22.
Even if these third-party app developers wanted to provide adequate disclosure to their
users about InMarket’s use of their location data, InMarket does not provide the developers
with sufficient information to provide that notice. Specifically, InMarket’s contract with
third-party app developers merely states that InMarket will serve ads on the developer’s apps
in return for developers passing user information to InMarket, including precise location and
advertising identifiers. InMarket does not disclose that information collected from these
third-party users will be supplemented and cross-referenced with purchased data and analyzed
to draw inferences about those users for marketing purposes. Nor does it disclose to these
app developers that it retained their users’ location information for up to five years.
Moreover, although InMarket’s privacy policy generally describes its use of consumer data
for advertising purposes, InMarket does not even reference this privacy policy in its third-
party developer agreements.
23.
InMarket therefore does not know whether users of hundreds of third-party apps that
incorporate the InMarket SDK were informed of their data being collected and used for
targeted advertising. In fact, several of these third-party apps seek users’ location using
incomplete and misleading disclosures that are similar to those that InMarket uses. For
example, one photo- editing app that incorporates InMarket’s SDK seeks location permission
with the prompt: “Your location is used to provide you with rewards and discounts when you
visit retail partners.” Based on this disclosure, a consumer may believe that her location data
will be used for this one purpose and used solely by the photo-editing app itself. The
consumer would never know, based on the above disclosure, that her location will be
collected multiple times per day (whether or not she was near the app’s retail partner) and that
her movements will be shared with third parties like InMarket, who will then purchase
additional data about her in order to create her detailed consumer profile. The consumer
would never know that, by granting location permission to a photo-editing app, she actually
set into motion a string of data collections that enabled InMarket, a third-party she likely
never heard of, to amass a mountain of sensitive data about her without her knowledge.
24.
Because InMarket readily combined the location data of those users into its databases
and systems without confirming user consent, InMarket obtained and used that data without
informed user consent, resulting in likely consumer injury, as discussed below.
Respondent retains consumer data longer than reasonably necessary for its business purposes
leading to likely consumer injury.
25.
After collecting sensitive precise location data about consumers’ daily movements,
InMarket retains that information longer than reasonably necessary to accomplish the purpose
for which that information was collected and thereby exposes consumers to significant
unnecessary risk. Specifically, InMarket has retained consumer location data for five years
prior to deletion.
26.
This unreasonably long retention period—far longer than is necessary to accomplish
InMarket’s stated purpose for collection (to allow a consumer to earn shopping points or
make shopping lists)—significantly increases the risk that this sensitive data could be
disclosed, misused, and linked back to the consumer, thereby exposing sensitive information
6