As a certain elusive children’s videogame character will attest, precise geolocation can be highly sensitive information. According to a settlement the FTC just announced with OpenX Technologies, Inc. – a real-time bidding platform that enables targeted advertising on websites and apps – OpenX deceived people about their right to opt out of the collection of precise location data. What’s more, OpenX collected personal information from kids under 13, in violation of the Children’s Online Privacy Protection Rule. To settle the case, OpenX will pay $2 million in civil penalties and make substantial changes to how they do business. What can your company learn from the latest settlement?
California-based OpenX operates a programmatic advertising exchange – a real-time bidding platform that conducts auctions for ad space. Among the ways that companies can facilitate the publication of ads in their apps is by integrating OpenX’s software development kit (SDK). That code allows OpenX to collect data from consumers’ devices, which in turn allows OpenX to serve up ads within those apps.
Programmatic advertising lets advertisers select among various criteria to deliver targeted ads to their preferred audiences. OpenX manages the competing bids and facilitates the display of ads from the winning bidder. It may sound like a niche market, but it’s not. OpenX describes itself as the largest independent advertising exchange, with over 1,200 premium publishers, at least 50,000 apps, and tens of thousands of participating partners – advertisers, ad agencies, and ad networks.
Over the years, OpenX has told consumers in its Privacy Policy:
Opting Out for Location Data: You may opt out of our collection, use, and transfer of precise location data by using the location services controls in your mobile device’s settings.
Despite that claim, the FTC says that OpenX accessed precise geolocation data from Android users even after those consumers chose not to have their data collected. The complaint alleges that OpenX used a pathway that ignored the permissions-based model incorporated within consumers’ apps, rendering its representations false or misleading under Section 5 of the FTC Act.
But that’s not all. The complaint also alleges that OpenX violated the COPPA Rule. In its Privacy Policy, OpenX represented that it “does not engage in activities that require parental notice or consent under the Children’s Online Privacy Protection Act (COPPA).” OpenX, however, reviewed apps before allowing them to participate in the OpenX Ad Exchange in order to identify restricted content (for example, gambling or pornography) and categorize content by subject matter (for example, “Finance” or “Sports”). It also claimed to flag child-directed content so that it didn’t engage in activities that would require it to comply with COPPA.
But despite what OpenX said, hundreds of child-directed apps that OpenX reviewed weren’t banned from the OpenX Ad Exchange or flagged as child-directed. Many of these apps included terms that identified the intended audience as “toddlers,” “for kids,” “kids games,” or “preschool learning,” and included age ratings indicating they were directed to children under 13. The upshot: Kids who used those child-directed apps were targeted with advertising that used their personal information, including their precise geolocation, in violation of the COPPA Rule and in contravention of OpenX’s own privacy promises.
In addition to the $2 million civil penalty, the settlement requires OpenX to delete any data it collected to serve targeted ads and to put in place a comprehensive privacy program to ensure COPPA compliance. That includes a periodic re-review to identify additional child-directed apps and ban them from the company’s ad exchange.
What can other companies take from the OpenX settlement?
The case sends a loud-and-clear “listen up” message to the ad tech industry. All companies – especially members of the ubiquitous (but often invisible) ad tech industry – should pay attention to the information they’re collecting. Gathering massive amounts of data “just because” is an unwise approach that sensible businesses abandoned in the last century.
Do you have permission to collect what you do? Pay attention to the data you gather and make sure you have appropriate permissions governing that data. You must respect consumers’ stated choices.
“Set it and forget it” may work for crockpots, but not for the collection of consumer information. Collecting certain data at one point in time doesn’t mean it’s OK forever and ever. Wise companies build periodic compliance checks into their procedures. Take a fresh look at what you’re collecting, whether it’s still permissible for you to gather that data, and whether your business reasons still hold up in light of changes in technology and the nature of your company.
Companies that aren’t consumer-facing may still have obligations under COPPA. Most businesses know that under the COPPA Rule, sites and apps “directed to children” are covered. But the Rule also spells out that a site or online service – including an app – will be considered “directed to children when it has actual knowledge that it is collecting personal information directly from users of another Web site or online service directed to children.” Does that definition apply to you?
Looking for resources to streamline your COPPA compliance? Visit the FTC’s Children’s Privacy page.