InMobi, the world's largest mobile advertising network, has agreed to pay a $1.3 million penalty to US consumer watchdog, the Federal Trade Commission (FTC), for collecting the location data of users without consent.
Location data was used to push targeted ads to users' devices. Initially, InMobi claimed that it would only use the geolocation information if the user had consented or opted in to receive targeted ads.
However, the FTC discovered through a technical analysis of InMobi's software development kit that the information was collected by the company even when users had not given permission to do so.
InMobi's software used wi-fi signals to infer locations, and archived the information, the watchdog said in a filed complaint [pdf].
The company picked up the basic and extend service set identifiers (BSSID and ESSID) that are unique to each wi-fi access point along with signal strength and correlated these to latitude and longitude data when available, to build its own geo-order database, the FTC said.
This was done by InMobi on both Google's Android and Apple's iOS platforms until December last year.
InMobi's user tracking took place at a massive scale, as the ad network reached over one billion devices and served up some six billion requests a day.
FTC said the Bangalore-based ad network violated the US Children's Online Privacy Protection Act by collecting the information from apps aimed directly at children despite promises not to do. It must now delete all data collected from children's devices.
InMobi originally faced an A$5.4 million civil penalty, but the FTC took into consideration the company's financial condition and reduced the fine to A$1.3 million.
The company must delete all the data it collected from all users' devices without their permission, and is prohibited from collecting consumers' location without their express consent.
InMobi must also honour location privacy settings in the future, and not misrepresent its privacy practices again.
As part of the settlement with FTC, InMobi is required to institute a comprehensive privacy program that will be independently audited bi-annually for the next two decades.