Data Tracking – A recent US decision has wide implications for advertisers and those who collect geolocation data
The InMobi decision
A recent decision of the US District Court in California sends a clear message around the world about the ability of companies to track customers without their consent. In the decision the mobile advertising network InMobi settled charges brought against it by the Federal Trade Commission (FTC), the US equivalent of our ACCC, that it had tracked hundreds of millions of consumers' locations without their permission. This included tracking children in circumstances where the US has explicit legislation requiring the verified the consent of children in online dealings.
The Misleading and Deceptive Claim
The action taken by the FTC was that InMobi's advertising was misleading and deceptive and that it misrepresented the tracking that its advertising software would make of consumers locations. In fact, InMobi actually tracked consumers' locations whether or not the apps using InMobi software asked for consumers' permission to do so and even when consumers had denied permission to access their location information.
The facts of this case also raised the issue of consents and settings on devices in relation to location tracking which were specifically overridden by InMobi. The company in question, InMobi, was a Singapore based company with a US subsidiary and the action taken by the US Department of Justice was upheld in the US Court and will have ramifications for InMobi's global operations.
The settlement and the court order documenting that settlement find that InMobi participated in deceptive acts or practices in violation of US law and that this included the collection and use of location information and personal information. In relation to personal information, it was defined as being "geo-location information sufficient to identify street name and name of a city or town".
What sanctions does the Order impose?
It was suggested that once InMobi had collected certain location information about individuals then based on knowledge it had of their devices and the location of transmission towers it could then infer locations at particular times to determine location and advertising. The order approved by the Court involved injunctions concerning collection of information from children, in particular, where the US has specific rules but it also contains a number of additional requirements that will be a significant burden to InMobi in conducting its future business and provides a lesson for other businesses that collect information without clear and specific consent. The order included a monetary judgement with a civil penalty of $4 million dollars to be paid in instalments having regard to InMobi's financial positon. The order also noted that if at any point the Court found that InMobi had failed to disclose any material asset or materially misstated the value of any asset in its financial representations then the full amount would become payable immediately.
In addition to the fine the more worrying provisions are the requirements to undertake a comprehensive privacy program, to have it independently audited and monitored, and to report on it for a period of 20 years. This requirement is in order to implement the injunctions which prevent InMobi from misrepresenting in any manner the extent to which it maintains the privacy, confidentiality, security and integrity of its practices in relation to personal information collected from children and other consumers and to ensure it obtains consumers' consents.
The implementation of a comprehensive privacy program is set out in detail in the order and includes designating an employee or employees to be responsible for the program and that the program specifically include both employee training and management, and product design and development. Further, it requires regular testing or monitoring of the effectiveness of the controls and procedures and the development of a vendor management program to ensure that service providers to InMobi are contractually bound to maintain appropriate privacy policies.
InMobi is then required to have an initial and then biennial assessments from a qualified objective and independent third party professional who has been approved by the FTC and who will report on compliance with the program including explaining how the privacy controls that have been implemented meet or exceed the requirements of the order and certify that the program is operating with sufficient effectiveness. This is a significant obligation, and it continues for 20 years.
In addition, InMobi must provide a copy of the order to all its principals, officers, directors and managers of its subsidiaries and divisions in the United States and all employees having responsibilities relating to the collection, retention, storage or security of the relevant information. Each individual must provide a signed and dated acknowledgement receipt of the order.
InMobi is also required 180 days after the order to submit an initial compliance report identifying the steps it has taken to comply with the provisions of the order in further detail.
What does this Order signal?
The order will impose significant ongoing regulatory costs to InMobi that could easily have been avoided by implementing robust privacy provisions in the first instance. As a commercial matter many organisations are talking about privacy as trust and privacy as a way to differentiate themselves in the market. It is easy to see from this decision, which could easily be replicated in similar circumstances under the Australian Consumer Law, that a relatively modest investment in ensuring upfront compliance would be a worthwhile one in comparison to the likely down-side of such a complaint and regulatory action by the regulator.
We assist a number of organisations to undertake formal and informal privacy impact assessments and to design systems to seek to ensure compliance. If you consider your organisation may be at risk we invite you to contact us.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.