California-based online advertising platform OpenX Technologies, Inc. will be required to pay $2 million to settle Federal Trade Commission allegations that the company collected personal information from children under 13 without parental consent, a direct violation of a federal children’s privacy protection law. The FTC also alleged that despite offering an opt-out option, OpenX collected geolocation information from users who specifically asked not to be tracked.
In a complaint filed by the Department of Justice on behalf of the FTC, the Commission alleged that OpenX, which operates a real-time bidding platform that monetizes websites and mobile apps by selling ad space, failed to comply with the FTC’s Children’s Online Privacy Protection Act Rule (COPPA Rule), which requires that websites, apps, and online services that are child-directed or knowingly collect personal information from children notify parents and get their consent before collecting, using or disclosing personal information from children under 13.
“OpenX secretly collected location data and opened the door to privacy violations on a massive scale, including against children,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Digital advertising gatekeepers may operate behind the scenes, but they are not above the law.”
The FTC’s investigation found that OpenX reviewed hundreds of child-directed apps with terms that identified the intended audience as “for toddlers,” “for kids,” “kids games,” or “preschool learning,” and included age ratings for the apps indicating they were directed to children under 13. These apps and their data were not flagged as child-directed and participated in the OpenX ad exchange, according to the FTC. Because OpenX had knowledge that apps in the ad exchange were child-directed and that the company was collecting personal information from children under 13, the FTC alleged that it had violated the COPPA Rule. OpenX passed this personal data to third parties that used it to target ads to users of the child-directed apps.
In addition to violating the FTC’s COPPA Rule, OpenX violated the FTC Act by falsely claiming that the company did not collect geolocation from users who opted out of such data collection, according to the complaint. In fact, the FTC alleged, OpenX did continue to collect geolocation data from some Android mobile phone users even after they specifically chose not to have such location tracking data collected.
In addition to the $2 million settlement, the order requires OpenX to delete all ad request data it collected to serve targeted ads and implement a comprehensive privacy program to ensure it complies with COPPA and stops collection and retention of personal data of children under 13. This includes requiring the company to re-review apps on a periodic basis to identify additional child-directed apps and ban them from the company’s ad exchange. It also requires the company to keep track of which apps and websites have been banned or removed from its exchange.
The Commission vote to authorize the staff to refer the complaint to the DOJ and to approve the stipulated final order was 4-0. Commissioner Noah Joshua Phillips issued a separate statement. The DOJ filed the complaint and final order on behalf of the Commission in the U.S. District Court for the Central District of California, Western Division.
NOTE: The Commission files a complaint when it has “reason to believe” that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.
The Federal Trade Commission works to promote competition and protect and educate consumers. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow the FTC on social media, read consumer alerts and the business blog, and sign up to get the latest FTC news and alerts.