FTC settles with OpenX Technologies for $2 million for allegedly violating children’s privacy law

The FTC also alleges that OpenX continued to collect geolocation data from some Android users even after they opted out of tracking.

Advertising platform OpenX Technologies will pay the Federal Trade Commission $2 million over allegations that it failed to comply with a federal rule requiring online services to obtain parents’ consent before collecting data about children under the age of 13.

OpenX offers automated ad buying that allows companies to reach a precise audience in real time. The settlement effectively serves as a warning to digital advertising platforms, which funnel massive amounts of data through real-time advertising bids, often with little transparency.

“OpenX secretly collected location data and opened the door to privacy violations on a massive scale, including against children,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Digital advertising gatekeepers may operate behind the scenes, but they are not above the law.”

A complaint from the Department of Justice filed on behalf of the FTC alleges that the company knowingly collected information from hundreds of apps that identified as “for toddlers,” “for kids,” “kids games,” or “preschool learning,” and included age ratings indicating they were aimed at users under 13.


“OpenX has received millions, if not billions of ad requests directly or indirectly from child-directed Apps, and transmitted millions, if not billions, of bid requests containing personal information of children” including location information, according to the complaint.

The FTC also alleges that OpenX violated FTC law by continuing to collect geolocation data from some Android users even after they opted out of tracking.

The order originally stipulated a $7.5 million penalty against OpenX but capped it at $2 million due to the company’s inability to pay.

OpenX called the collection an “unintentional error” in a blog post about the complaint. OpenX claims that “a relatively small number of apps were miscategorized” and that “more than 99% of those domains and apps were appropriately categorized.”

“We have reviewed and bolstered our policies and procedures to make sure we are fully COPPA compliant, and we will continue to follow strict criteria of both qualitative and quantitative attributes to determine a site’s or an app’s suitability for inclusion in our exchange,” the company wrote.


The settlement also requires OpenX to delete all the ad request data the company collected in violation of the federal children’s privacy law, the Children’s Online Privacy Protection Act (COPPA). Members of Congress have in recent months introduced efforts to reform COPPA, which was passed in 1998, including raising the age of protection to 18.

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.
