OpenX to pay $2M for FTC privacy settlement; Google settles over children’s privacy

Julie Rubash, Chief Privacy Counsel
December 20, 2021

USA

OpenX to Pay $2M for FTC Privacy Settlement

OpenX entered into a $2M settlement with the Federal Trade Commission (FTC) over allegations that the advertising platform collected personal information from children under 13 without consent and collected geolocation information from users who asked not to be tracked.

The FTC’s investigation found that OpenX had actual knowledge that apps in its ad exchange were child-directed, based on app store age ratings and labels, and nevertheless collected and passed personal data to third parties for ad targeting, in violation of the Children’s Online Privacy Protection Act.

The FTC further found that, despite statements in its privacy policy representing that consumers could opt out of OpenX’s collection, use and transfer of precise location data by using the location services controls in their mobile device settings, OpenX collected and transferred such data without regard to such settings. The FTC held that these false or misleading statements constituted a deceptive act or practice in violation of the FTC Act.

In addition to the $2 million settlement, OpenX will be subject to a permanent injunction requiring that the company cease collecting personal information from children without parental consent, stop making misrepresentations regarding its privacy practices and consumers' ability to opt out of tracking, obtain consent for collection of location information, implement a comprehensive privacy program and obtain biennial privacy assessments.

WHY IT MATTERS

This case emphasizes the need for advertising platforms to conduct active, ongoing review of not only internal privacy practices, but also the inventory accepted into the ad exchange, to ensure continued compliance with privacy laws and consistency with public representations and policies. In its public statement about the settlement, OpenX admitted “to put it plainly, it was a mistake”.

OpenX stated that they review every site or app that wants to work with them and that “a relatively small number of apps were miscategorized”. As shown by this case, adtech is increasingly under a regulatory microscope, so even small oversights can come at a cost. 

Google Settles with New Mexico AG re Children’s Privacy

In resolution of two actions by New Mexico Attorney General Balderas regarding collection of children’s information, Google has agreed to a $5.5 million settlement, $3.85 million of which will fund a joint initiative to award grants to schools and other children’s programs. The settlement also includes an injunction, requiring Google to implement new policies and measures to prevent collection of personal information from children under 13 by apps available through Google Play.

The new measures, which will take effect after 120 days, will require (among other measures) that app developers identify the targeted age group of their apps, disclose collection of any children’s data, and include a link to the app’s privacy policy on the Google Play Store page.

WHY IT MATTERS

One of the settled claims was based on allegations that Google’s mobile ad platform, AdMob, knowingly facilitated collection of data through apps aimed at children in violation of COPPA and New Mexico state law. The lawsuit was originally filed in 2018 against mobile game developer Tiny Lab Productions, as well as a number of tech companies, including Google, Twitter, Inmobi and AppLovin, that allegedly facilitated the collection and transfer of children’s data without parental consent.

The claims against Twitter, Inmobi and AppLovin were dismissed because there was insufficient evidence to establish actual knowledge that the apps or websites were directed to children, while the claims against Google persisted due to its active review of the content of the apps, which allegedly gave Google actual knowledge.

Although Twitter, Inmobi and AppLovin may have benefited in 2018 from a more blind approach to children’s privacy, the combination of the OpenX case above and Google’s settlement terms, requiring more active labeling and policing, may indicate the increasing difficulty of taking such an approach.

FTC Provides Notice of Privacy Rulemaking Process Consideration

The FTC submitted a public filing with the Executive Office of Management and Budget stating that “The Commission is considering initiating a rulemaking…to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.”

The filing indicates that the rulemaking, titled “Trade Regulation Rule on Commercial Surveillance”, is in its “prerule” stage and that a notice of preliminary rulemaking (ANPRM) is the next action item on the timetable, scheduled for February 2022.

WHY IT MATTERS

Talk of FTC privacy rulemaking to address surveillance and algorithmic decision-making has been circulating from within and outside the FTC over the past several months. President Biden issued an Executive Order in July encouraging the FTC to establish rules on “surveillance and the accumulation of data”. We then saw a whitepaper from FTC Commissioner Rebecca Kelly Slaughter discussing how FTC rulemaking could address harmful outcomes from algorithmic decision-making.

