Home Home About Us Practice Areas Our Attorneys Press & Publications Events Diversity Pro-Bono Careers

Advertising, Marketing & Promotions Alert >> FTC’s First COPPA Action Against Mobile Ad Network Highlights Risks for Operators As Well

July 11, 2016

The Federal Trade Commission (FTC) announced its first action against a mobile ad network, InMobi, for violations of the Children’s Online Privacy Protection Act (COPPA), claiming that the provider collected geolocation data from millions of consumers, including children, without their consent. Under the settlement, InMobi will pay the FTC $950,000 in civil penalties (reduced from $4 million, the largest COPPA penalty to date), delete all inappropriately collected data and implement a comprehensive privacy program.

First COPPA Action Against Mobile Ad Network
In 2013, the FTC announced a number of updates to COPPA (“new COPPA”) (to read a previous D&G Alert on this topic, please click here), including an expansion of the definition of “personal information” to cover: (1) geolocation data that identifies a child’s city and street; (2) photos, videos and audio files that contain a child’s image or voice; and (3) persistent identifiers, such as tracking cookies used to recognize a child across different websites and online services. The FTC also revised the rule to ensure that ad networks, such as InMobi, could not avoid COPPA liability when they had “actual knowledge” that they were collecting personal information from children without verifiable parental consent.

The FTC charged InMobi with violating new COPPA, claiming that it collected geolocation data and persistent identifiers from apps that were clearly directed at children without the consent of their parents. According to the FTC, InMobi had “actual knowledge” that it was collecting personal information from thousands of child-directed apps because during the registration process, thousands of app developers had affirmatively checked a box indicating that their apps were specifically directed to children under 13 years of age.

The FTC also charged InMobi with violating Section 5(a) of the Federal Trade Commission Act (FTC Act) by collecting location data from millions of consumers without their consent, despite representations that such data would only be collected on an opt-in basis. In its complaint, the FTC alleged that the mobile ad network used millions of consumers’ locations to serve geo-targeted ads, regardless of app developers’ intent to include such ads in the app, and regardless of the consumers’ location settings.

Settlement Agreement Highlights Risks
The FTC levied a $4-million civil penalty against InMobi, although this amount was suspended to $950,000 based on the company’s financial condition. The InMobi penalty is notable because it could indicate more substantial COPPA penalties in the future. Beyond the monetary penalty, the settlement will also prohibit InMobi from collecting consumers’ location information without first acquiring their affirmative express consent. Not surprisingly, InMobi must delete all personal information it improperly collected from children. Last, InMobi must institute a comprehensive privacy program that will be independently audited every two years for the next 20 years.

Both operators and ad networks should take note that it will not be enough to simulate compliance with COPPA in their privacy policies, as InMobi’s privacy policy seemingly complied with COPPA, while in reality its practices violated the law.

The Bottom Line

During the past few years, the FTC has been stressing that its enforcement priorities would include mobile devices, children’s information, and new technologies and tracking practices. The FTC’s action against InMobi brings these priorities to life.

Overall, the action serves as a reminder that companies – both operators and ad networks themselves – need to respect the data collection preferences expressed by consumers and adhere to representations in their privacy policies, as it is not enough to profess COPPA compliance in a privacy policy – companies must be COPPA compliant. Companies should implement procedures and controls to ensure that all representations made to consumers, and the consumers’ expressed preferences, are honored.