FTC Settles Complaint against Mobile Ad Network InMobi over Location-Data Collection & COPPA Violations

The FTC announced today that it reached a settlement with mobile ad network InMobi. InMobi offers a software-development kit (SDK) that its third-party app-developer customers can integrate into their mobile applications. The SDK allows InMobi to target advertisements to app users based on data collected and allows the app developer to thereby better monetize its advertising inventory. The FTC alleged that – after representing to its developer customers that it would collect location information only after an app user opted into such collection – InMobi broadly collected location data from all app users, even those who denied an app's request to collect such data.  Notably, the FTC did not allege that InMobi simply ignored a user’s decision and accessed device location data anyway.  Instead, the FTC alleged that InMobi built a mechanism whereby it could effectively sidestep the consumer’s choice and determine his or her location through means other than direct access to device location data.

InMobi’s SDK was configured to collect SSID information about nearby WiFi networks from any app into which the SDK was incorporated (provided the app operator had enabled certain functions).  The FTC’s complaint alleges that InMobi used that information to create a database of WiFi networks.  It then used information provided by those app users who had opted into the collection of device location information to determine the location of nearby WiFi networks.  Armed with that database, InMobi inferred the location of users who had not opted into the collection of device location information, based on their proximity to a particular WiFi network (and then used the location inference to geotarget ads to those users).  The FTC claimed that this end-run around the consumer’s decision, coupled with InMobi’s representations to its app-developer customers that it would collect location data only with consent, violated the FTC Act.

The FTC also alleged that InMobi violated the Children’s Online Privacy Protection Act by collecting location data and other personal information from the users of apps that had been identified to InMobi as being child-directed and using that information to target ads.  In 2013 (just before the new COPPA rule took effect), InMobi set up a mechanism whereby app operators signing up to use its service could designate whether their property was directed to children.  InMobi represented in its Privacy Policy that it would not collect personal information for behavioral-advertising purposes from apps that identified themselves as child-directed.  According to the FTC’s complaint, notwithstanding this process, InMobi ignored the child-directed designation and continued to collect personal information from those apps until October 2015.

The settlement includes a $4,000,000 fine against InMobi, though it was suspended to $950,000 “based on the company’s financial condition.” The settlement also requires InMobi to delete all information collected from children and all location information collected from other app users without their consent. In addition, InMobi is required to implement a comprehensive privacy program that must be independently audited every two years for the next twenty years.

_______

Additional Documents:

Complaint

Stipulated Order for Permanent Injunction and Civil Penalty Judgment

FTC Press Release

FTC Blog Post