On December 4, 2018, New York Attorney General Barbara D. Underwood announced a $4.95 million settlement with Oath, Inc. (formerly known as AOL), for violating the Children’s Online Privacy Protection Act (COPPA). This is the largest penalty in a COPPA enforcement case in U.S. history.
The Children’s Online Privacy Protection Act (COPPA), which was passed in 1998, governs the collection and use of personal information from children under the age of 13 that is gathered by websites and online services. The Act requires a website owner or operator to have knowledge that they are gathering information personal information from a child.
According to the FTC in 2013, personal information can be audio, video, images, location data, usernames, or other ongoing identifiers that could lead to the child (COPPA Final Rule, 78 Fed. Reg. 3971 (Jan. 17, 2013), 16 C.F.R. § 312.). Sites are required to list their privacy policies that explain what information is collected and how it will be used. They are also required to “obtain verifiable parental consent for the collection, use or disclosure of personal information from children.” § 6502(b)(1)(A)(ii).
Enforcement of COPPA is done by the FTC and by State Attorney Generals, as was the situation in this case.
During its investigation, the NY Attorney General’s Office found that:
(1) “AOL conducted billions of auctions for ad space on hundreds of websites the company knew were directed to children under the age of 13. Through these auctions, AOL collected, used, and disclosed personal information from the websites’ users in violation of COPPA, enabling advertisers to track and serve targeted ads to young children.”
(2) “Until recently, AOL’s ad exchange for display ads was not capable of conducting a COPPA-compliant auction that involved third-party bidders because AOL’s systems would necessarily collect information from users and disclose that information to the third-parties. AOL policies therefore prohibited the use of its display ad exchange to auction ad space on COPPA-covered websites to third-parties. Despite these policies, AOL nevertheless used its display ad exchange to conduct billions of auctions for ad space on websites that it knew to be directed to children under the age of 13 and subject to COPPA.”
(3) AOL permitted clients to use its display ad exchange to sell ad space on COPPA-covered sites, even though the exchange was not capable of conducting a COPPA-compliant auction that involved third-party bidders.
(4) AOL documents show that an AOL account manager based in New York intentionally configured at least one of these client’s accounts in a manner that she knew would violate COPPA in order to increase advertising revenue. In addition, AOL documents show that the NY account manager repeatedly represented to at least this client that AOL’s display ad exchange could be used to sell ad space to third-parties in a COPPA compliant manner. As a result of these misstatements, the client used AOL’s display ad exchange to place more than a billion advertisements on COPPA-covered inventory.
In the press release, Attorney General Barbara Underwood said: “COPPA is meant to protect young children from being tracked and targeted by advertisers online. AOL flagrantly violated the law – and children’s privacy – and will now pay the largest-ever penalty under COPPA. My office remains committed to protecting children online and will continue to hold accountable those who violate the law.”
Per the settlement, the company must adopt comprehensive reforms including establishing a “comprehensive COPPA compliance program,” designating an officer to oversee the program, conducting annual COPPA training of relevant personnel, doing a risk assessment, implementing reasonable controls to address risks, proper vendor management, and third-party assessments. Additionally, the company agreed to destroy all personal data obtained from children unless required to be maintained by law.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the International Privacy + Security Forum (Apr. 3-5, 2019 in Washington, DC), an annual event designed for seasoned professionals.
Table of Contents