More recently, the Electronic Privacy Information Center (EPIC) submitted comments to the FTC noting that the FTC has a critical role to play in ending “surveillance advertising”, and Accountable Tech, a nonprofit watchdog, filed a petition with the FTC encouraging the agency to prohibit “surveillance advertising” altogether. Alvaro Bedoya, Biden’s nominee to fill the vacant FTC Commissioner seat, has focused his research on the potential harms of algorithmic bias and surveillance technologies, and the potential for privacy rulemaking was a hot topic in his recent confirmation hearing.

California CPPA Releases Public Comments

The California Privacy Protection Agency (CPPA) released public comments that were submitted by various organizations and advocates in response to the CPPA’s invitation for public input as part of its preliminary rulemaking activities under the California Privacy Rights Act (CPRA).

Topics for public comment included cybersecurity audits and risk assessments, automated decision-making, agency audits, consumer rights to delete, correct and know, and consumer rights to opt out of sale / sharing and to limit use of sensitive information.

As a next step, the CPPA will conduct informational hearings to obtain further preliminary public input before beginning formal rulemaking activities. The regulations are expected to be issued by July 1, 2022. 

WHY IT MATTERS

The following are a few anecdotal comments relevant to the digital advertising industry: 

• The Association of Magazine Media requested that the agency consider publisher collection and use of content-related information for the purposes of recommending or highlighting content, creating aggregated segments, and delivering targeted advertising to meet the definition of “short-term, transient use” and therefore not subject to a person’s right to limit use and disclosure of sensitive personal information. They also requested that the delivery of content recommendations and segment-based advertising based on the type of content a person reads or views be excluded from the concept of “inferring characteristics”, which would trigger user rights to limit such use. Finally, they asked for detailed guidance (with visuals) on what the agency considers to be “dark patterns” that would subvert user autonomy in violation of the CPRA. 

• A collection of advertising trade associations (ANA, 4As, IAB, NAI, AAF, and DAA) asked the agency to consider implementing a consensus framework for evaluating whether opt-out preference signals are actually user-enabled, requiring affirmative consumer choice to exercise the right to opt out and choice settings that don’t unfairly advantage certain businesses over others, as well as a jurisdictional tag so that businesses can afford the rights and privileges to consumers that align with their state of residence. 

• Consumer Reports asked for clarification that when a consumer limits the use and disclosure of their sensitive information, it is unlawful to process sensitive data for most secondary uses, including monetization, personalization of advertising, and customization of content based on such data. They also asked for clarification that the sharing opt out applies to retargeting.  

EUROPE

CNIL Issues New Developer Guide re Cookies

The French Data Protection Authority (CNIL) updated its GDPR guide for developers to, among other changes, include a new fact sheet titled “Analyze tracking practices on your sites and applications”, which relates to the application of rules on the use of cookies and other online tracers. The fact sheet lists the types of tracers covered and not covered by the obligation to obtain consent prior to their use and sets out the steps developers must take in practice if tracers covered by the obligations are used.

WHY IT MATTERS

For companies unsure of exactly what the CNIL is looking for with respect to user cookie consent, this guide may be as practical as you can get. It includes a list of exactly what elements should be included in the first and second layer of a consent interface, example images of acceptable interfaces, and a step-by-step guide to what should be done on the back end.

The day after issuing the above guide, the CNIL announced that it had issued thirty new orders to around thirty organizations that do not comply with the CNIL’s cookie requirements. The new round of orders reflected investigations finding that: (1) cookies subject to consent were automatically deposited on the user’s terminal upon arrival on the site, before acceptance by the user; (2) information banners did not allow the user to refuse the deposit of cookies as easily as to accept it; or (3) cookies subject to consent were still deposited after the user expressed refusal. The organizations will be given one month to comply with the orders.

WHY IT MATTERS

This is the CNIL’s third round of notices regarding violations of its cookie rules, bringing the total number of orders from the CNIL on this subject to nearly 90 since May 2021. The CNIL has made clear that its investigation of these violations is an ongoing process, so companies under the CNIL’s authority should take measures to ensure they are in compliance with the CNIL’s cookie rules. With public notices of the CNIL’s investigations and step-by-step guidance on its requirements (see the above submission), the CNIL is taking steps to remove any mystery around its expectations.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
