Ad exchange OpenX slapped with FTC fine for collecting location data on children

OpenX, an advertising tech company, will pay $2 million to the U.S. Federal Trade Commission to settle allegations that the company violated federal children’s privacy law.

In a complaint filed in the U.S. District Court for the Central District of California, the FTC alleges that OpenX violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children under 13 without obtaining parental consent.

The California-based company is also accused of knowingly collecting information from hundreds of apps marketed for children, toddlers and for preschool learning, before passing this data — including granular location data, IP addresses and unique device identifiers — to third parties that used the data for targeted advertising.

“OpenX has received millions, if not billions of ad requests directly or indirectly from child-directed apps, and transmitted millions, if not billions, of bid requests containing personal information of children,” the complaint read.

In addition to violating COPPA, the FTC’s complaint alleges that OpenX also violated the FTC Act by falsely claiming that it did not collect granular location from users who opted out of such data collection. Rather, OpenX continued to collect location data from some Android users even after they specifically chose not to have such location tracking data collected, according to the FTC.

“OpenX secretly collected location data and opened the door to privacy violations on a massive scale, including against children,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Digital advertising gatekeepers may operate behind the scenes, but they are not above the law.”

In a separate statement, FTC Commissioner Noah Joshua Phillips said that the order originally stipulated a $7.5 million penalty against OpenX, but the fine was reduced to $2 million due to the company’s inability to pay. The settlement also requires the company to delete all of the ad request data it collected to serve targeted ads and to implement a comprehensive privacy program to ensure it fully complies with COPPA.

OpenX did not immediately respond to our request for comment, but in a blog post addressing the settlement it called the data collection an “unintentional error”, adding that an internal review showed that “more than 99% of domains and apps were appropriately categorized.”

“We have reviewed and bolstered our policies and procedures to make sure we are fully COPPA compliant, and we will continue to follow strict criteria of both qualitative and quantitative attributes to determine a site’s or an app’s suitability for inclusion in our exchange,” the company wrote.