On June 22, 2016, mobile advertising company InMobi Private Ltd. settled Federal Trade Commission ("FTC" or "Commission") claims of violations of Section 5 of the FTC Act, and the Children's Online Privacy Protection Act and Rule (COPPA), for $4 million. The violations of COPPA supported the monetary penalty since, unlike Section 5, COPPA provides for civil penalties. However, the lessons here for the mobile app industry go beyond the point that geolocation services for children require verified parental consent. This action also reinforces the FTC's position that device location information is sensitive and thus justifies heightened consumer notice and choice, and that providing notice of an opt-out method that is not completely effective could be a deceptive practice if the limitations are not clearly explained, a common mistake we see clients making.

The Commission's Allegations and InMobi's Settlement

InMobi is ranked among the top 10 mobile advertising companies in the world, said to reach over one billion unique mobile devices, of which 19 percent are located in North America. InMobi's advertising platform allows app developers/publishers to serve third-party ads within their apps. The ads can be customized for app users based on physical location as determined by checking device geolocation, including location history over a period of up to two months.

The Commission's complaint alleges that InMobi represented to app developers/publishers and advertisers that app users could control location tracking by denying permission for tracking at the app level or at the device level, yet continued to track consumers' locations even when the consumer restricted permissions at the device level. According to the complaint, InMobi did so by using information from Wi-Fi networks in proximity to, or connected to, the device, regardless of device location services opt-outs. The Commission further alleges that InMobi's Privacy Policy informed mobile app developers/publishers and advertisers that InMobi was "compliant with COPPA" even though use of InMobi's geolocation tracking features, and/or the serving of interest-based ads, would require verified parental consent under COPPA if used in connection with an app directed to children, or knowingly with an app user under the age of 13. Additionally, the Commission alleges that InMobi provided an option at registration for app developers/publishers to register apps as specifically directed to children under 13 years of age, suggesting the platform would not include the features that required parental consent for those apps, but that this designation did not alter InMobi's data collection and ad practices for those identified children's apps. As a result, location-based tracking and location-targeted ads were served to children on apps directed to children, which could only be done with verified parental consent. No notice was given to parents, and no consent was obtained from them. As a result, the FTC contends, InMobi violated COPPA by knowingly collecting and using personal information from thousands of child-directed applications. Although no app developers/publishers were named, InMobi caused the affected developers/publishers to also be in violation of COPPA.

The settlement agreement requires InMobi to destroy any device location information collected or inferred prior to the settlement agreement and not to disclose, use or benefit from such location information. InMobi is also enjoined from collecting or inferring location information without confirming that:

  • the consumer provided affirmative express consent for the collection of location to the service integrating InMobi's software;
  • the consumer did not express through any operating system, device, app, permission or setting that the consumer does not consent to, or revokes consent to, the collection of location information; and
  • the consumer has not expressed that the consumer's consent to the collection of location information is limited to a level of accuracy that is less precise than the location information that is to be collected or inferred by InMobi.

InMobi also agreed to institute a comprehensive privacy program subject to regular third-party assessments, the first of which must subsequently be produced to the Commission for review. All of these corrective actions can be seen as best practices for the mobile app industry, even though they are "fencing in" agreements that go beyond what the baseline of U.S. law requires. Of the $4 million civil penalty assessment, only $950,000 will be payable due to InMobi's financial condition.

Developers/Publishers at Risk – Looking Beyond InMobi

Although the Commission only acted on InMobi's violations, app and site publishers are ultimately responsible for the information collected by or in connection with their apps or sites, including ad server tracking and targeting activities. Publishers are strictly liable for COPPA violations of third-party vendors. Vendors may provide a variety of services to publishers, such as data analytics or ad services. Even if a vendor provides assurances of COPPA compliance, as InMobi is said to have provided, developers/publishers should conduct proper due diligence and push for contractual representations and warranties and indemnification provisions.
