FTC sets new standard for mobile app location tracking – indirectly

by Thompson Coburn LLP
Contact

If you have wondered how users' physical locations can be tracked when they use mobile devices, a new white paper explains the process. 

It's actually an FTC complaint, and thus a white paper only indirectly. But everything about the case is indirect. The FTC targeted a company for figuring out geolocation data by an indirect method. The agency then charged the company with indirectly misrepresenting its practices. And the case indirectly lays out important new national standards for how geolocation information may be collected.

In a nutshell, the FTC charged inMobi, a business-to-business mobile advertising provider, with misleading consumers, because while InMobi accurately told its clients (mobile app providers) how it collected and used direct geolocation information, it never explained that when direct geolocation data wasn't available, it used other data to infer a mobile device's location. Since InMobi's app developer clients didn't know that it was inferring customer locations, those clients never told their customers (mobile app users). Subsequently, the customers were misled about how they were being tracked, the FTC claimed.

Taken step by step, the case is a fascinating look at mobile apps, geolocation tracking, and how the FTC sets Internet standards.

The rise of mobile app advertising

InMobi, a Singapore company, is a giant provider of ads seen on mobile apps. Its software allows InMobi to display ads (preferably targeted ads) on those apps, and share ad revenue with each app provider. Data collected from app users is used for the ad targeting. 

Often the best user data is geolocation data, and InMobi offers three categories of ads keyed to customer locations: a "now" suite based on current location, a "conditional" suite based on past customer habits (like frequent airport visits), and a "psychographic" suite based on demographics and activities in the last two months (like affluent users who have visited luxury auto dealers).

Advertisers love targeted advertising for its presumed efficiency and effectiveness, and InMobi has been very successful in ad placement. InMobi described itself as the “world's largest independent mobile advertising company,” which by February 2015 had reached over one billion unique mobile devices, 19% of them devices in North America. It served 6 billion ad requests per day.

Can location tracking be ‘too effective’?

App users have several opportunities to consent to, or to withhold consent to, use of the specific location data that their mobile devices generate. The consent mechanisms and the application program interfaces (APIs) through which this location data is provided to third parties like InMobi, vary between iOS and Android systems. 

InMobi abided by consumer consents as to this direct location data. However, InMobi realized that other available data, generated when devices connect to WiFi networks, could be used to determine locations. Using this data, and its own robust data from the many app users who permitted use of their direct location data, InMobi figured out locations even for users who opted out of location data sharing. 

The ability to infer locations from WiFi data wasn't a secret; it had been spelled out in a 2014 research paper by several French researchers. Nor is it startling that locations can be inferred; the FTC implicitly admitted that even readily available IP addresses can at least narrow down users to a particular city. 

But the FTC considered InMobi's practice an improper end-run around user control over geolocation tracking. Without explicitly saying so, the FTC seemed to classify InMobi's WiFi tracking as simply too effective and too sneaky to be allowed. 

Indirect misleading disclosures

The FTC had a problem in going after InMobi, because InMobi never dealt with mobile device users, only app developers. How could InMobi have deceived app users with whom it never dealt?

Perhaps picking up the spirit of InMobi's focus on indirect means, the FTC alleged that users were indirectly misled. Because InMobi told app developers that it complied with consumer direction on direct location data--but never revealed its indirect location tracking methods--the developers in turn never gave their users the whole story. InMobi's coyness with its app developer customers essentially led to their concealment of key facts from app users, the FTC alleged.

New rules from an inconclusive case

There is one final indirection in the InMobi case. InMobi contested the FTC's allegation that its indirect location tracking was deceptive or unlawful. Nor did it accept the FTC's indirect deception theory.

But in its investigation, the FTC found that InMobi violated the Childrens Online Privacy Protection Act (COPPA). InMobi said it had attempted to exclude any publisher's site or app containing content targeted at children under 13 years of age from interest-based, behavioral advertising, but because of a technical error, that policy was not always correctly implemented. InMobi said it corrected the mistake upon learning of it. 

Ultimately the consent decree focused on the COPPA violation, and assessed damages only on that violation. But it also enjoined InMobi from continuing its geolocation inference system, and required deletion of data developed from that system. InMobi said it "proactively" decided to take this course as a matter of following best practices. 

All other targeted advertising providers and mobile app developers are now on notice, through the InMobi case, that the FTC considers inferential geolocation determinations, at least at the level of sophistication followed by InMobi, to be unlawful — even though that issue was not fully litigated.

Thus, this case of indirect geolocation determination, and indirect misleading of mobile app users, has, indirectly, set a new standard in the important area of mobile app geolocation tracking. 

It is the latest, and one of the most important, in the FTC's recent history of Internet standard setting through complaints and consent judgments.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thompson Coburn LLP | Attorney Advertising

Written by:

Thompson Coburn LLP
Contact
more
less

Thompson Coburn LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.