OpenX, the internet ad exchange, agreed to pay $2 million after the Federal Trade Commission said it “secretly” collected data, including children’s personal information, in a case that serves as an example of how U.S. regulators are looking more closely at online ad markets.
On Wednesday, the FTC announced the settlement with OpenX, which is one of the few independent exchanges, serving ads for more than 1,200 publishers and 50,000 mobile apps, according to the complaint.
OpenX was accused of scooping geolocation data from mobile devices, even when consumers had opted out of sharing location information. On Wednesday, OpenX’s leadership said in a blog post that it “inadvertently” collected the data.
In 2018, Google, which operates Android devices, informed OpenX that its ad software was collecting a unique identifier from phones—a code that could be used to decipher people’s locations. OpenX’s blog post said it never used the data to derive locations. The FTC complaint, however, alleged that as part of running real-time bidding ad auctions, OpenX shared the data with location data brokers, advertisers, ad agencies and other ad networks.
The misstep led the FTC to further investigate OpenX’s data and privacy policies, which uncovered cases where OpenX’s ad exchange served ads and collected data from children’s apps, violating the Children’s Online Privacy Protection Act, according to regulators.
“OpenX has received millions, if not billions, of ad requests directly or indirectly from child-directed Apps,” according to the complaint released on Wednesday. “And transmitted millions, if not billions, of bid requests containing personal information of children to OpenX’s demand-side partners. These requests included location information and persistent identifiers used for online behavioral advertising.”
“To put it plainly, it was a mistake,” OpenX said in its blog post. “OpenX has strict rules and processes in place to ensure that we comply with COPPA. In this situation, an unintentional error was made.”
OpenX’s settlement is another sign that U.S. regulators are taking more action against internet ad companies and investigating privacy breaches in online auctions. There also has been extra scrutiny on how children are targeted by ads online. Last week, Instagram CEO Adam Mosseri testified before Congress about teens on social media, and lawmakers were interested in how ads are targeted to teens. Congress is considering stricter rules over children’s online privacy. In 2019, TikTok, the Chinese-owned app was fined $5.7 million by the FTC over collecting children’s data.
There also have been major changes to how apps and websites collect data on Apple iPhones and Android devices. This year, Apple implemented its App Tracking Transparency framework, which mandates that developers obtain express consent to collect data about their users. Government and industry policies are changing the way that ad exchanges, and participants in ad auctions, share information on consumers, which is affecting programmatic advertising from the U.S. to Europe.
Noah Joshua Phillips, one of five FTC commissioners, wrote a “concurring statement” that agreed with the OpenX settlement, but also offered a defense of the company. Phillips noted that one of the reasons OpenX was liable for violating children’s privacy policies was because it is one of the only ad exchanges that conducts human reviews to verify the sites and apps in its network. “OpenX opened itself up to liability by having people review apps to make sure they were not child directed. According to the complaint, OpenX failed at that review,” Phillips wrote. “But, had it not done any such review, it might not be subject to penalties at all.”
“It is not clear to me that we want to discourage human review of whether apps are child directed,” Phillips added.