OpenX Ad Exchange Settles With FTC Over Alleged COPPA and Other Violations
OpenX Technologies recently agreed to pay $2 million to settle FTC allegations that the advertising platform violated the FTC Act and the Children’s Online Privacy Protection Act. OpenX runs a programmatic ad exchange, running a bidding platform that auctions online ad space. The company contracts with publishers who have open ad space as well as ad networks with inventories of ads they are seeking to publish online.
According to the FTC, while OpenX indicated in its privacy policy that users could opt out of having location information collected or used by “using the location service controls in your mobile device’s setting” in fact, it continued to collect and use location information from those who had followed the opt-out process. The FTC argued this was deceptive in violation of Section 5 of the FTC Act.
In addition, according to the FTC, OpenX posted ads on sites that its human quality team identified as child-directed. The FTC complaint indicated that millions (if not billions) of ad requests were received from these sites and aps, and these bid requests contained personal information of children. Ads were then placed on those sites. The FTC found that because of the placement of programmatic ads on these child sites, OpenX needed to have complied with COPPA’s parental notice and consent requirements, since the serving of these ads involved the collection of personal information from children. The FTC found incorrect the standard language OpenX had in its privacy policy. Namely, stating that the company did not “engage in activities that require parental notice or consent” under COPPA.
In addition to the monetary penalty, OpenX has agreed to delete all data that it collected in violation of the COPPA Rule. OpenX has also agreed to implement a comprehensive privacy program to ensure COPPA compliance.
Putting it into Practice: This case serves as a reminder that the FTC will look closely at companies’ underlying technologies and practices when determining privacy compliance, including whether companies are adhering to their stated privacy notice. (In other words, not doing anything the FTC might consider a deceptive practice.) This case is also a reminder that the FTC takes the perspective that the serving of targeted advertising in many circumstances involves the collection of personal information.
