The Federal Trade Commission (“FTC”) issued a press release last week announcing it has assessed $950,000 in civil penalties against Singapore-based mobile advertising company InMobi for alleged violations of the FTC Act and the Children’s Online Privacy Protection Act of 1998 (“COPPA”). The penalty is part of InMobi’s settlement with the FTC over allegations that InMobi tracked user location information without user knowledge or consent. The FTC’s decision highlights the complexities inherent in the growing internet of things (IoT), especially the diversity of consumer groups involved and the impact of privacy statements made across applications and platforms.
In its complaint filed in the United States District Court for the Northern District of California, the FTC alleges that InMobi, which describes itself as “the world’s largest independent mobile advertising company,” impermissibly collected user geolocation data through its “InMobi SDK” software development kit. InMobi marketed its software development kit to application developers, who could monetize their applications by allowing third party advertisers to provide targeted, location-based advertising to consumers across all mobile applications integrating InMobi SDK.
The FTC alleges that InMobi represented to application developers that it tracked consumer locations and served geo-targeted ads only if the application developer and consumer provided consent. According to the complaint, InMobi instead collected wireless network BSSID information related to the wireless network to which a consumer’s device was connected or in-range, even if the consumer had not provided consent. InMobi would then allegedly infer a user’s latitude and longitude by feeding the wireless network information into its geocoder database, where it was correlated with known location information.
InMobi’s settlement with the FTC further requires that the company delete any information collected from children, as well as any other user location information obtained without consent. InMobi is also prohibited from gathering consumer location information without consent, and the company must establish a privacy program subject to independent audit for the next 20 years.