InMobi Settles FTC Charges That Geo-Tracking Advertising Software Collected Consumer and Children’s Private Information in Violation of Federal Law

Plaintiff, the United States of America, acting upon notification and authorization to the Attorney General by the Federal Trade Commission (“Commission”), filed its Complaint for Permanent Injunction, Civil Penalties, and Other Relief (“Complaint”), in this matter, pursuant to Sections 13(b), and 16(a)(1) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §§ 53(b), and 56(a)(1), the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6502(c) and 6505(d), and the Commission’s Children’s Online Privacy Protection Rule (“COPPA Rule”), 16 C.F.R. Part 312. Defendant has waived service of the summons and the Complaint. The parties have been represented by the attorneys whose names appear hereafter. Plaintiff and Defendant stipulate to the entry of this Stipulated Order for Permanent Injunction and Civil Penalty Judgment (“Order”) to resolve all matters in dispute in this action between them.

THEREFORE, IT IS ORDERED as follows:

FINDINGS

1. This Court has jurisdiction over this matter.

2. The Complaint charges that Defendant participated in deceptive acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45, in the tracking of consumers’ locations without providing notice or receiving consent, and regardless of the consumers’ preferences, andin the collection of personal information from children in connection with operating a Web site or online service. The Complaint further charges that Defendant violated the COPPA Rule by failing to provide notice to parents of its information practices, and to obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children.

3. Defendant neither admits nor denies any of the allegations in the Complaint, except as specifically stated in this Order. Only for purposes of this action, Defendant admits the facts necessary to establish jurisdiction.

4. Defendant waives any claim that they may have under the Equal Access to Justice Act, 28 U.S.C. § 2412, concerning the prosecution of this action through the date of this Order, and agree to bear its own costs and attorney fees.

5. Defendant and Plaintiff waive all rights to appeal or otherwise challenge or contest the validity of this Order.

DEFINITIONS

For the purpose of this Order, the following definitions apply:

A. “Child” means an individual under the age of 13.

B. “Collects” or “collection” means, for the purposes of Parts I and II of this Order only, the gathering of any personal information from a child by any means, including but not limited to:

1. Requesting, prompting, or encouraging a child to submit personal information online;
2. Enabling a child to make personal information publicly available in identifiable form; or
3. Passive tracking of a child online.

C. “Covered information” means information from or about an individual consumer including, but not limited to:

1. Personal information; and
2. Location information.

D. “Defendant” means InMobi Pte Ltd., and its subsidiaries and divisions in the UnitedStates, and successors and assigns.

E. “Delete” means, for purposes of Parts I and II of this Order only, to remove personal information such that it is not maintained in retrievable form and cannot be retrieved in the normal course of business.

F. “Disclose or disclosure” means, with respect to personal information:

1. The release of personal information collected by an operator from a child in identifiable form for any purpose, except where an operator provides such information to a person who provides support for the internal operations of the Web site or online service; and
2. Making personal information collected by an operator from a child publicly available in identifiable form by any means, including but not limited to a public posting through the Internet, or through a personal home page or screen posted on a Web site or online service; a pen pal service; an electronic mail service; a message board; or a chat room.
a. For purposes of this definition:
i. “release of personal information” means the sharing, selling, renting, or transfer of personal information to any third party; and
ii. “support for the internal operations of the Web site or online service” means those activities necessary to:
A. maintain or analyze the functioning of the Web site or online service;
B. perform network communications;
C. authenticate users of, or personalize the content on, the Web site or online service;
D. serve contextual advertising on the Web site or online service or cap the frequency of advertising;
E. protect the security or integrity of the user, Web site, or online service;
F. ensure legal or regulatory compliance; or
G. fulfill a request of a child, so long as the information collected for the activities listed in paragraphs (i) through (vii) of this definition is not used or disclosed to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, or for any other purpose.

G. “Internet” means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected worldwide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire, radio, or other methods of transmission.

H. “Location information” means:

1. Information about a consumer’s location that is collected through an application programming interface; or
2. Information about a consumer’s location that is inferred from any other data collected through an application programming interface, including but not limited to Basic Service Set Identifiers (BSSIDs), with the limited exception of Internet Protocol (IP) addresses used to infer location at no greater accuracy than city-level.

I. “Obtaining verifiable consent” means making any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child:

1. Receives notice of the operator’s personal information collection, use, and disclosure practices; and
2. Authorizes any collection, use, and/or disclosure of the personal information.

J. “Online contact information” means an e-mail address or any other substantially similar identifier that permits direct contact with a person online, including but not limited to, an instant messaging user identifier, a voice over internet protocol (VOIP) identifier, or a video chat user identifier.

K. “Operator” means any person who operates a Web site located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such Web site or online service, or on whose behalf such information is collected or maintained, or offers products or services for sale through that Web site or online service, where such Web site or online service is operated for commercial purposes involving commerce among the several States, or with one or more foreign nations; in any territory of the United States or in the District of Columbia, or between any such territory and another such territory or any State or foreign nation; or between the District of Columbia and any State, territory, or foreign nation.

L. “Parent” includes a legal guardian.

M. “Person” means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity.

N. “Personal information” means individually identifiable information about an individual collected online, including:

1. A first and last name;
2. A home or other physical address including street name and name of a city or town;
3. Online contact information;
4. A screen or user name where it functions in the same manner as online contact information;
5. A telephone number;
6. A Social Security number;
7. A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or a unique device identifier.
8. A photograph, video, or audio file where such file contains a child’s image or voice;
9. Geolocation information sufficient to identify street name and name of a city or town; or
10. Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.

O. “Software development kit” shall mean the code necessary to integrate Defendant’s advertisements in an application, Web site, or other online service.

P. “Third party” means any person who is not:

1. An operator with respect to the collection or maintenance of personal information on the Web site or online service; or
2. A person who provides support for the internal operations of the Web site or online service and who does not use or disclose information protected under 16 C.F.R. Part 312 for any other purpose.

Q. “Web site or online service directed to children” means a commercial Web site or online service, or portion thereof, that is targeted to children.

1. In determining whether a Web site or online service, or a portion thereof, is directed to children, the Commission will consider its subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition, and evidence regarding the intended audience.
2. A Web site or online service shall be deemed directed to children when it has actual knowledge that it is collecting personal information directly from users ofanother Web site or online service directed to children.
3. A Web site or online service that is directed to children under the criteria set forth in paragraph (1) of this definition, but that does not target children as its primary audience, shall not be deemed directed to children if it:
a. Does not collect personal information from any visitor prior to collecting age information; and
b. Prevents the collection, use, or disclosure of personal information from visitors who identify themselves as under age 13 without first complying with the notice and parental consent provisions of 16 C.F.R. Part 312.
4. A Web site or online service shall not be deemed directed to children solely because it refers or links to a commercial Web site or online service directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link.

ORDER

I. INJUNCTION CONCERNING COLLECTION OF PERSONAL INFORMATION FROM CHILDREN

IT IS ORDERED that Defendant and Defendant’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with being an operator of any Web site or online service directed to children or of any Web site or online service with actual knowledge that it is collecting or maintaining personal information from a child, are hereby permanently restrained and enjoined from violating the Children’s Online Privacy Protection Rule, 16 C.F.R. Part 312, including, but not limited to:

A. failing to make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives direct notice of Defendant’s practices with regard to the collection, use, or disclosure of personal information from children, including notice of any material change in the collection, use, or disclosure practices to which the parent has previously consented;

B. failing to post a prominent and clearly labeled link to an online notice of its information practices with regard to children, if any, on the home or landing page or screen of its Web site or online service, and at each area of the Web site or online service where personal information is collected from children; and

C. failing to obtain verifiable parental consent before any collection, use, or disclosure of personal information from children, including consent to any material change in the collection, use, or disclosure practices to which the parent has previously consented.

A copy of the Children’s Online Privacy Protection Rule, 16 C.F.R. Part 312, is attached hereto as Appendix A.

II. INJUNCTION CONCERNING DELETION OF CHILDREN’SPERSONAL INFORMATION

IT IS FURTHER ORDERED that Defendant, Defendant’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, are permanently restrained and enjoined from:

A. disclosing, using, or benefitting from personal information collected from children which Defendant obtained prior to entry of this Order; and

B. failing to destroy personal information collected from children that is in their possession, custody, or control within ten (10) days after entry of this Order. Provided, however, that such personal information need not be disposed of, and may be disclosed, to the extent requested by a government agency or required by law, regulation, or court order.

III. MONETARY JUDGMENT FOR CIVIL PENALTY

IT IS FURTHER ORDERED that:

A. Judgment in the amount of four million dollars ($4,000,000) is entered in favor of Plaintiff against Defendant as a civil penalty.

B. Defendant is ordered to pay to Plaintiff, by making payment to the Treasurer of the United States, three hundred thousand dollars ($300,000), within seven (7) days of entry of this Order, followed by payment of six hundred fifty thousand dollars ($650,000) in two (2) equal installments of three hundred twenty five thousand dollars ($325,000), plus interest computed from the date of entry of this Order, due within six (6) months and twelve (12) months, respectively, of the date of entry of this Order. Defendant shall make all payments required by this paragraph by electronic fund transfer in accordance with instructions previously provided by a representative of Plaintiff. Upon such payments, the remainder of the judgment is suspended, subject to the Subparts below.

C. The Commission’s and Plaintiff’s agreement to this suspension of part of the judgment is expressly premised upon the truthfulness, accuracy, and completeness of Defendant’s sworn financial statement and related documents (collectively, “financial representations”) submitted to the Commission, namely: the Financial Statement of Defendant signed by Abhay Singhal on March 28, 2016, including the attachments.

D. The suspension of the judgment will be lifted as to Defendant if, upon motion by the Commission or Plaintiff, the Court finds that Defendant failed to disclose any material asset, materially misstated the value of any asset, or made any other material misstatement or omission in the financial representations identified above.

E. If the suspension of the judgment is lifted, the judgment becomes immediately due as to Defendant in the amount specified in Subpart A above which the parties stipulate only for purposes of this Part represents the amount of the civil penalty for the violations alleged in the Complaint, less any payment previously made pursuant to this Part, plus interest computed from the date of entry of this Order.

IV. ADDITIONAL MONETARY PROVISIONS

A. Defendant relinquishes dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.

B. The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission, including in a proceeding to enforce its rights to any payment or monetary judgment pursuant to this Order.

C. Defendant acknowledges that its Taxpayer Identification Number, which Defendant must submit to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.

V. INJUNCTION REGARDING MISREPRESENTING PRACTICES RELATING TO INFORMATION PRIVACY

IT IS FURTHER ORDERED that Defendant, Defendant’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, are permanently restrained and enjoined from misrepresenting in any manner, expressly or by implication, the extent to which they maintain and protect the privacy, confidentiality, security, or integrity of covered information, including but not limited to:

A. Defendant’s practices with respect to personal information collected from children, including Defendant’s collection, use, disclosure, and deletion practices;

B. the extent to which Defendant collects or infers consumers’ location information; or

C. the extent to which Defendant obtains consumers’ consent for the collection of covered information, including opt-in consent.

VI. INJUNCTION REGARDING CONSENT FOR COLLECTION OR INFERENCE OF LOCATION INFORMATION

IT IS FURTHER ORDERED that Defendant, Defendant’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, are permanently restrained and enjoined from collecting or inferring location information without first confirming that:

A. the consumer has provided affirmative express consent for the collection of location information to the application, Web site, or other online service that has integrated Defendant’s software development kit;

B. the consumer has not expressed, through any operating system, device, browser, or application permission or setting, that the consumer does not consent to, or revokes consent to, the collection of location information; and

C. the consumer has not expressed, through any operating system, device, browser, or application permission or setting, that the consumer’s consent to the collection of location information is limited to a level of accuracy that is less precise than the location information that is to be collected or inferred by Defendant.

VII. INJUNCTION REGARDING DELETION OF LOCATION INFORMATION

IT IS FURTHER ORDERED that Defendant, Defendant’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, are permanently restrained and enjoined from:

A. disclosing, using, or benefitting from location information that was collected or inferred prior to entry of this Order without meeting the requirements of Part VI of this Order; and

B. failing to destroy location information that was collected or inferred prior to entry of this Order without meeting the requirements of Part VI of this Order that is in their possession, custody, or control within ten (10) days after entry of this Order. Provided, however, that such location information need not be disposed of, and may be disclosed, to the extent requested by a government agency or required by law, regulation, or court order.

VIII. COMPREHENSIVE PRIVACY PROGRAM REQUIREMENT

IT IS FURTHER ORDERED that Defendant, whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, in or affecting commerce, shall, no later than the date of service of this Order, establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to: (1) address privacy risks related to the development and management of new and existing products and services and (2) protect the privacy and confidentiality of covered information. Such program, the content and implementation of which must be fully documented in writing, shall contain privacy controls and procedures appropriate to Defendant’s size and complexity, the nature and scope of Defendant’s activities, and the sensitivity of the covered information, including:

A. the designation of an employee or employees to coordinate and be responsible for the privacy program;

B. the identification of reasonably foreseeable, material risks, both internal and external, that could result in the Defendant’s unauthorized collection, use, or disclosure of covered information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management, including training on the requirements of this Order; and (2) product design, development, and research;

C. the design and implementation of reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment, and regular testing or monitoring of the effectiveness of those privacy controls and procedures;

D. the development and use of reasonable steps to select and retain service providers capable of appropriately protecting the privacy of covered information they receive from Defendant, and requiring service providers by contract to implement and maintain appropriate privacy protections; and

E. the evaluation and adjustment of Defendant’s privacy program in light of the results of the testing and monitoring required by Subpart C, any material changes to Defendant’s operations or business arrangements, or any other circumstances that Defendant knows or has reason to know may have a material impact on the effectiveness of its privacy program.

IX. PRIVACY PROGRAM ASSESSMENT REQUIREMENT

IT IS FURTHER ORDERED that, in connection with its compliance with Part VIII of this Order, Defendant shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. The reporting period for the Assessments shall cover: (1) the first year after service of the Order for the initial Assessment; and (2) each two (2) year period thereafter for twenty (20) years after service of the order for biennial Assessments.

A. Each Assessment shall:

1. set forth the specific privacy controls that Defendant has implemented and maintained during the reporting period;
2. explain how such privacy controls are appropriate to Defendant’s size and complexity, the nature and scope of Defendant’s activities, and the sensitivity of the covered information collected from or about consumers;
3. explain how the privacy controls that have been implemented meet or exceed the protections required by Part VIII of this Order; and
4. certify that Defendant’s privacy program is operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the program has so operated throughout the reporting period.

B. Each Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies by a person that has a minimum of three (3) years of experience in the field of privacy and data protection. All persons conducting such Assessments and preparing such reports shall be approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Ave. NW, Washington D.C. 20580, in his or her sole discretion.

C. Defendant shall provide the initial Assessment by overnight courier (not the U.S. Postal Service) to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Ave. NW, Washington D.C. 20580, or by email to Debrief@ftc.gov, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by Defendant until the Order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request. The subject line must begin: United States v. InMobi Pte Ltd.

X. ORDER ACKNOWLEDGMENTS

IT IS FURTHER ORDERED that Defendant obtain acknowledgments of receipt of this Order:

A. Defendant, within seven (7) days of entry of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.

B. For twenty (20) years after entry of this Order, Defendant must deliver a copy of this Order to: (1) all principals, officers, and directors, and managers of Defendant and of its subsidiaries and divisions in the United States; (2) all employees, agents, and representatives having responsibilities relating to the collection, retention, storage, or security of covered information and all employees, agents, and representatives having responsibilities related to the operation of any website or online service subject to this Order; and (3) any business entity resulting from any change in structure as set forth in the Part titled Compliance Reporting. Delivery must occur within seven (7) days of entry of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.

C. From each individual or entity to which Defendant delivers a copy of this Order, Defendant must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.

XI. COMPLIANCE REPORTING

IT IS FURTHER ORDERED that Defendant make timely submissions to the Commission:

A. One hundred eighty (180) days after entry of this Order, Defendant must submit a compliance report, sworn under penalty of perjury. In such report, Defendant must:

1. identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission and Plaintiff may use to communicate with Defendant;
2. identify all of Defendant’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses;
3. describe the activities of each such business, including the goods and services offered, the means of advertising, marketing, and sales;
4. describe in detail whether and how Defendant is in compliance with each Part of this Order;
5. provide a copy of each different version of any privacy notice posted on each Web site or online service operated by Defendant or otherwise communicated to parents of children from whom Defendant collects personal information;
6. provide a statement setting forth in detail any methods used to obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children or the methods used to avoid collecting, using, and/or disclosing personal information from children;
7. provide a statement setting forth in detail the means provided for parents to review any personal information collected from their children and to refuse to permit its further use or maintenance;
8. provide a statement setting forth in detail why each type of information collected from a child is reasonably necessary for the provision of the particular related activity;
9. provide a statement setting forth in detail the procedures used to protect the confidentiality, security, and integrity of personal information collected from children; and
10. provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.

B. For twenty (20) years after entry of this Order, Defendant must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in: (a) any designated point of contact; or (b) the structure of Defendant or any entity that Defendant has any ownership interest in or control directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.

C. Defendant must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Defendant within fourteen (14) days of its filing.

D. Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.

E. Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.

The subject line must begin: United States v. InMobi Pte Ltd.

XII. RECORDKEEPING

IT IS FURTHER ORDERED that Defendant must create certain records for twenty (20) years after entry of the Order, and retain each such record for five (5) years. Specifically, Defendant must create and retain the following records:

A. all records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission;

B. copies of all consumer complaints relating to Defendant’s collection of covered information or personal information, and any response; and

C. a copy of each materially different version of any software development kit Defendant makes available to developers, and any associated documentation or instructions.

XIII. COMPLIANCE MONITORING

IT IS FURTHER ORDERED that, for the purpose of monitoring Defendant’s compliance with this Order:

A. Within fourteen (14) days of receipt of a written request from a representative of the Commission or Plaintiff, Defendant must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce documents for inspection and copying. The Commission and Plaintiff are also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.

B. For matters concerning this Order, the Commission and Plaintiff are authorized to communicate directly with Defendant. Defendant must permit representatives of the Commission and Plaintiff to interview any employee or other person affiliated with Defendant who has agreed to such an interview. The person interviewed may have counsel present.

C. The Commission and Plaintiff may use all other lawful means, including posing, through its representatives as consumers, suppliers, or other individuals or entities, to Defendant or any individual or entity affiliated with Defendant, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57(b)-1.

XIV. RETENTION OF JURISDICTION

IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.