On June 22, the Federal Trade Commission (FTC) entered into a settlement – including a $950,000 fine – with InMobi, a mobile advertising network that had mishandled consumer data. They had improperly tracked children’s personal information in violation of COPPA (the Children’s Online Privacy Protection Act) and they had gathered geolocation data about people who had not consented to be tracked.
And the FTC was all the more interested because the information mishandled by InMobi includes Children’s PII, where the relevant statutes and FTC regulations are quite clear regarding what sort of data use is – and is not – permitted, and geolocation data, which has emerged as a highly sensitive area for regulators.
InMobi failed to live up to the maxim “say what you do and do what you say”, and must now pay a very steep price for noncompliance.
However, starting in 2013 developers for websites that sought to work with InMobi’s technologies were invited to check a box next to a sentence stating: “My property is specifically directed to children under 13 years of age and/or I have actual knowledge that it has users known to be under 13 years of age.”
The FTC alleged that “thousands” of developers checked this box – so that InMobi in fact was collecting data from thousands of websites directed at children. And InMobi apparently had no internal processes to segregate – or disregard – the information obtained from sites where this box had been checked.
Furthermore, under COPPA, anonymous identifiers – like IP addresses and MAC IDs – used for targeted advertising are expressly considered to be personal information (PII), and may be collected and shared only with express parental consent.
As a result, the FTC alleged that InMobi was acting in violation of COPPA – and in violation of InMobi’s own privacy and COPPA policies.
There is a strong consensus at the FTC to protect children’s privacy, and it is no surprise that the FTC acted aggressively.
The FTC has been increasingly concerned about how geolocation data is obtained and tracked from cell phones, and has consistently encouraged companies to obtain express user consent from to track this sort of information.
In fact, InMobi’s system included the typical sorts of consents companies use to obtain geolocation data from a cell phone, and InMobi told its advertising customers that it only served geo-targeted advertising to individuals who permitted their phone to communicate the location to InMobi.
However, InMobi also independently calculated the phone’s location – whether or not the individual had provided express consent – by monitoring the location and identifying data of the WiFi network the phone was connected to.
In this way, InMobi tracked geolocation and served geo-targeted ads whether or not the site or app owner enabled the geo-tracking feature and without regard to the consumer’s location permission settings.
What You Should Do:
InMobi got caught violating COPPA and disregarding the express wishes of consumers regarding geolocation information. These are areas the FTC cares deeply about, and the magnitude of the fine, even after a reduction (the base fine was $4 million reduced to $985,000 in light of InMobi’s financial situation) emphasizes their significance.
In other words, know what you do, say what you do, and do what you say.