The Federal Trade Commission (“FTC”) issued a press release last week announcing it has assessed $950,000 in civil penalties against Singapore-based mobile advertising company InMobi for alleged violations of the FTC Act and the Children’s Online Privacy Protection Act of 1998 (“COPPA”).  The penalty is part of InMobi’s settlement with the FTC over allegations that InMobi tracked user location information without user knowledge or consent.  The FTC’s decision highlights the complexities inherent in the growing internet of things (IoT), especially the diversity of consumer groups involved and the impact of privacy statements made across applications and platforms.

In its complaint filed in the United States District Court for the Northern District of California, the FTC alleges that InMobi, which describes itself as “the world’s largest independent mobile advertising company,” impermissibly collected user geolocation data through its “InMobi SDK” software development kit.  InMobi marketed its software development kit to application developers, who could monetize their applications by allowing third party advertisers to provide targeted, location-based advertising to consumers across all mobile applications integrating InMobi SDK.

The FTC alleges that InMobi represented to application developers that it tracked consumer locations and served geo-targeted ads only if the application developer and consumer provided consent.  According to the complaint, InMobi instead collected wireless network BSSID information related to the wireless network to which a consumer’s device was connected or in-range, even if the consumer had not provided consent.  InMobi would then allegedly infer a user’s latitude and longitude by feeding the wireless network information into its geocoder database, where it was correlated with known location information.

InMobi also allegedly violated COPPA by falsely representing that it did not collect or use personal information from applications directed to children.  The complaint cites to InMobi’s privacy policy, which provided that any information collected from a child under the age of 13 would be immediately deleted.  The FTC alleges that InMobi knowingly collected and used personal information, including unique device identifiers, geolocation information, and BSSIDs, from thousands of applications InMobi knew were directed to children.

InMobi’s settlement with the FTC further requires that the company delete any information collected from children, as well as any other user location information obtained without consent.  InMobi is also prohibited from gathering consumer location information without consent, and the company must establish a privacy program subject to independent audit for the next 20 years.