On June 22, the Federal Trade Commission (FTC) entered into a settlementincluding a $950,000 fine – with InMobi, a mobile advertising network that had mishandled consumer data  They had improperly tracked children’s personal information in violation of COPPA (the Children’s Online Privacy Protection Act) and they had gathered geolocation data about people who had not consented to be tracked.

This is a perfect example of a company putting out statements – including in its privacy policy and its communications to application developers – about its data usage practices, but then in fact doing something quite different:  InMobi asked about Children’s data, but then ignored what they learned, and InMobi stated that consent was required to provide geo-targeted advertising, when in fact it was not. Read more>

And the FTC was all the more interested because the information mishandled by InMobi includes Children’s PII, where the relevant statutes and FTC regulations are quite clear regarding what sort of data use is – and is not – permitted, and geolocation data, which has emerged as a highly sensitive area for regulators.

InMobi failed to live up to the maxim “say what you do and do what you say”, and must now pay a very steep price for noncompliance.

Some Background:

Children’s Data. 

The rules regarding collecting children’s data are clear.  InMobi had a privacy policy and a COPPA policy which included typical language stating that they did not collect personal information from children under the age of 13 or from websites directed at children under the age of 13.

However, starting in 2013 developers for websites that sought to work with InMobi’s technologies were invited to check a box next to a sentence stating: “My property is specifically directed to children under 13 years of age and/or I have actual knowledge that it has users known to be under 13 years of age.”

The FTC alleged that “thousands” of developers checked this box – so that InMobi in fact was collecting data from thousands of websites directed at children.  And InMobi apparently had no internal processes to segregate – or disregard – the information obtained from sites where this box had been checked.

Furthermore, under COPPA, anonymous identifiers – like IP addresses and MAC IDs – used for targeted advertising are expressly considered to be personal information (PII), and may be collected and shared only with express parental consent.

As a result, the FTC alleged that InMobi was acting in violation of COPPA – and in violation of InMobi’s own privacy and COPPA policies.

There is a strong consensus at the FTC to protect children’s privacy, and it is no surprise that the FTC acted aggressively.

Geolocation Data. 

The FTC has been increasingly concerned about how geolocation data is obtained and tracked from cell phones, and has consistently encouraged companies to obtain express user consent from to track this sort of information.

In fact, InMobi’s system included the typical sorts of consents companies use to obtain geolocation data from a cell phone, and InMobi told its advertising customers that it only served geo-targeted advertising to individuals who permitted their phone to communicate the location to InMobi.

However, InMobi also independently calculated the phone’s location – whether or not the individual had provided express consent – by monitoring the location and identifying data of the WiFi network the phone was connected to.

In this way, InMobi tracked geolocation and served geo-targeted ads whether or not the site or app owner enabled the geo-tracking feature and without regard to the consumer’s location permission settings.

Notably, the FTC relied on the misleading disclosures InMobi made in its communications to application developers about the need for user consent – not on errors in the privacy policy – in finding liability.

What You Should Do:

InMobi got caught violating COPPA and disregarding the express wishes of consumers regarding geolocation information.  These are areas the FTC cares deeply about, and the magnitude of the fine, even after a reduction (the base fine was $4 million reduced to $985,000 in light of InMobi’s financial situation) emphasizes their significance.

All participants in the ad tech ecosystem should be mindful of the following lessons:  Don’t collect children’s data in violation of COPPA. If you have children’s data, institute practices to assure COPPA compliance.  If consumers have opted not to share geo-location data, don’t triangulate that data from other sources and use it for advertising purposes.  And anything you say about your use of data – whether in a privacy policy, in communications with consumers, or in communications with developers or other business customers – can be the basis of FTC or other liability.   

In other words, know what you do, say what you do, and do what you say.