Connect with us

Hi, what are you looking for?


Privacy & Compliance

Ad Network InMobi Settles FTC Charges Over Location Tracking

Singapore-based mobile ad network InMobi will pay $950,000 after it was charged by the U.S. Federal Trade Commission (FTC) for tracking the location of millions of users without their consent.

Singapore-based mobile ad network InMobi will pay $950,000 after it was charged by the U.S. Federal Trade Commission (FTC) for tracking the location of millions of users without their consent.

According to the FTC, InMobi told users that their location would only be tracked if they opted in, but in reality consumers were tracked even if apps using the company’s software had not requested permission to do so. Moreover, the software tracked their location even if they specifically denied access to location data.

InMobi, whose advertising network has reached over one billion devices through thousands of popular applications, allows its customers to serve location-based ads. This service relied on geolocation information collected from individuals who offered consent, but it also leveraged the data to determine the physical location of the wireless networks they had been using. By knowing the location of the wireless networks, the company could track users who had disabled location features on their devices based on the networks they were near.

The FTC also accused InMobi of violating the Children’s Online Privacy Protection Act (COPPA) by collecting location data from apps designed for children.

“InMobi tracked the locations of hundreds of millions of consumers, including children, without their consent, in many cases totally ignoring consumers’ express privacy preferences,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “This settlement ensures that InMobi will honor consumers’ privacy choices in the future, and will be held accountable for keeping their privacy promises.”

InMobi should have received a $4 million penalty for its deceptive practices, but the FTC agreed to lower the amount to $950,000 due to the company’s finances. In addition to paying the penalty, the mobile ad network will also have to delete all the information it collected from children and adults who did not offer consent, and implement a privacy program that will undergo independent audits every two years over the next two decades.

Contacted by SecurityWeek, InMobi has provided the following statement:

With best intentions to adhere to COPPA requirements, InMobi implemented a process to exclude any publisher’s site or app identified as a COPPA app from interest-based, behavioral advertising. During the investigation by FTC, InMobi discovered that there was a technical error at InMobi’s end that led to the process not being correctly implemented in all cases. As a result, some COPPA sites were served with interest-based campaigns on the InMobi Network. InMobi promptly notified the FTC of this issue as soon as it was discovered and has made it clear from the outset that this was by no way means deliberate. Any family safe ads that may have formed part of targeted campaigns would have been undertaken to target the adult owner of the device.


Advertisement. Scroll to continue reading.

In certain instances, InMobi has inferred user location through the Wifi identifier as part of the SDK integration with publisher apps without express election by an user. While InMobi was not fined by the FTC for this practice, to implement best practices, going forward InMobi will only use WiFi information when serving location based targeted advertising campaigns when an app user has authorized the app to collect and transmit the same. The errors were corrected in Q4 2015, and since then, InMobi has been fully compliant with all COPPA regulations. InMobi operates across several countries and continents, and intend to adhere to the best practices related to the data and privacy requirements of all the countries.

*Updated with statement from InMobi

Related Reading: Oracle Settles FTC Charges Over Java Security Updates

Related Reading: Asus Settles FTC Charges Over Router Security

Related Reading: Identity Theft Security Firm Fined $100 Million for Lapses

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

Joe Levy has been appointed Sophos' permanent CEO, and Jim Dildine has been named the company's CFO.

CISA executive assistant director for cybersecurity Eric Goldstein is leaving the agency after more than three years.

More People On The Move

Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.


The PCI Security Standards Council (SSC), the organization that oversees the Payment Card Industry Data Security Standard (PCI DSS), this week announced the release...

Application Security

Security researchers at Google’s Project Zero have picked apart one of the most notorious in-the-wild iPhone exploits and found a never-before-seen hacking roadmap that...