OpenX to pay $2M for FTC privacy settlement; Google settles over children’s privacy
December 20, 2021
OpenX entered into a $2M settlement with the Federal Trade Commission (FTC) over allegations that the advertising platform collected personal information from children under 13 without consent and collected geolocation information from users who asked not to be tracked.
The FTC’s investigation found that OpenX had actual knowledge that apps in its ad exchange were child-directed, based on app store age ratings and labels, and nevertheless collected and passed personal data to third parties for ad targeting, in violation of the Children’s Online Privacy Protection Act.
In addition to the $2 million settlement, OpenX will be subject to a permanent injunction requiring that the company cease collecting personal information from children without parental consent, stop making misrepresentations regarding its privacy practices and consumers’ ability to opt out of tracking, obtain consent for collection of location information, implement a comprehensive privacy program, and obtain biennial privacy assessments.
WHY IT MATTERS
This case emphasizes the need for advertising platforms to conduct active, ongoing review of not only internal privacy practices, but also the inventory accepted into the ad exchange, to ensure continued compliance with privacy laws and consistency with public representations and policies. In its public statement about the settlement, OpenX admitted “to put it plainly, it was a mistake”.
OpenX stated that they review every site or app that wants to work with them and that “a relatively small number of apps were miscategorized”. As shown by this case, adtech is increasingly under a regulatory microscope, so even small oversights can come at a cost.
In resolution of two actions by New Mexico Attorney General Balderas regarding collection of children’s information, Google has agreed to a $5.5 million settlement, $3.85 million of which will fund a joint initiative to award grants to schools and other children’s programs. The settlement also includes an injunction, requiring Google to implement new policies and measures to prevent collection of personal information from children under 13 by apps available through Google Play.
WHY IT MATTERS
One of the settled claims was based on allegations that Google’s mobile ad platform, AdMob, knowingly facilitated collection of data through apps aimed at children in violation of COPPA and New Mexico state law. The lawsuit was originally (in 2018) filed against mobile game developer Tiny Lab Productions, as well as a number of tech companies, including Google, Twitter, Inmobi and AppLovin, that allegedly facilitated the collection and transfer of children’s data without parental consent.
The claims were dismissed against Twitter, Inmobi and AppLovin, because there was insufficient evidence to establish actual knowledge that the apps or websites were directed to children, while Google’s claims persisted due to its active review of the content of the apps, which allegedly gave Google actual knowledge.
Although Twitter, Inmobi and AppLovin may have benefited in 2018 from a more blind approach to children’s privacy, the combination of the OpenX case above and Google’s settlement terms, requiring more active labeling and policing, may indicate the increasing difficulty of taking such an approach.
The FTC submitted a public filing with the Executive Office of Management and Budget stating that “The Commission is considering initiating a rulemaking…to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.”
The filing indicates that the rulemaking, titled “Trade Regulation Rule on Commercial Surveillance”, is in its “prerule” stage and that a notice of preliminary rulemaking (ANPRM) is the next action item on the timetable, scheduled for February 2022.
WHY IT MATTERS
Talk of FTC privacy rulemaking to address surveillance and algorithmic decision-making has been circulating from within and outside the FTC over the past several months. President Biden issued an Executive Order in July encouraging the FTC to establish rules on “surveillance and the accumulation of data”. We then saw a whitepaper from FTC Commissioner Rebecca Kelly Slaughter discussing how FTC rulemaking could address harmful outcomes from algorithmic decision-making.
More recently, the Electronic Privacy Information Center (EPIC) submitted comments to the FTC noting that the FTC has a critical role to play in ending “surveillance advertising”, and Accountable Tech, a nonprofit watchdog, filed a petition with the FTC encouraging the agency to prohibit “surveillance advertising” altogether. Alvaro Bedoya, Biden’s nominee to fill the vacant FTC Commissioner seat, has focused his research on the potential harms of algorithmic bias and surveillance technologies, and the potential for privacy rulemaking was a hot topic in his recent confirmation hearing.
The California Privacy Protection Agency (CPPA) released public comments that were submitted by various organizations and advocates in response to the CPPA’s invitation for public input as part of its preliminary rulemaking activities under the California Privacy Rights Act (CPRA).
Topics for public comment included cybersecurity audits and risk assessments, automated decision-making, agency audits, consumer rights to delete, correct and know, and consumer rights to opt out of sale / sharing and to limit use of sensitive information.
As a next step, the CPPA will conduct informational hearings to obtain further preliminary public input before beginning formal rulemaking activities. The regulations are expected to be issued by July 1, 2022.
WHY IT MATTERS
The following are a few anecdotal comments relevant to the digital advertising industry:
• The Association of Magazine Media requested that the agency consider publisher collection and use of content-related information for the purposes of recommending or highlighting content, creating aggregated segments, and delivering targeted advertising to meet the definition of “short-term, transient use” and therefore not subject to a person’s right to limit use and disclosure of sensitive personal information. They also requested that the delivery of content recommendations and segment-based advertising based on the type of content a person reads or views be excluded from the concept of “inferring characteristics”, which would trigger user rights to limit such use. Finally, they asked for detailed guidance (with visuals) on what the agency considers to be “dark patterns” that would subvert user autonomy in violation of the CPRA.
• A collection of advertising trade associations (ANA, 4As, IAB, NAI, AAF, and DAA) asked the agency to consider implementing a consensus framework for evaluating whether opt-out preference signals are actually user-enabled, requiring affirmative consumer choice to exercise the right to opt out and choice settings that don’t unfairly advantage certain businesses over others, as well as a jurisdictional tag so that businesses can afford the rights and privileges to consumers that align with their state of residence.
• Consumer Reports asked for clarification that when a consumer limits the use and disclosure of their sensitive information, it is unlawful to process sensitive data for most secondary uses, including monetization, personalization of advertising, and customization of content based on such data. They also asked for clarification that the sharing opt out applies to retargeting.
WHY IT MATTERS
For companies unsure of exactly what the CNIL is looking for with respect to user cookie consent, this guide may be as practical as you can get. It includes a list of exactly what elements should be included in the first and second layer of a consent interface, example images of acceptable interfaces, and a step-by-step guide to what should be done on the back-end.
The day after issuing the above guide, the CNIL announced that it has issued thirty new orders to around thirty organizations that do not comply with the CNIL’s cookie requirements. The new round of orders followed investigations finding that: (1) cookies subject to consent were automatically deposited on the user’s terminal before acceptance by the user, upon arrival on the site; (2) information banners do not allow the user to refuse the deposit of cookies as easily as to accept it; or (3) cookies subject to consent are still deposited after refusal expressed by the user. The organizations will be given one month to comply with the orders.
WHY IT MATTERS
This is the CNIL’s third round of notices regarding violations of its cookie rules, bringing the total number of orders from the CNIL on this subject to nearly 90 since May 2021. The CNIL has made clear that its investigation of these violations is an ongoing process, so companies under the CNIL’s authority should take measures to ensure they are in compliance with the CNIL’s cookie rules. With public notices of the CNIL’s investigations and step-by-step guidance on its requirements (see the above submission), the CNIL is taking steps to remove any mystery around its expectations.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.