The FTC announced a settlement on Wednesday with mobile advertising company, InMobi Pte Ltd., concerning allegations that the company deceptively tracked the geolocation of hundreds of millions of unknowing consumers, including children, to serve them geo-targeted advertising. As part of the settlement, InMobi will pay $950,000 in civil penalties relating to violations of the Children’s Online Privacy Protection Act (COPPA), and agreed to implement a comprehensive privacy program.
InMobi provides an advertising platform for app developers and advertisers. App developers can integrate the InMobi software development kit (SDK) for its Android and iOS apps, allowing them to monetize their applications by allowing third party advertisers to advertise to consumers through various ad formats (e.g., banner ads, interstitial ads, native ads). Advertisers, in turn, can target consumers across all of the mobile apps that have integrated the InMobi SDK.
InMobi also offers several geo-targeting products, which allow advertisers to target consumers based on specific location information. For instance, advertisers could target consumers based on their device’s current or previous location, or if the consumer visits a certain location at a particular time of day or on multiple occasions.
The FTC alleges that InMobi mispresented that its advertising software would track consumers’ locations and serve geo-targeted ads only if the consumer provided opt-in consent, and only when it was done in a manner consistent with their device’s privacy settings. According to the complaint, InMobi was actually tracking consumers’ locations whether or not the apps with InMobi SDKs requested consumers’ permission to do so, and even when consumers had denied permission to access their geolocation.
Even when users had denied the app permission to access geolocation, InMobi was collecting information about the WiFi networks that the consumer’s device connected to or that were in-range of the consumer’s device, feeding this information into its geocoder database, and using this information to infer the consumer’s longitude and latitude. The FTC claims that this process allowed InMobi to track the consumer’s location and serve geo-targeted ads, regardless of the app developer’s intent to include geo-targeted ads in the app, and regardless of the consumer’s privacy preferences or device settings. As a result of these practices, app developers could not provide accurate information to consumers regarding their apps’ privacy practices. The FTC concluded that InMobi’s misrepresentations regarding its data collection and use practices were deceptive in violation of Section 5 of the FTC Act.
In addition, the complaint alleges that InMobi violated COPPA by knowingly collecting personal information from children under the age of 13, despite representations to the contrary. The FTC claims that InMobi did not have adequate controls in place to ensure COPPA-compliance and did not test any controls it implemented to ensure they functioned as intended. As a result, InMobi collected personal information (including unique device identifiers and geolocation information) in thousands of apps that developers had expressly indicated to InMobi were child-directed, and used this information to serve interest-based, behavioral advertising in violation of COPPA.
Per the stipulated order, the company is prohibited from collecting consumers’ location information without their affirmative express consent and will be required to honor consumers’ location privacy settings. The company is further prohibited from violating COPPA and from misrepresenting its privacy practices. The order also requires the company to delete all information it collected from children, delete the location information collected from consumers without their consent, and establish a comprehensive privacy program. The comprehensive privacy program is typical of what we see in other FTC privacy settlements. It has provisions governing the designation of a responsible employee to oversee privacy compliance, requiring ongoing assessment of risks that could result in unauthorized collection of information, mandating implementation of reasonable privacy controls, requiring regular testing and evaluation of such controls, and addressing service provider oversight. Under the terms of the settlement, InMobi is subject to a $4 million civil penalty, which was suspended to $950,000 based on the company’s financial condition.
Mobile technology practices continue to be a focus of the FTC’s consumer protection efforts. Companies collecting personal and geolocation information from consumers should understand precisely what information will be collected from or about a user, clearly and accurately communicate its data practices, and respect any representations that are made. Particular care should be taken when collecting information through child directed apps and websites. Taking these simple steps can help avoid FTC scrutiny with respect to a company’s privacy practices and related representations.