Recently in United States v. InMobi Pte Ltd., the Federal Trade Commission (FTC) set a new standard for geolocational tracking. The FTC told app developers and app marketers one simple rule: honor consumers location privacy preferences and do not track them without permission.
InMobi is a Singapore Company that provides ads within mobile apps. They are a business-to-business company and its only customers are app developers who integrate InMobi’s software into their apps. InMobi allows for the collection of data from app users to display targeted ads.
Geolocation is often the best data for determining what types of ads to present to users. InMobi offers app developers three options: 1) “now” suite based on current location; 2) “conditional” suite based on customers’ past habits; and 3) “psychographic” suite based on demographics and activities in the last two months (e.g. frequent airport trips, luxury vacations). However, many consumers choose not to allow apps to access their geolocation. So one might think that this InMobi software would be useless for those consumers. On the contrary, InMobi realized they could access geolocation indirectly and still provide value to mobile app developers; InMobi started using data generated when devices connect to WiFi networks, and geolocational data from users who had opted in (i.e., figured out locations of other users by using other similar users’ data). The FTC considered this inference of the user’s location as an improper end-run around. The FTC’s investigation and enforcement against InMobi focused on InMobi’s statements to app developers: “First we take in location data on each user, in the form of user opt-in lat/long signals. Then we add real world context to these signals to figure out what places or businesses the user has visited. Our machine learning algorithms mine for patterns in this location history to identify what these trends mean about the user, from which we can infer what kind of consumer the user is.” The FTC did not consider this statement to be a complete, transparent explanation of how InMobi tracks the app’s users.
After the investigation, the FTC found that InMobi violated the Children’s Online Privacy Protection Act (COPPA) while also accusing InMobi of unfair and deceptive indirect location tracking. The consent decree, however, focused on COPPA and assessed damages only on that violation, while also enjoining InMobi from continuing its geolocation inference system. The FTC did not address the indirect location tracking’s unlawfulness overall.
This means that other app developers and app marketers are now on notice that the FTC considers inferential geolocational tracking to be unlawful (even though the consent decree only addressed monetary assessments under COPPA). After this action, the FTC also warns app developers to consider contractual terms with third party service providers to ensure they do not circumvent consumers’ privacy choices. Certainly sound advice from the FTC.