As a certain elusive children’s videogame character will attest, precise geolocation can be highly sensitive information. According to a settlement the FTC just announced with OpenX Technologies, Inc. – a real-time bidding platform that enables targeted advertising on websites and apps – OpenX deceived people about their right to opt out of the collection of precise location data. What’s more, OpenX collected personal information from kids under 13, in violation of the Children’s Online Privacy Protection Rule. To settle the case, OpenX will pay $2 million in civil penalties and make substantial changes to how they do business. What can your company learn from the latest settlement?
California-based OpenX operates a programmatic advertising exchange – a real-time bidding platform that conducts auctions for ad space. Among the ways that companies can facilitate the publication of ads in their apps is by integrating OpenX’s software development kit (SDK). That code allows OpenX to collect data from consumers’ devices, which in turn allows OpenX to serve up ads within those apps.
Programmatic advertising lets advertisers select among various criteria to deliver targeted ads to their preferred audiences. OpenX manages the competing bids and facilitates the display of ads from the winning bidder. It may sound like a niche market, but it’s not. OpenX describes itself as the largest independent advertising exchange, with over 1,200 premium publishers, at least 50,000 apps, and tens of thousands of participating partners – advertisers, ad agencies, and ad networks.
Opting Out for Location Data: You may opt out of our collection, use, and transfer of precise location data by using the location services controls in your mobile device’s settings.
Despite that claim, the FTC says that OpenX accessed precise geolocation data from Android users even after those consumers chose not to have their data collected. The complaint alleges that OpenX used a pathway that ignored the permissions-based model incorporated within consumers’ apps, rendering its representations false or misleading under Section 5 of the FTC Act.
But despite what OpenX said, hundreds of child-directed apps that OpenX reviewed weren’t banned from the OpenX Ad Exchange or flagged as child-directed. Many of these apps included terms that identified the intended audience as “toddlers,” “for kids,” “kids games,” or “preschool learning,” and included age ratings indicating they were directed to children under 13. The upshot: Kids who used those child-directed apps were targeted with advertising that used their personal information, including their precise geolocation, in violation of the COPPA Rule and in contravention of OpenX’s own privacy promises.
In addition to the $2 million civil penalty, the settlement requires OpenX to delete any data it collected to serve targeted ads and to put in place a comprehensive privacy program to ensure COPPA compliance. That includes a periodic re-review to identify additional child-directed apps and ban them from the company’s ad exchange.
What can other companies take from the OpenX settlement?
The case sends a loud-and-clear “listen up” message to the ad tech industry. All companies – especially members of the ubiquitous (but often invisible) ad tech industry – should pay attention to the information they’re collecting. Gathering massive amounts of data “just because” is an unwise approach that sensible businesses abandoned in the last century.
Do you have permission to collect what you do? Pay attention to the data you gather and make sure you have appropriate permissions governing that data. You must respect consumers’ stated choices.
“Set it and forget it” may work for crockpots, but not for the collection of consumer information. Collecting certain data at one point in time doesn’t mean it’s OK forever and ever. Wise companies build periodic compliance checks into their procedures. Take a fresh look at what you’re collecting, whether it’s still permissible for you to gather that data, and whether your business reasons still hold up in light of changes in technology and the nature of your company.
Companies that aren’t consumer-facing may still have obligations under COPPA. Most businesses know that under the COPPA Rule, sites and apps “directed to children” are covered. But the Rule also spells out that a site or online service – including an app – will be considered “directed to children when it has actual knowledge that it is collecting personal information directly from users of another Web site or online service directed to children.” Does that definition apply to you?
Looking for resources to streamline your COPPA compliance ? Visit the FTC’s Children’s Privacy page.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.