October 22, 2021

Volume XI, Number 295

Advertisement
Advertisement

October 21, 2021

Subscribe to Latest Legal News and Analysis

October 20, 2021

Subscribe to Latest Legal News and Analysis

October 19, 2021

Subscribe to Latest Legal News and Analysis
Advertisement

Oath (f/k/a AOL) Agrees to Pay Record Settlement over COPPA Violations

Recently, Oath, a wholly-owned subsidiary of Verizon Communications agreed to pay $4.95 million to settle charges from the New York attorney general’s office that the company’s online advertising business was violating federal law.  This represents the largest penalty ever in a Children’s Online Privacy Protection Act (“COPPA”) enforcement matter.  This settlement underscores that COPPA compliance remains an important issue with real penalties for non-compliance since being enacted in 1998.  As a reminder, companies that target U.S. children must comply with U.S. privacy laws, including COPPA, regardless of where they are based. 

Oath, which until June 2017 was known as AOL Inc. (“AOL”), ran services that enabled what is known as targeted advertising, the serving of specific ads to sets of individuals, based on information collected about these individuals.  Advertisers are interested in serving ads to those they believe are most likely to be interested in their products, which makes this practice very lucrative.  Companies that can allow advertisers to filter by their desired demographic characteristics, including specific interests as expressed through browsing history, can charge more per ad than they would be able to otherwise. 

Companies that operate targeted advertising often do so in part through the use of small text files placed on the computers of users, called cookies.  These cookies may be updated with information based on actions users take online, including which websites are visited.  Companies can then use this information to run an ad exchange, effectively allowing companies to bid on advertising space based on collected characteristics, and demographic information.  The use of such cookies became more problematic for companies when the definition of “personal information” protected under COPPA was revised to include persistent identifiers, including those present within cookies, and Internet Protocol (“IP”) addresses in 2013. 

Oath, then AOL, operated ad exchanges that collected personal information from children by running its ad exchanges on websites that it knew to be directed to children, such as Roblox.com and Sweetyhigh.com. AOL received knowledge that these websites were directed to children both from their own clients, and by making its own determination, conducting not less than 750 million auctions of display ad space from these websites.  Prior to November 2017, AOL’s systems ignored any information that it had that the website was subject to COPPA. 

In addition to paying the $4.95 million fine, as part of the settlement, Oath agreed to adopt comprehensive reforms, including designating an individual to oversee the program, annual training, implementing and monitoring appropriate controls, and retaining an objective third-party to assess the implemented controls.  Further, it must make its ad exchange COPPA compliant by implementing and maintaining appropriate functionality, and disclose to each bidder that the ad space at issue is subject to COPPA.  Additionally it must destroy all personal information it has collected from children unless it is legally required to maintain the information. 

Companies in this space would be wise to consider whether their existing COPPA compliance programs meet regulatory requirements and are being enforced at the corporate level.  Unfortunately for AOL, although it had policies prohibiting non-compliant use of ad exchanges on COPPA covered websites in a non-compliant manner, these policies were not observed. 

©1994-2021 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume VIII, Number 346
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Brian H. Lam, Mintz Levin, software licensing lawyer, vendor agreements attorney
Associate

Brian Lam is a member of Mintz’s Privacy & Security Practice and Technology Transactions Practice. Brian focuses his practice on providing practical advice that enables companies to pursue their business in a competitive environment while reducing risk associated with the collection, use, storage, transfer, and potential loss of data. He frequently negotiates complex data-centric information technology agreements, and designs policies and corresponding controls for the implementation of best practices, compliance with state and federal law, and international considerations. He often...

858.314.1583
Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

617-348-1732
Advertisement
Advertisement
Advertisement