• by Wendy Davis  @wendyndavis, December 16, 2021

Ad-tech company OpenX will pay $2 million to settle accusations that it violated the federal children's privacy law by collecting personal data from children under the age of 13, the Federal Trade Commission said this week.

The settlement resolves a complaint alleging the company gathered geolocation data and persistent identifiers from users of apps with that were obviously directed at young children, including apps that included phrases like “for toddlers,” “for kids,” “kids games,” and “preschool learning,” in either the apps' names or the developers' names.

The Children's Online Privacy Protection Act prohibits online companies from knowingly collecting personal data -- including geolocation data and some types of pseudonymous information, such as device identifiers -- from children 12 and under without parental permission.

The FTC alleged that OpenX had “actual knowledge” that the apps were aimed at young children, because the company boasts that it “conducts a human review of each web site or app that sends ad requests,” in order to ensure compliance with its policies, and accurately classify the apps' subject matter.

“Notwithstanding OpenX’s policies and procedures, hundreds of child-directed Apps that OpenX reviewed were not flagged as child-directed and have participated in the OpenX Ad Exchange,” the FTC alleged in a complaint unveiled Wednesday. “OpenX had actual knowledge that these apps were child-directed based on its human review of the apps.”

In addition to alleging that OpenX violated children's privacy rules, the FTC also said the company collected precise geolocation data from consumers who had opted out, in violation of its privacy policy.

“Contrary to OpenX’s statements, OpenX collected precise location data ... from consumers who opted out of such collection,” the FTC alleged.

The agency added that OpenX used a “backdoor” method to retrieve that data in circumstances where consumers had attempted to prevent sharing.

OpenX allegedly transmitted that data to “numerous third parties, including location data brokers, advertisers, advertising agencies, and advertising networks,” the complaint alleges.

“As a result of OpenX’s practices, publishers provided incorrect information to consumers regarding their apps’ privacy practices,” the FTC added.

In addition to the $2 million fine, the settlement agreement prohibits OpenX from collecting location data without opt-in consent. Other terms include requirements to delete all “ad request” data it collected to serve targeted ads, implement a privacy program, and review apps periodically.

OpenX said in a blog post it had inadvertently collected the location-related data -- a wireless network identifier -- from Android users. The company added that after it was alerted to the situation, it updated its software and stopped collecting the data. OpenX also said it never used the wireless network identifier to derive location.

The company also said that any data collection from children was the result of “unintentional error.”

“In general, we believe we have executed exceptionally well, having reviewed more than 100,000 individual domains and 50,000 individual apps over the years.

More than 99% of those domains and apps were appropriately categorized during our review process. In this situation, however, a relatively small number of apps were miscategorized,” the company stated.