On December 15, 2021, the Federal Trade Commission announced the settlement of a complaint brought by the US Department of Justice against OpenX Technologies, Inc., an online advertising platform headquartered in California. According to the stipulated settlement, OpenX operates an advertising exchange – a real-time bidding platform that helps publishers of websites and mobile phone applications to monetize their products via advertisements. OpenX contracts with online publishers, whose websites and applications transmit requests to OpenX for advertisements; OpenX also contracts with advertising aggregators who sell advertising inventory, and send ad requests to the OpenX exchange.
The complaint alleges that OpenX collected precise location data (the basic service set identifier or BSSID) from consumers who had opted out of OpenX’s collection, use, or transfer of their location data, or who had not given consent thereto. OpenX collected the information through a backdoor method from 2012 to 2018, and continued to do so after receiving a warning that its practices violated the Device and Network Abuse Policy of a major search engine. OpenX’s practice caused publishers of websites and mobile applications to provide incorrect information to consumers about their privacy practices. According to the FTC, by misrepresenting its data collection practices and collecting consumer location data without the consumer’s consent, OpenX violated Section 5(a) of the Federal Trade Commission Act, 15 USC § 45(a).
The complaint alleges, furthermore, that OpenX employs traffic quality analysts to conduct a human review of the websites and applications that send ad requests to its ad exchange. Their role is to identify restricted content such as pornography, to categorize the sites by subject matter, and to determine whether they are directed at children. OpenX’s policy requires the traffic quality analysts to flag child-directed applications so that these can be excluded from participation in the ad exchange. Nevertheless, the company failed to flag hundreds of children’s applications for exclusion from the ad exchange, despite having actual knowledge that the applications were child-directed. This failure resulted in the collection and transmission of children’s personal information on millions of occasions, without parental consent, and without providing the notices required by law. OpenX’s conduct with regard to children allegedly violated Sections 1303(c) and 1306(d) of the Children’s Online Privacy Protection Act (COPPA), 15 USC §§ 6502(c) and 6505(d), and the Children’s Online Privacy Protection Rule, 16 CFR Part 312. The COPPA Rule requires operators to provide notice, and to obtain parental consent before collecting, using or disclosing the personal information of children. By falsely representing that it does not engage in activities that require parental consent pursuant to COPPA, OpenX also violated the deceptive practices provision of Section 5(a) of the FTC Act, according to the complaint.
The order issued by the US District Court for the Central District of California with the consent of OpenX and the FTC permanently enjoins OpenX from further violation of the COPPA Rule and from misrepresenting the extent to which it collects personal information, protects consumer privacy, and complies with the COPPA Rule. The order also enjoins the company from using its backdoor software to collect location information without obtaining the consumer’s express consent, and requires the company to delete all ad request data collected prior to the entry of the order. OpenX has also agreed to implement a comprehensive privacy program, including written documentation of implementation and maintenance of the program under the supervision of the company’s board of directors. The privacy program must entail an annual risk assessment, and the company must designate qualified employees to coordinate the program. The company must, furthermore, implement safeguards against identified risks, including annual employee and contractor training. OpenX must create a log of child-directed applications to be excluded from the ad exchange, and must provide annual certification of compliance with provisions of the court’s order. The company must also engage an independent third-party professional to assess its compliance biennially. Finally, the court imposed a $7.5 million civil penalty on OpenX; upon payment of $2 million of this amount, the remainder of the fine will be suspended, provided that the company cooperates with, and is not found to have made false representations in connection with, the FTC’s investigation.