On June 22, 2016, the FTC entered into a consent decree with  InMobi, a Singapore­based mobile advertising company.  InMobi offers a software development kit (SDK) that allows app developers to integrate third­party advertising into their applications.  Through its SDK, InMobi collects app users’ personal and unique information, including precise geolocation, in order to serve targeted advertising.  The proposed Complaint alleges that

InMobi violated Section 5 of the FTC Act by making deceptive statements about its use of geolocation in ad serving, and violated the Children’s Online Privacy Protection Act (COPPA) by using geo­tracking in apps known to target children.  The Proposed Stipulated Order mandates a permanent injunction and a civil penalty judgment of $4 million (suspended to $950,000 based on the company’s financial situation) due to the COPPA violation.

InMobi’s alleged wrongful conduct included collecting geolocation data from app users who had opted out of permitting app(s) to access location information on their mobile device.  The company developed an alternative to GPS by creating a built­in mechanism that could determine location through Wi­Fi networks.  Using data collected from users who purportedly consented to geo­tracking, InMobi developed a database that mapped Wi­ Fi networks’ latitude/longitude coordinates, which it then used to infer the location of opt­out users.  As a result, its SDK was able to target any user—even those who had opted out—with geolocation­based ads.

This method is not new: ad networks have been creating “look­alike” models for a variety of characteristics, taking known traits and inferring others, then extrapolating from this information certain characteristics that can be used for targeted advertising.  But the InMobi consent decree clarifies what has been implicit in previous FTC statements: precise geolocation data is different from other characteristics, and as a result it should be subject to enhanced privacy protections.  If a user did not opt in to allowing the app to collect precise geolocation, that information should not be inferred.

The FTC applied a relatively novel approach to an unfair or deceptive trade practice: with InMobi, the FTC has posited that deceptive statements to another company violate Section 5 of the FTC Act.  Because InMobi’s app developer clients had “no reason to know that [it] tracked the consumer’s location and served geo­targeted ads regardless of the consumer’s location settings,” the app developers may have unwittingly made inaccurate privacy statements to the public.  Deception under Section 5 typically requires a statement or omission to a consumer on which the consumer relies.  Here, however, the FTC alleged that InMobi’s misrepresentations to

its app developer clients constitute deception because the end­user (the consumer) in turn would rely on the app developers’ unintentionally inaccurate statements.

The consent decree requires that InMobi confirm that its app developer clients have obtained from the consumer express affirmative consent before InMobi may collect or infer user location information.  Interestingly, only the app developer is obligated to obtain this consent; InMobi has no such obligation.  The omission is noteworthy given the proposed Complaint’s detailing of InMobi’s deception against its app developer clients.  This may reflect the FTC’s assessment that there is a limit to the number of disclosures regarding consumers’ geolocation settings that can be realistically presented to consumers.  Still more notably, the InMobi consent decree is inconsistent with the Goldenshores consent decree, which required the Brightest Flashlight app to disclose (1) how geolocation may be used; (2) why the application is accessing geolocation; and (3) the identity or specific categories of third parties that receive geolocation directly or indirectly from the application.

The FTC’s use of COPPA in order to garner fines is also illustrative.  InMobi had asked its app developer clients whether the application was a service directed towards children, but then failed to implement correspondingly necessary privacy controls on the collection and use of known and inferred geolocation information.  As a result, InMobi ended up using geolocation information to engage in interest­based advertising despite having actual knowledge that the users were children under 13.  Asking about child­directed status but doing nothing to change business practices is a straightforward violation of COPPA.

In addition to the fine and the injunction, InMobi must undertake several steps that are usually required in FTC consent decrees.  Within 180 days of the Order, it must submit a compliance report that, among other things, demonstrates its compliance with the Order, provides copies of all modified privacy notices, and justifies the necessity for collecting information.  It must also delete all information collected from children and all location information collected from other app users who had not consented.  Finally, it must implement a comprehensive privacy program that will be independently audited every two years for the next 20 years.

InMobi establishes important standards on the collection and use of geolocation.  First, mobile device settings are important, and if the user turns off location services, that choice must be honored.  Second, the FTC seems to be loosening what type of notice and choice would be required when precise geolocation is shared with third parties for ad serving purposes.  Finally, as with the consent decree with HTC, the FTC identified allegedly deceptive statements outside of the privacy policy.  Companies should review the whole scope of their marketing and public materials if they believe the materials could be deceptive.

Ariel Dobkin