Written by Privacy & Data Security Team
The Federal Trade Commission (“FTC”) announced that InMobi, a Singapore-based mobile advertising company whose products are used by many Android and iOS app makers to deliver advertisements to consumers, will pay $950,000 in civil penalties and implement a comprehensive privacy program. The settlement resolves FTC charges that InMobi deceptively tracked the locations of hundreds of millions of consumers, including children, without their knowledge or consent in order to serve them geo-targeted advertising.
The FTC alleges that InMobi represented that its advertising software would collect consumers’ geo-location data only when consumers provided opt-in consent, and that such collection would be carried out in a manner consistent with the privacy settings on consumers’ devices. However, according to the FTC complaint, InMobi’s software was actually tracking consumers’ locations irrespective of whether opt-in consent was given, and even when consumers denied permission to access their geo-location data. The complaint alleges that InMobi’s software used nearby WiFi signals to infer locations even when permission was not given, and that InMobi then archived the location data and used it to push targeted advertisements to consumers. According to the complaint, such collection occurred even when consumers had turned off location collection on their device. Specifically, the complaint states, “[e]ven if the consumer had restricted an application’s access to the location API, [InMobi] still tracked the consumer’s location and, in many instances, served geo-targeted ads, by collecting information about the WiFi networks that the consumer’s device connected to or that were in-range of the consumer’s device.”
The complaint also alleges that InMobi violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting geo-location data from mobile applications that were directed towards children. Under COPPA, an operator of a commercial website or online service that is directed towards children must obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under the age of 13. The FTC alleges that InMobi disseminated or caused to be disseminated statements that it “will continue to only use any data in the manner that COPPA prescribes” and that it had “identified all existing publisher sites and apps directed to children to ensure [they] are in full compliance with the . . . COPPA rules.” However, according to the complaint, InMobi did not comply with COPPA, as its software tracked geo-location data in thousands of child-directed applications without receiving the requisite consent. The complaint states that InMobi “knowingly collected and used information . . . from thousands of applications that had indicated . . . that they were directed to children.”
As we have noted in other blog posts regarding FTC enforcement, the FTC has not been shy about regulating issues related to data security and privacy. In the InMobi case, the FTC settlement terms are rather extensive. The FTC levied a $4 million civil penalty, but suspended that penalty to $950,000. InMobi will be prohibited from collecting consumers’ geo-location data without their affirmative consent, and will be required to honor consumers’ location privacy settings. InMobi must delete the geo-location data that it collected without consumers’ consent, and must also delete all information collected from children. Finally, InMobi must institute a comprehensive privacy program that will be independently audited every two (2) years for the next twenty (20) years.