Ad network InMobi has agreed to pay nearly $1 million to settle Federal Trade Commission charges that it deceived consumers and tracked their locations without their knowledge and consent. In its complaint for civil damages and a permanent injunction (below), the FTC alleged that even if consumers had denied the location services request of one of InMobi’s partner apps, the company still used WiFi triangulation to track their location:

Even if the consumer had restricted an application’s access to the location API, until December 2015, Defendant still tracked the consumer’s location and, in many instances, served geo-targeted ads, by collecting information about the WiFi networks that the consumer’s device connected to or that were in-range of the consumer’s device.

The FTC asserted that InMobi disregarded the privacy preferences of “hundreds of millions of consumers, including children.” The FTC also charged that by tracking kids’ locations, the company violated the Children’s Online Privacy Protection Act (COPPA).

The settlement requires InMobi to pay $950,000, reduced from a $4 million civil penalty, and to permanently delete the information it collected on the location/movements of children. It must also create a “comprehensive privacy program that will be independently audited every two years for the next 20 years.”

A blog post from the Future of Privacy Forum further explains what happened in plain language:

InMobi’s behavior was deceptive because they misrepresented their data collection — that is, they told the public and app developers that geo-targeting required opt-in consent, stating that they would respect users’ choices, and then didn’t respect those choices.

The simple interpretation and implication of today’s announcement is that developers and ad networks must provide transparency to consumers and respect their decisions around location tracking/services. The problem here was that InMobi represented that it would only track location and serve geotargeted ads in cases where users had consented. Its actions contradicted that policy.

I suspect this case could be the first in a series of closer FTC examinations of location-related ad platforms and analytics companies. Everyone in the industry using location data should review their privacy policies and consumer disclosures and make sure they aren’t even inadvertently disregarding consumer privacy preferences.

Postscript: The following is a statement provided by InMobi:

With best intentions to adhere to COPPA requirements, InMobi implemented a process to exclude any publisher’s site or app identified as a COPPA app from interest-based, behavioral advertising. During the investigation by FTC, InMobi discovered that there was a technical error at InMobi’s end that led to the process not being correctly implemented in all cases. As a result, some COPPA sites were served with interest-based campaigns on the InMobi Network. InMobi promptly notified the FTC of this issue as soon as it was discovered and has made it clear from the outset that this was by no means deliberate. Any family-safe ads that may have formed part of targeted campaigns would have been undertaken to target the adult owner of the device. In certain instances, InMobi has inferred user location through the WiFi identifier as part of the SDK integration with publisher apps without express election by a user. While InMobi was not fined by the FTC for this practice, to implement best practices, going forward InMobi will only use WiFi information when serving location-based targeted advertising campaigns when an app user has authorized the app to collect and transmit the same. The errors were corrected in Q4 2015, and since then, InMobi has been fully compliant with all COPPA regulations. InMobi operates across several countries and continents, and intends to adhere to the best practices related to the data and privacy requirements of all the countries.