children. The FTC updated the COPPA Rule in 2013 to require “first parties” – or those parties supplying information to an advertising network – to signal whether an app or website is child-directed, and if so, the ad network is deemed to have “actual knowledge” that it collected personal information from an online service directed to children. As a result, advertising networks with “actual knowledge” are held strictly liable under the COPPA Rule.
Finally, this enforcement action highlights the FTC’s unrelenting assertion that consumers be presented with an informed choice about the collection and sharing of their data, including geolocation data, and companies must respect consumers’ choices or else face investigation and burdensome penalties.