InMobi, the mobile ad platform that Fast Company recently ranked 15th among The World’s Most Innovative Companies, has a new trophy – an FTC consent decree and a $4 million civil penalty (all but $950,000 was suspended).
According to the Federal Trade Commission complaint, even if a consumer had denied access to the location API on their device, InMobi still tracked the person’s location and, in many instances, served geo-targeted ads. The company collected information about the WiFi networks the device was connected to or that were nearby and worked backwards to determine the consumer’s location.
Although InMobi is not consumer-facing, the FTC explained in a blog post:
While the FTC primarily sues businesses for misleading claims made to consumers, the case against InMobi demonstrates that companies also can be held liable for deceptive statements made to other businesses when those misrepresentations ultimately affect consumers. In this case, the deceptive statements were in InMobi’s guide for app developers. InMobi said it tracked a consumer’s location and served geo-targeted ads only if the app developer provided access to the location API and the consumer gave opt-in consent. But using the WiFi method we just described, InMobi also secretly tracked location without permission. Since InMobi wasn’t honest about how its software worked, app developers weren’t able to give consumers accurate information about whether and how they would be tracked. Consumers, in turn, didn’t have facts that would have been material to their decision of whether to install or use an app.
In addition, InMobi touched the third rail of privacy offenses – the Children’s Online Privacy Protection Act.
Following the 2013 COPPA amendments, InMobi introduced an option in its registration process where app developers could check a box to indicate the app was kid-directed: “My property is specifically directed to children under 13 years of age and/or I have actual knowledge that it has users known to be under 13 years of age.” Since then, thousands of app developers who use the InMobi SDK have checked that box.
The problem is that for kids’ apps, InMobi used the same surreptitious method for determining geolocation that it used in other apps. Not only that, but the company also collected location information directly from the location API when available. InMobi then combined all that location information with the device’s unique identifier, and served behavioral advertising within these kid-directed apps – all without parental consent. The upshot? Hundreds of millions of consumers downloaded thousands of kid-directed apps from which InMobi collected and used personal information, in violation of COPPA. According to the FTC, InMobi collected the data every time an app made a request to its network – typically every 30 seconds when an app was in use.