The FTC sent a loud signal, in the form of a $925,000 settlement with mobile ad network InMobi, that the Commission’s focus on ad tech data privacy is not limited to app developers and websites, but extends to third party ad platforms as well. I briefly discuss below 1) the allegations against InMobi and 2) takeaways and lessons learned from the FTC’s action.
The Allegations Against InMobi
Collection of Location and Device Data
InMobi is a mobile ad targeting platform that works directly with app developers to create audience segments based on precise location data and makes those audiences available to advertisers. InMobi creates these segments not only from GPS-level data tied to IDFAs and Android Ad IDs, but from WiFi data tied to BSSID access point identifiers. The FTC took issue with how InMobi collected and used the WiFi data set, and that InMobi allegedly failed to disclose this data collection to developers.
The FTC alleged that by using WiFi and BSSID data to create audience segments, InMobi effectively bypassed the location permissions that the iOS and Android platforms have in place. Location permissions are designed to give users the choice to allow or deny permission as to the collection of precise location data, both through dialog boxes upon install and through device settings. The FTC specifically alleged that until December 2015, InMobi:
- Collected and created audience segments from WiFi data in instances where the platform location API was inaccessible, i.e., the app developer hadn’t included location permissions or the consumer had restricted the app’s access to the location API, and
- Where the location API was accessible, InMobi collected lat/long coordinates alongside the BSSID and WiFi data, correlating that information together, yet
- Made representations to developers and in marketing materials that contradicted the above by saying that its geolocation segments were created from “user opt-in lat/long signals” and making similar statements in SDK documentation.
The Complaint also alleges that InMobi knowingly collected this data from apps it knew were directed to children, collecting location data and device identifiers even where app developers had indicated – in response to forms provided by InMobi during app registration – that an app was “directed to children under 13 years of age.”
Takeaways and Lessons Learned
- The FTC is actively investigating whether third-party ad platforms respect app permissions and COPPA flagging – notwithstanding the focus of some prior settlements on first parties (e.g., its settlement with The “Brightest Flashlight Free” app) and the COPPA rule placing primary compliance obligations on first parties.
- A consistent priority for the FTC is consumer choice. Regardless of the type of data you collect and work with (mobile, geolocation, offline, etc.) you should provide an opt-out and honor integrated opt-outs.
- Words matter and words can hurt (you)! The FTC has often telegraphed its big picture concerns about the online ad ecosystem through workshops, reports, and blog posts. But when bringing cases, the FTC often relies on actual statements in privacy policies or other marketing materials and documentation. So if you are going to engage in edge practices regarding data collection, and you are scrutinized for that, the FTC (and state attorney generals) will strictly construe what you’ve said in those policies and use omissions against you. (This was the FTC’s tactic in addressing disfavored practices concerning flash cookies and history sniffing.)
- The FTC is moving these investigations relatively quickly. The allegations against InMobi appear to be related to activities arising in late 2015.
- As to COPPA, it is important to pay particular attention to COPPA flagging. If you are on the supply side of the ad ecosystem, implement any flagging program with great care, because the FTC will place burdens on you regarding its administration. Equally important, if you are on the demand side, pay close attention to supply-side COPPA flagging signals, such as integers sent through the OpenRTB Specification. Notwithstanding potential defenses you may have, the FTC and State AGs may regard such flags as creating “actual knowledge,” which triggers COPPA compliance, particularly when coupled with other warnings, contracts, or documentation.