New York AG Announces Largest COPPA Fine in U.S. History
The New York Attorney General has fined Oath, Inc., the Verizon-owned company formerly known as AOL, a record $4.95 million in penalties for its role in allegedly helping advertisers track and target ads to children in violation of the Children's Online Privacy Protection Act (COPPA). According to the New York Attorney General's Press Release, AOL conducted billions of auctions between October 2015 and February 2017 for ad space on hundreds of websites the company knew were aimed at children under the age of 13 and collected and shared personal information of users, including young children, in violation of COPPA. In addition to paying the nearly $5 million fine, Oath agreed to implement a comprehensive COPPA compliance program and destroy all personal information collected from children.
COPPA requires that companies obtain verifiable consent from parents before collecting, using, or disclosing the personal information of children under 13 online. The definition of "personal information" was updated in 2013 to include cookies, geolocation data, and other persistent identifiers that can be used to recognize a user over time and across websites. While operators of child-directed online services may use persistent identifiers solely to support internal operations, use for behavioral advertising purposes is not covered by this exception.
According to the New York AG, AOL's policies prohibited COPPA-covered websites from using its display ad exchange to auction ad space, but documents obtained during the investigation revealed that AOL knew that its actions violated COPPA. The AG contends that the company carried out some 750 million auctions for ad space on COPPA-covered websites.
This past year has seen seismic shifts in data privacy with the enactment of the California Consumer Protection Act in July and the entry into force of the EU General Data Protection Regulation in May. Privacy issues loom large on the Congressional agenda for 2019 as well, with many expecting the introduction of national privacy legislation in the next session. This year also marks the twentieth anniversary of COPPA, which has brought renewed scrutiny of children's data privacy by consumer advocates and regulators and the possibility of amendments.
These recent federal and state enforcement actions nevertheless demonstrate that, after 20 years, the COPPA framework still works well to safeguard children's privacy and its provisions are vigorously enforced. The complaint against Oath is the second complaint brought by the New York AG in the last two years for alleged COPPA violations; in 2016, the New York AG concluded a two-year investigation into the tracking practices of four online publishers for alleged COPPA violations. Other state AGs are flexing their enforcement muscles as well. As recently as September of this year, the New Mexico AG filed a lawsuit for alleged COPPA violations against a children's game app company, Tiny Lab Productions, and the online ad companies that work within Tiny Lab's apps, including those run by Google and Twitter, and other state AGs have likewise previously acted in response to potential COPPA violations. The Federal Trade Commission (FTC) continues to vigorously enforce COPPA, closing out investigations of alleged COPPA violations against smart toy manufacturer VTech and online talent search company Explore Talent just this year. This means there have been a total of 28 enforcement proceedings since the COPPA rule was issued in 2000.
In general, the level of compliance with COPPA requirements is high. Nevertheless, all businesses that direct their online services to children should evaluate their compliance processes to maintain their commitments to safeguard children's privacy. And, it will be important for them to keep an eye on the evolving privacy landscape in 2019.