The mobile advertising firm InMobi has agreed to pay the Federal Trade Commission $950,000 to settle allegations that it tracked hundreds of millions of consumers' locations without their knowledge or consent in order to serve targeted ads to their phones and violated recently-updated child privacy protection rules.
The settlement says InMobi is subject to a $4 million penalty but was allowed to pay less because of its financial condition, according to the FTC.
The settlement marks the first FTC action against a mobile ad network as well as the first Children's Online Privacy Protection Act case against an ad network under rules revised in 2013.
Many of the third party mobile ad targeting and measurement services available today rely on device location tracking to aim geo-targeted ads to people. Several popular mobile apps require people to allow the apps to trace their device locations, asking expressly for consent for location tracking to enable the app download.
The FTC's complaint alleges that InMobi followed device locations even when people, sometimes children using apps geared towards kids, disabled tracking or never consented via a particular app in the first place.
"It didn't matter if someone consented or not, InMobi would still be tracking either way so they weren't respecting the choice," said Nithan Sannappa, senior attorney with the FTC's division of privacy and identity protection.
The FTC said InMobi used consumers who opted in to determine the location of various WiFi networks, then inferred the location of other consumers based on the WiFi networks they were near.
While some third-party mobile ad technologies rely on similar location inference, the alleged violation of FTC regulations occurred when InMobi did it to people who never consented or disabled location tracking.
"In certain instances, InMobi has inferred user location through the Wifi identifier as part of the SDK integration with publisher apps without express election by a user," the company said in a statement sent via email to Ad Age. "While InMobi was not fined by the FTC for this practice, to implement best practices, going forward InMobi will only use WiFi information when serving location based targeted advertising campaigns when an app user has authorized the app to collect and transmit the same."
The commission also alleged that inMobi violated the Children's Online Privacy Protection Act by tracking device IDs, considered to be personal information according to a 2013 COPPA rule update.
"Ad networks and other third parties can be held liable for violating COPPA if they have actual knowledge that they are collecting personal information from apps that are child-directed," said Mr. Sannappa.
InMobi said the violation occurred as a result of technical error and that it has been fully compliant with COPPA regulations since the fourth quarter of last year. According to the company statement:
"With best intentions to adhere to COPPA requirements, InMobi implemented a process to exclude any publisher's site or app identified as a COPPA app from interest-based, behavioral advertising. During the investigation by FTC, InMobi discovered that there was a technical error at InMobi's end that led to the process not being correctly implemented in all cases. As a result, some COPPA sites were served with interest-based campaigns on the InMobi Network. InMobi promptly notified the FTC of this issue as soon as it was discovered and has made it clear from the outset that this was by no way means deliberate. Any family safe ads that may have formed part of targeted campaigns would have been undertaken to target the adult owner of the device."
Under the terms of the settlement, InMobi is barred from collecting location information without consumers' "affirmative express consent" and must their honor location privacy settings, the FTC said. The company must also follow a privacy program that will be audited every two years for the next 20 years.