Earlier today, the Federal Trade Commission announced that the agency and OpenX have reached a settlement based on the findings of an investigation into some of our data collection and ad serving processes.
We take this matter incredibly seriously, and since we have always held ourselves to the highest quality standards, we thought it would be helpful to provide some context and background about what happened and what we have done about it.
In October 2018, OpenX was informed by Google that we were inadvertently collecting a wireless network identifier, known as BSSID, from Android users. Once we were alerted to the situation, and since this was not our intent, we immediately and proactively updated our Android SDK and stopped collecting BSSID. OpenX never used the BSSID to derive location.
Around that time, the FTC decided to initiate its own examination of OpenX’s business practices, and, in doing so, raised questions with a very small percentage of our ad requests that came from apps that were directed at kids. This was contrary to our policy and did not adequately comply with the Children’s Online Privacy Protection Act, also known as COPPA.
So, how did this happen?
To put it plainly, it was a mistake. OpenX has strict rules and processes in place to ensure that we comply with COPPA. In this situation, an unintentional error was made.
The quality of our exchange has been a pillar of OpenX since the founding of the company in 2008, and we review every site or app that wants to work with us. We set up our business this way because we believe the best way to maintain our high standards is to be directly involved in approving publishers.
In general, we believe we have executed exceptionally well, having reviewed more than 100,000 individual domains and 50,000 individual apps over the years. More than 99% of those domains and apps were appropriately categorized during our review process. In this situation, however, a relatively small number of apps were miscategorized.
OpenX going forward
We have reviewed and bolstered our policies and procedures to make sure we are fully COPPA compliant, and we will continue to follow strict criteria of both qualitative and quantitative attributes to determine a site’s or an app’s suitability for inclusion in our exchange. We also have supplemented our efforts with technology that can review and filter more than 200 billion requests every day, while classifying millions of unique creatives to ensure we meet the high ad quality expectations of ourselves and our premium publishers.
We are also bolstering our comprehensive data privacy program to ensure that we are complying with all applicable data privacy laws and meeting our own high standards. Additionally, when we made the decision to move our entire tech infrastructure to the Google Cloud Platform in 2019, one of the driving factors was the access it gives us to Google’s security measures, which we believe are the best in the industry for data protection.
Finally – for the past six years, we have had outside auditors review our business operations and continuously evaluate our practices around data security and malware. We’ve always felt that it was important to have our work monitored and validated by third parties since it adds an extra layer of objectivity and impartiality, and we will continue to do this going forward. On top of the auditing we have done previously, we are also engaging another third party auditor that specializes in data privacy to examine the policies and processes we have put in place to protect the data entrusted to us.
Data privacy is an important and evolving area of regulatory focus. We look forward to working with all stakeholders in the coming months and years to help make sure the ad tech ecosystem remains a safe and ethical one for consumers, publishers, and advertisers alike.
Any other questions can be directed to firstname.lastname@example.org.