Ad Platform Faces $2 Million Fine Over COPPA Violation
20 December 2021
The Federal Trade Commission (“FTC“) announced a settlement with OpenX Technologies, Inc. (“OpenX“), an online advertising company, under which OpenX agreed to pay $2 million to the FTC. The settlement resolves the FTC’s claims that the company unlawfully collected personal information from children under 13 without their parents’ permissions, and thereby violated the federal Children’s Online Privacy Protection Act (“COPPA“).
OpenX operates a real-time bidding platform that monetizes websites and mobile applications by selling ad space. According to the complaint, filed by the Department of Justice on behalf of the FTC, the company collected information from mobile applications that include obvious references to children. Such mobile applications contained terms such as “kids games”, “for toddlers” or “for kids” to identify their intended audience, contained graphics that were designed for kids and their age rating showed they were appropriate for children under the age of 13. According to the complaint, OpenX reviewed hundreds of such children directed applications and shared the children’s personal information it collected from them, including location data, IP addresses and unique device identifiers with third parties that used the information to target child audiences.
The COPPA requires that a company that operates online services directed to children, or that has actual knowledge that it is collecting or maintaining personal information from a child under 13 years of age, will obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children. In light of the above, the FTC claimed that OpenX had actual knowledge that the mobile applications in the ad exchange were directed to children under the age of 13, and as no parental consent was collected, the FTC alleged that OpenX had violated the COPPA.
Furthermore, the FTC found that OpenX represented that consumers can opt-out of its collection, use and transfer of precise location data, while in fact, OpenX collected and transferred such data even if consumers did not provide consent or had expressly denied permission to the collection of such location data. The FTC alleged that by misrepresenting its data collection practices, OpenX also violated the FTC Act.
In addition to the $2 million fine, the settlement requires OpenX to delete the data that the company collected in violation of the COPPA and to implement a comprehensive privacy program to ensure that it complies with the COPPA requirements. Such privacy program requires the company to, inter alia, implement policies, procedures and technical measures to ensure that personal information is processed in accordance with the COPPA requirements; re-review participating mobile applications on a periodic basis to identify additional child-directed applications and add them from OpenX’s ad exchange; to create a record of the child-directed applications that it has nabbed or removed from its ad exchange; and to designate an employee that will be responsible for this privacy program.
It should be also noted that the order originally stipulated a $7.5 million penalty against OpenX, but the fine was reduced to $2 million due to the company’s inability to pay.
This enforcement action emphasizes the focus of regulators, such as the FTC, on children’s data protection and the scrutiny of such regulators over advertising platforms in this context.
Please feel free to contact us if you have any questions regarding the implications of this enforcement action on your business.
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation