The United States Federal Trade Commission fined OpenX Ad Exchange $2 Million dollars for violating the Children’s Online Privacy Protection Act Rule (COPPA Rule) which requires parental consent before collecting, using or disclosing personal information of children.
OpenX Ad Exchange
OpenX is a programmatic ad exchange that sells advertising on over 1,200 premium publishers and at least 50,000 mobile apps.
The FTC found that OpenX was in violation of the FTC’s COPPA Rule by knowingly trafficking in the personal data collected from toddlers and other children under 13 years of age and exposing children to behavioral targeting ads in violation of COPPA Rules.
The United States government FTC Commissioner wrote:
“OpenX misrepresented its data collection practices on two fronts: by collecting and transferring location data when the consumer had not provided consent or had expressly denied consent; and by misrepresenting its COPPA-related activities and practices.
The complaint further alleges that OpenX also ran afoul of COPPA itself, by collecting personal information from users of child-directed properties without providing parents notice and then obtaining consent.
…Part XI of the stipulated order requires that OpenX email all its “demandside” clients and inform them that OpenX… failed to adequately comply with COPPA by allowing some child-directed apps to participate in its Ad Exchange, despite its policy of banning child-directed apps from participating.
As a result of this alleged failure, targeted advertising was served to some children without parental notice and consent.”
What exposed OpenX to this finding was the fact that they advertised their ad exchange as having human reviewers performing traffic quality checks.
“According to OpenX, it has the only traffic quality team in the industry that conducts a human review of each property to ensure compliance with OpenX’s policies and to classify accurately the subject matter of all Web sites and Apps for the benefit of its demand-side partners.”
OpenX
OpenX is a programmatic ad exchange company that provides ad serving technology to place ads on websites and real-time bidding for the placement of those ads.
One of the founders of OpenX is Tim Cadogan, formerly Senior Vice President of Global Advertising Marketplaces at Yahoo and is now the CEO of GoFundMe.
COPPA
The Children’s Online Privacy Protection Act is designed to give parents control over the kinds of data that is collected about their children.
The rules apply to websites that are directed to children and sites that have knowledge that they are collecting information from children.
Websites that are directed to toddlers and children under 13 are required to obtain parental permission.
Full COPPA requirements are listed at the FTC.
FTC Accuses OpenX of Selling Ads to Children
According to the FTC, OpenX knowingly sold advertising space on children’s apps to advertisers without flagging that the ads were being shown on apps that were directed to toddlers and other children.
The reason the FTC states that OpenX knowingly sold ads to children is because OpenX markets their ad exchange as having human reviewers in addition to automated reviews.
According to the FTC announcement:
“The FTC’s investigation found that OpenX reviewed hundreds of child-directed apps with terms that identified the intended audience as “for toddlers,” “for kids,” “kids games,” or “preschool learning,” and included age ratings for the apps indicating they were directed to children under 13.
These apps and their data were not flagged as child-directed and participated in the OpenX ad exchange, according to the FTC.
Because OpenX had knowledge that apps in the ad exchange were child-directed and that the company was collecting personal information from children under 13, the FTC alleged that it had violated the COPPA Rule.
OpenX passed this personal data to third parties that used it to target ads to users of the child-directed apps.”
OpenX Violated Users GeoLocation Preferences
In addition to selling advertising to toddlers, OpenX also sold ads based on a site visitor’s geographic location even though they had opted out of geographic targeting.
According to the FTC the violation of users who opted out of geolocation tracking happened on Android phones.
The FTC stated:
“OpenX violated the FTC Act by falsely claiming that the company did not collect geolocation from users who opted out of such data collection, according to the complaint.
In fact, the FTC alleged, OpenX did continue to collect geolocation data from some Android mobile phone users even after they specifically chose not to have such location tracking data collected.”
Citations
Read the FTC OpenX Fine Announcement
Read the Children’s Online Privacy Protection Rule
https://www.ecfr.gov/current/title-16/part-312
Read the Concurring Statement from FTC Commissioner Phillips
Concurring Statement of Commissioner Noah Joshua Phillips (PDF)