January 23, 2022

Volume XII, Number 23

Advertisement
Advertisement

January 21, 2022

Subscribe to Latest Legal News and Analysis

January 20, 2022

Subscribe to Latest Legal News and Analysis

Major COPPA Settlements Close Out 2021

Two important settlements involving alleged violations of the Children’s Online Privacy Protection Act (COPPA) were announced in December 2021. Actions by both federal and state regulators reinforce that COPPA remains on the regulatory radar screen, particularly when it comes to ad tech. Efforts to more broadly limit programmatic advertising are also underway.

FTC and OpenX Settle Programmatic Advertising Dispute

With over 1,200 premium publishers, some 50,000 mobile Apps, and tens of thousands of ad buyers, OpenX Technologies, Inc. (OpenX) boasts it is the biggest independent online advertising platform. The company makes assurances on its website that it takes compliance obligations seriously, claiming to have “the only traffic quality team in the industry that conducts a human review of each property to ensure compliance with OpenX’s policies and to classify accurately the subject matter of all Web sites and Apps for the benefit of its demand-side partners.” However, in a complaint filed on behalf of the Federal Trade Commission (FTC or Commission) by the Department of Justice, the FTC alleged that, contrary to its public statements, OpenX “did not have a regular practice of examining its data collection practices, assessing whether there was a justification or need for collecting various data, or checking whether it complied with Android or iOS platform policies.” The complaint, filed on December 15, 2021, charges that OpenX misrepresented its data collection practices by collecting geolocation information and persistent identifiers from users who had chosen to opt-out of tracking, and violated the Children’s Online Privacy Protection Rule (COPPA Rule) by neglecting to obtain parental consent before collecting personal information from children under 13.

The COPPA Rule mandates that operators of websites or online services that are child-directed or that knowingly collect personal information from children under 13 must obtain parental consent before collecting, using, or disclosing children’s personal information (subject to a few limited exceptions). OpenX’s own policies require human reviewers to flag apps that are directed to children. Once flagged, child-directed apps are not supposed to participate in the ad exchange. Nonetheless, according to the FTC, numerous child-directed sites and apps slipped past the reviewers – some with descriptions such as “preschool” and “for kids,” clearly indicating that the target audience was likely under 13. Those sites then participated in the ad exchange, which meant that targeted ads were sent to children in violation of the COPPA Rule. Moreover, OpenX had actual knowledge that it was collecting personal information from an online service directed to children through this review. Additionally, the complaint alleges that OpenX violated the FTC Act by misrepresenting its privacy practices, including the ability to consent to and opt-out of location tracking.

The order requires the company to comply with COPPA, bars misrepresentations about the company’s privacy practices, and requires the company to obtain opt-in consent for location tracking, delete all ad request data it collected, and institute an additional app and website review to prevent targeted advertising directed to children. The order also requires notices to customers. In addition, the company must provide annual COPPA training to ensure that child-directed apps and websites are not missed and maintain a record of child-directed apps that the company has banned or removed from the ad exchange.

The Commission voted 4-0 to authorize to approve the stipulated final order. Commissioner Noah Phillips issued a concurring statement in which he expressed support for the decision to forward the complaint to DOJ, but suggested the FTC should tread carefully on some aspects. He encouraged the Commission to be more transparent about the way it calculates penalties for privacy violations and questioned whether it was necessary to require OpenX to provide notice to its ad buyers that it had transferred location data without complying with COPPA. Commissioner Phillips also noted that the complaint asserted that OpenX failed to adequately implement the human review of the apps and websites to assess if they were child-directed. Paradoxically, however, the imperfect review opened the company to civil penalties. Commissioner Phillips suggested that to avoid an implication that companies are better off not engaging in a review, the FTC should “to be careful to weigh the instinct to penalize against the desire to foster a commercial environment where care is taken with regard to apps directed at children.”

New Mexico and Google Settle COPPA Complaint

Also of note is the resolution of the New Mexico Attorney General’s (NMAG) complaint against Google for violations of COPPA and state consumer protection laws, filed in U.S. District Court for the District of New Mexico on February 20, 2020. While a federal court granted Google’s motion to dismiss the NMAG’s complaint in September of that year, Attorney General Hector Balderas filed an appeal two months later. However, on December 13, 2021, NMAG Balderas announced a $3.8 million settlement that will establish the Google New Mexico Kids Initiative to promote education, privacy, and safety.

The NMAG’s complaint concerned Google G Suite for Education, a free web service used by 80 million educators and students that provides access to various Google applications, including Gmail, Google Drive, and Google Docs. The complaint charges Google with tracking and collecting the data of children under 13 without notice or parental consent, in violation of COPPA, and deceptively marketing its data collection practices to educators and parents, contrary to the New Mexico Fair Practices Act. The NMAG, acting in parens patriae, also alleged in the complaint that Google intruded on children’s privacy by tracking them surreptitiously, pursuant to New Mexico’s quasi-sovereign interest in protecting the health and well-being of its citizens. 

What’s Next: Spotlight on Programmatic Advertising

COPPA enforcement will likely remain a high priority for the FTC and state attorneys general in 2022. In the meantime, various bills to address teen and children’s privacy have been introduced. And with the FTC’s recent decision to request comments on a petition to ban so-called “surveillance advertising,” larger questions loom about the future role of programmatic and targeted advertising in general.

The petition and notice are available at Regulations.gov, Docket No. FTC 2021-0070. Comments are due January 26, 2022.

© 2022 Keller and Heckman LLPNational Law Review, Volume XII, Number 13
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Sheila Millar, Keller Heckman, advertising lawyer, privacy attorney
Partner

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues.  She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters.  She helps clients develop website and app privacy policies,...

202-434-4646
Tracy Marshall, Keller Heckman, regulatory attorney, for-profit company lawyer
Partner

Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and...

202-434-4234
Advertisement
Advertisement
Advertisement