Keypoint: Advertising platform settles with the FTC over allegations that it collected location data without consent and collected information from child-directed apps without notice or parental consent in violation of the FTC Act and COPPA.

Online advertising exchange platform, OpenX Technologies, Inc., has been ordered to pay $2 million of a $7.5 million judgment to settle Federal Trade Commission allegations that it misrepresented its data collection, use, and disclosure practices as it concerns personal information collected from children and location information collected from consumers who had not granted or had denied requisite location permissions.

OpenX helps publishers monetize their websites and mobile applications by auctioning ad space on those digital properties to advertisers, advertising agencies, and advertising networks. OpenX collects information from a consumer’s device when they visit a publisher’s website or app. OpenX then shares this information with advertisers on its exchange to enable advertisers to bid on the ad space and OpenX facilitates the display of an ad associated with the winning bid.

The FTC initiated its investigation in 2018 when Google notified OpenX that it was in violation of Google’s policies by acquiring location information through a non-sanctioned “backdoor method” and under circumstances where the consumer’s privacy controls were set to restrict access to their location data. OpenX was then disclosing this information to its ad exchange to enable advertisers to serve targeted advertisements. As a result, publishers were providing inaccurate information to consumers regarding their ability to manage their preferences. Further, as alleged in the Complaint, OpenX’s privacy policy misrepresented that individuals could “opt out of our collection, use, and transfer of precise location data by using the location services controls in your mobile device’s settings.” OpenX remedied the error, but the FTC continued its investigation.

The FTC’s investigation found that OpenX violated the Children’s Online Privacy Protection Act and the Children’s Online Privacy Protection Rule (collectively “COPPA”). COPPA requires operators of websites, applications, and online services directed at children or operators that knowingly collect personal information from children, to notify parents and receive parental consent prior to collecting, using, or disclosing personal information from children under 13. According to the FTC, OpenX collected personal information from children under 13 without complying with its notice and consent obligations under COPPA.

OpenX represented that it did not engage in activities that would require notice and consent under COPPA since its traffic quality analysts were tasked with thoroughly reviewing every website and app against numerous criteria, including COPPA, and restricting any child-directed properties from participating in its ad exchange. The Complaint alleges, however, that “OpenX’s instructions to its analysts narrowly defined child-directed properties as those ‘primarily’ directed to children thereby excluding … many Web sites and Apps that target children as one of their audiences. The FTC alleges that OpenX reviewed hundreds of child-directed apps that included age ratings and identified the intended audience as “for toddlers,” “for kids,” “kids games,” “preschool learning,” and “kindergarten.” OpenX did not flag these apps as child-directed and passed the personal data it collected from the websites and apps to third parties to target users of the child-directed apps, in violation of COPPA.

OpenX responded to the settlement in a blog post, describing the alleged violations as a “mistake” and “unintentional error.”

The FTC categorized it differently. “OpenX secretly collected location data and opened the door to privacy violations on a massive scale, including against children,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Digital advertising gatekeepers may operate behind the scenes, but they are not above the law.”

In addition to the monetary fine, OpenX must, among other things, establish and implement a comprehensive privacy program, undergo third-party privacy assessments, delete all consumer data previously collected, and provide notice of the order to its advertising partners.

FTC Commissioner, Noah Joshua Phillips, submitted a Concurring Statement. Phillips acknowledges that “there is no obvious reason to require that OpenX provide notice to its clients[] [o]ther than perhaps to further penalize OpenX.” Phillips also raised the concern that this investigation may be setting bad precedent: “OpenX opened itself up to liability by having people review apps to make sure they were not child directed. … OpenX failed at that review. But, had it not done any such review, it might not be subject to penalties at all. … we need to be careful to weigh the instinct to penalize against the desire to foster a commercial environment where care is taken with regard to apps directed at children.”

This order serves as a warning to advertising networks and highlights regulators continued focus on children’s privacy. More generally, companies should ensure the accuracy of their privacy policies and terms – by not overstating what you do, complying with applicable contractual obligations (e.g., Android or iOS platform policies), and properly training personnel engaged in data collection and use.