June 18, 2019

June 18, 2019

Subscribe to Latest Legal News and Analysis

June 17, 2019

Subscribe to Latest Legal News and Analysis

New York AG Announces Largest COPPA Fine in U.S. History

The New York Attorney General has fined Oath, Inc., the Verizon-owned company formerly known as AOL, a record $4.95 million in penalties for its role in allegedly helping advertisers track and target ads to children in violation of the Children's Online Privacy Protection Act (COPPA). According to the New York Attorney General's Press Release, AOL conducted billions of auctions between October 2015 and February 2017 for ad space on hundreds of websites the company knew were aimed at children under the age of 13 and collected and shared personal information  of users, including young children, in violation of COPPA. In addition to paying the nearly $5 million fine, Oath agreed to implement a comprehensive COPPA compliance program and destroy all personal information collected from children.

COPPA requires that that companies obtain verifiable consent from parents before collecting, using, or disclosing the personal information of children under 13 online. The definition of "personal information" was updated in 2013 to include cookies, geolocation data, and other persistent identifiers that can be used to recognize a user over time and across websites. While operators of child-directed online services may use persistent identifiers solely to support internal operations, use for behavioral advertising purposes is not covered by this exception.

According to the New York AG, AOL's policies prohibited COPPA-covered websites from using its display ad exchange to auction ad space, but documents obtained during the investigation revealed that AOL knew that its actions violated COPPA. The AG contends that the company carried out some 750 million auctions for ad space on COPPA-covered websites. 

This past year has seen seismic shifts in data privacy with the enactment of the California Consumer Protection Act in July and the entry into force of the EU General Data Protection Regulation in May. Privacy issues loom large on the Congressional agenda for 2019 as well, with many expecting the introduction of national privacy legislation in the next session. This year also marks the twentieth anniversary of COPPA, which has brought renewed scrutiny of children's data privacy by consumer advocates and regulators and the possibility of amendments. 

These recent federal and state enforcement actions nevertheless demonstrate that, after 20 years, the COPPA framework still works well to safeguard children's privacy and its provisions are vigorously enforced. The complaint against Oath is the second complaint brought by the New York AG in the last two years for alleged COPPA violations; in 2016, the New York AG concluded a two-year investigation into the tracking practices of four online publishers for alleged COPPA violations. Other state AGs are flexing their enforcement muscles as well. As recently as September of this year, the New Mexico AG filed a lawsuit for alleged COPPA violations against a children's game app company, Tiny Lab Productions, and the online ad companies that work within Tiny Lab's, including those run by Google and Twitter, and other state AGs have likewise previously acted in response to potential COPPA violations. The Federal Trade Commission (FTC) continues to vigorously enforce COPPA, closing out investigations of alleged COPPA violations against smart toy manufacturer VTech and online talent search company Explore Talent just this year. This means there have been a total of 28 enforcement proceedings since the COPPA rule was issued in 2000.

In general, the level of compliance with COPPA requirements is high. Nevertheless, all businesses that direct their online services to children should evaluate their compliance processes to maintain their commitments to safeguard children's privacy. And, it will be important for them to keep an eye on the evolving privacy landscape in 2019.

© 2019 Keller and Heckman LLP


About this Author

Tracy Marshall, Keller Heckman, regulatory attorney, for-profit company lawyer

Tracy Marshall joined Keller and Heckman in 2002. She assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.


Sheila Millar, Keller Heckman, advertising lawyer, privacy attorney

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues.  She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters.  She helps clients develop website and app privacy policies, data security and access procedures, manage trans-border data flows, respond to data breaches and create training programs. She assists clients on digital media issues, helping them develop social media, blogging and user-generated content policies, and to understand advertising technology and online behavioral advertising issues.  Ms. Millar also works with clients to navigate the array of federal and state requirements governing contests and sweepstakes, and advises on gift cards, coupons and rebates.  She represents clients on advertising and privacy matters before the Federal Trade Commission (FTC), the Children’s Advertising Review Unit (CARU), the National Advertising Division (NAD), as well as in connection with investigations by state regulatory bodies and Attorneys General.