On June 22, 2016, mobile advertising company InMobi Private Ltd. settled Federal Trade Commission (“FTC” or “Commission”) claims of violations of Section 5 of the FTC Act, and the Children’s Online Privacy Protection Act and Rule (COPPA), for $4 million. The violations of COPPA supported the monetary penalty since, unlike Section 5, COPPA provides for civil penalties. However, there are lessons here for the mobile app industry beyond that geolocation services for children require verified parental consent. In addition, this action reinforces the FTC’s position that device location information is sensitive and thus justifies heightened consumer notice and choice, and that providing notice of an opt-out method that is not completely effective could be a deceptive practice if the limitations are not clearly explained — a common mistake we see clients making.
The Commission’s Allegations and the InMobi’s Settlement
InMobi is ranked among the top 10 mobile advertising companies in the world, said to reach over one billion unique mobile devices, of which 19 percent are located in North America. InMobi’s advertising platform allows app developers/publishers to serve third party ads within their apps. The ads can be customized for app users based on physical location as determined by checking device geolocation, including based on location history over up to a two month period.
The settlement agreement requires InMobi to destroy any device location information collected or inferred prior to the settlement agreement and not to disclose, use or benefit from such location information. InMobi is also enjoined from collecting or inferring location information without confirming that:
- the consumer provided affirmative express consent for the collection of location to the service integrating InMobi’s software;
- the consumer did not express through any operating system, device, app, permission or setting that the consumer does not consent to, or revokes consent to the collection of location information; and
- the consumer has not expressed that the consumer’s consent to the collection of location information is limited to a level of accuracy that is less precise than the location information that is to be collected or inferred by InMobi.
InMobi also agreed to institute a comprehensive privacy program subject to regular third-party assessments, of which the initial assessment must subsequently be produced to the Commission for review. All of these corrective actions can be seen as best practices for the mobile app industry, even though they are “fencing in” agreements that go beyond what the baseline of U.S. law requires. Of the $4 million civil penalty assessment, only $950,000 will be payable due to InMobi’s financial conditions.
Developers/Publishers at Risk – Looking Beyond InMobi
Although the Commission only acted on InMobi’s violations, app and site publishers are ultimately responsible for the information collected by or in connection with their apps or sites, including ad server tracking and targeting activities. Publishers are strictly liable for COPPA violations of third-party vendors. Vendors may provide a variety of services to publishers, such as data analytics or ad services. Even if a vendor provides assurances of COPPA compliance, as InMobi is said to have provided, developers/publishers should conduct proper due diligence and push for contractual representations and warranties and indemnification provisions.
For more information on this case or mobile privacy issues generally, contact the authors. Copies of the complaint and the consent order are available here and here, respectively.