The operator of a programmatic advertising platform that enables targeted advertising on websites and apps agreed to pay a $2 million civil penalty to settle Federal Trade Commission (FTC) allegations that it illegally collected personal information from children under 13 and geolocation information from those who opted out. The operator, OpenX, calls itself the largest independent advertising exchange with more than 1,200 publishers of approximately 50,000 apps, and it claims to partner with thousands of advertisers, advertising agencies and advertising networks. The settlement appears to be the first one against an advertising platform. In its Dec. 15 announcement on the settlement, the FTC also appeared to signal a focus on the advertising technology players that power digital advertising rather than on the advertisers or operators of the platforms on which the advertising is displayed, calling the OpenX settlement a wake-up call for the advertising technology industry and an opportunity for that industry to review its practices.
Misleading Privacy Policies
The FTC said OpenX Technologies Inc. violated the Children’s Online Privacy Protection Act (COPPA) and its own privacy policy. OpenX stated in its policy that it did not engage in any activities that require parental notice or consent under COPPA. Despite this assertion, the company reviewed and allowed hundreds of child-directed apps to participate in the OpenX ad exchange without flagging them as intended for children. As a result, advertisers targeted children using the OpenX ad exchange and served advertisements on child-directed apps that collected the children’s personal information without parental consent.
Additionally, OpenX violated Section 5 of the FTC Act, which prohibits making false and misleading representations to consumers. OpenX informed consumers in its privacy policy that they could opt out of its collection and use of precise geolocation data via their mobile device settings, but then collected the data anyway. Despite its stated policy, OpenX accessed geolocation data for Android users who had specifically chosen not to have such information collected.
Settlement Terms
Under the settlement agreement, OpenX will pay a $2 million civil penalty, delete any data it collected to serve targeted ads and establish a privacy program to ensure COPPA compliance. The program will include regular reviews to identify additional child-directed apps and ban them from OpenX’s advertising exchange.
The settlement agreement was filed in a federal California court.
FTC Advice for Businesses
Calling on the advertising technology industry to review its practices, the FTC advised ad tech players to:
- Review the information they collect from consumers to determine whether the data serves a legitimate business need. Gathering data without a real purpose can easily land a business in trouble.
- Ensure the appropriate permission has been granted to collect consumer information. Also make sure consumer privacy policies reflect what is being done in reality.
- Implement regular compliance checks to review the information collected and the reasons for the collection. Evolving technology and new business needs require reevaluating data collection purposes and processes.
- Check with legal advisors to clarify COPPA obligations. As the OpenX settlement illustrates, businesses that are not consumer-facing may still have responsibilities to protect children under 13. Under COPPA, a website or online service is considered “directed to children when it has actual knowledge that it is collecting personal information directly from users of another Web site or online service directed to children.”