InMobi’s Illegal Location Tracking Debacle Is Just The Tip Of The Iceberg And Regulators Are Chomping At The Bit

InMobi was the first mobile ad network to get whipped by the Federal Trade Commission under the Children’s Online Privacy Protection Act (COPPA) for tracking geolocation without parental consent – and it’s not going to be the last.

“What happened here is a wake-up call for regulators,” said Allison Fitzpatrick, a partner in the advertising, marketing and promotions practice group at Davis & Gilbert LLP. “They looked at an ad network and they did not like what they saw. I’d even say it made them angry.”

The FTC hit inMobi with a $950,000 fine – lowered from $4 million due to inMobi’s “financial condition” (ouch) – for tracking the location of hundreds of millions of consumers, kids included, and using that information to serve behaviorally targeted advertising. (Read the full FTC complaint here.)

Up until now, the FTC has only used COPPA to go after developers and website operators for allowing third-party advertisers to collect personally identifiable information from their under-13 users.

Now the FTC has its eye on the middleman.

“I wouldn’t be surprised if there were a lot of other ad networks doing what inMobi was doing,” Fitzpatrick said.

The inMobi case boils down to the company’s seemingly cavalier attitude toward the opt-in process. Other than that, inMobi was operating in a similar fashion to all the other ad networks and exchanges out there – aggregating supply, matching it with demand and tracking whatever data they could get their hands on to ensure that the placements were as targeted as possible.

What actually tripped inMobi up was the kid question.

In its complaint, the FTC alleges that inMobi told its advertiser clients that its advertising software would honor COPPA and only track location after a kosher opt-in. In practice, inMobi tracked consumers, including children, whether they’d opted in or not.

But because the definition of personally identifiable information is different for children and adults (location data is not considered to be PII for consumers over the age of 13), the FTC was able to go after inMobi.

Do You Follow?

Kids are untouchable. But whether adult consumers understand the behind-the-scenes machinations of ad tech is another question entirely. And legal definitions of what constitutes PII aside, many consumers do consider their location data to be quite sensitive.

According to research from Pew, “Location data seems especially precious in the age of the smartphone.”

But inMobi appeared to be straight up ignoring opt-outs. Nevertheless, average consumers might not know how an ad network works even if there is an opt-in.

“If I’m a consumer and I install some ‘Candy Whatever’ game, I might think I have some sort of direct relationship with the game, and maybe the game is tracking me, maybe it’s not, maybe I don’t care,” said Andrew Sudbury, CTO and co-founder of Abine, a company that develops online privacy software. “But without realizing it, I’m giving a company like inMobi the right to track me and serve me ads that correspond to my location.”

In contrast to inMobi, a company like Foursquare, for example, gets first-party location data from consumers who actively check into locations in order to engage in a specific exchange of value, aka you tell me where you are and I give you a cool restaurant recommendation.

But opt-ins aren’t always straightforward, and it’s hard to imagine how permissions would work in emerging cases, like using wireless tire pressure sensors to track a car’s location or connecting CCTV images to in-store purchases.

“The only thing really holding any of those things back is finding good ways to commercialize them at scale, but it’s coming,” Sudbury said. “The people who get creeped out by location tracking are going to have a tough time in the near future.”

Consumers might logically expect that deleting an app or not playing a game anymore means they’re no longer being tracked by it.

“But they’re still giving their data to the same entity through multiple other channels that see their position because of a unifying system of apps,” Sudbury said. “Companies are aggregating all of this and they’ve built up massive databases of preferences and activities that as a consumer I would probably never understand or even realize is happening.”

Where Do We Go From Here?

If consumers don’t understand what they’re agreeing to, it’s up to the industry to be more transparent and for the FTC to encourage that transparency.

Notice and choice mechanisms – things like the AdChoices program and opt-out cookies – are mainly the preserve of self-regulatory organizations like the Digital Advertising Alliance and the Network Advertising Initiative.

The FTC seems to be starting to take a more active role.

The commission will hold a workshop in mid-September to dig into and evaluate the disclosures that companies make to consumers about advertising claims and privacy practices.

But “for the FTC to take action because they believe that disclosures and consent mechanisms are generally unclear or insufficient would require the commission to bring an unfairness claim under its Section 5 authority,” said Alan Chapell, president of the privacy consulting firm Chapell & Associates. “Generally speaking, those types of actions are more difficult for the FTC to prove than actions based on false/deceptive claims.”

Sudbury, though, says the self-reg regime around permissions is just an ornamental Band-Aid.

“I fully believe that most analytics companies are basically operating effectively unconstrained,” Sudbury said. “There’s a long history [in this space] of companies doing essentially whatever they can with any new technology to get the max amount of data possible regardless of user desire and intent or the mechanisms that are put in place to help manage those things.”

And location in particular is “simply a very confusing area,” Fitzpatrick said.

“It’s not as easy to pinpoint a violation here as it is with other types of personal information,” she said. “The FTC is getting up to speed, but it’s a fast-moving space and it’s not easy trying to figure out how and where all of these ad networks are getting their geolocation data.”

And now, advertisers and developers don’t want to be on the hook for their partners’ mistakes.

“I wouldn’t be at all surprised if operators and developers started investigating and auditing their own apps to make sure these ad networks are compliant with the law,” Fitzpatrick said. “And if they aren’t, I also wouldn’t be surprised if they started reporting these ad networks to the FTC.”
