In June 2016, India-based online advertising behemoth InMobi Ltd. agreed to pay a $ 950,000 fine to resolve Federal Trade Commission (FTC) allegations that its data collection practices violated the Children’s Online Privacy Protection Act (COPPA). InMobi, whose software resides on over a billion mobile devices, a fifth of them in North America, denied wrongdoing. It attributed the issues underlying the settlement to technical glitches. The settlement is noteworthy for three reasons.
First, the FTC has historically refrained from relying upon COPPA in enforcement actions. FTC’s preferred enforcement tool is Section 5 of the FTC Act, which gives it authority to regulate unfair and deceptive trade practices. In InMobi’s case, the FTC combined its Section 5 authority with action under COPPA. Unlike Section 5, COPPA provides for significant financial penalties even for a first offense. But that authority has been rarely used. In two decades, the FTC had fined errant companies about two dozen times.
One expert referred to a prevalent belief that the COPPA enforcement section consisted of a tottering desk in a dusty basement with a rotary phone. While FTC had issued rules to implement COPPA, its limited enforcement actions to date had left practitioners wondering if it intended to utilize its powers. With the imposition of a near-million dollar fine against InMobi, the FTC has definitively answered that question. Indeed, the originally proposed penalty was a $4 million fine. The FTC subsequently suspended all but $950,000 of that penalty, citing the company’s reportedly precarious financial condition.
Second, the facts were particularly striking. Though not a household name like competitors Facebook and Google, InMobi is one of the world’s leading mobile advertising companies. Embraced by heavyweight investors such as Kleiner Perkins, InMobi was a leading contender to become the first Indian “unicorn” – a tech startup with a market cap over a billion dollars. Microsoft was rumored to be considering an acquisition. Behind the promise lay a simple business model that is common within the industry but largely unknown outside it: InMobi software enabled developers to utilize third party ads within their own applications (and thereby monetize those apps). In bringing the action, the FTC charged that InMobi had misrepresented its data collection practices. InMobi told both its own customers – app developers – and the end users of those apps that the collection of users’ location information required their opt-in consent. In fact, the software monitored and collected that information without regard to user preferences.
Third, InMobi’s Privacy Policy stated that its platform was COPPA compliant. The company even offered app developers the ability to designate their apps as “child friendly” so as to facilitate COPPA compliance. In practice, however, the InMobi platform continued to collect information on all users, ignoring both user privacy preferences and COPPA restrictions. As a result, both InMobi and InMobi’s own customers – the app developers who utilized InMobi software in their apps – violated COPPA.
The FTC is not likely to pursue InMobi’s customers, and it has certainly shown no inclination to do so to date. However, the next enforcement action may be more sweeping and less forgiving of unwitting intermediaries like InMobi’s customers. Similarly situated software and app developers should view the settlement as a shot across the bow. At a minimum, it illustrates the importance of implementing a due diligence process when selecting software vendors. In order to avoid being put in the precarious position of InMobi’s customers, a well-developed diligence checklist should specifically vet the prospective vendor’s COPPA and data privacy compliance. Where necessary, insurance coverage and indemnification options also should be explored.
Despite the significant fine and the novel basis for enforcement, there is no indication that InMobi’s data collection practices were particularly uncommon. Critics have long charged that online analytics companies accumulate staggering amounts of data in a largely unregulated environment. The InMobi enforcement action signals the FTC’s intention to use all available tools to bring a greater level of regulatory oversight to these practices. InMobi may have been the first company to face an FTC enforcement action on COPPA grounds, but it will almost certainly not be the last. Whereas it was previously thought that the FTC may have given up the ship on COPPA enforcement, InMobi represents the first broadside in what will likely be an ongoing battle. Indeed, when it comes to COPPA, far from surrendering, the FTC has not yet begun to fine!
| © Poyner Spruill LLP. All rights reserved.