The operator of a programmatic advertising platform that enables targeted advertising on websites and apps agreed to pay a $2 million civil penalty to settle Federal Trade Commission (FTC) allegations that it illegally collected personal information from children under 13 and geolocation information from those who opted out. The operator, OpenX, calls itself the largest independent advertising exchange with more than 1,200 publishers of approximately 50,000 apps, and it claims to partner with thousands of advertisers, advertising agencies and advertising networks. The settlement appears to be the first one against an advertising platform. In its Dec. 15 announcement on the settlement, the FTC also appeared to signal a focus on the advertising technology players that power digital advertising rather than on the advertisers or operators of the platforms on which the advertising is displayed, calling the OpenX settlement a wake-up call for the advertising technology industry and an opportunity for that industry to review its practices.
Misleading Privacy Policies
Under the settlement agreement, OpenX will pay a $2 million civil penalty, delete any data it collected to serve targeted ads and establish a privacy program to ensure COPPA compliance. The program will include regular reviews to identify additional child-directed apps and ban them from OpenX’s advertising exchange.
The settlement agreement was filed in a federal California court.
FTC Advice for Businesses
Calling on the advertising technology industry to review its practices, the FTC advised ad tech players to:
- Review the information they collect from consumers to determine whether the data serves a legitimate business need. Gathering data without a real purpose can easily land a business in trouble.
- Ensure the appropriate permission has been granted to collect consumer information. Also make sure consumer privacy policies reflect what is being done in reality.
- Implement regular compliance checks to review the information collected and the reasons for the collection. Evolving technology and new business needs require reevaluating data collection purposes and processes.
- Check with legal advisors to clarify COPPA obligations. As the OpenX settlement illustrates, businesses that are not consumer-facing may still have responsibilities to protect children under 13. Under COPPA, a website or online service is considered “directed to children when it has actual knowledge that it is collecting personal information directly from users of another Web site or online service directed to children.”