August 23, 2019

August 22, 2019

Subscribe to Latest Legal News and Analysis

August 21, 2019

Subscribe to Latest Legal News and Analysis

August 20, 2019

Subscribe to Latest Legal News and Analysis

Oath (f/k/a AOL) Agrees to Pay Record Settlement over COPPA Violations

Recently, Oath, a wholly-owned subsidiary of Verizon Communications agreed to pay $4.95 million to settle charges from the New York attorney general’s office that the company’s online advertising business was violating federal law.  This represents the largest penalty ever in a Children’s Online Privacy Protection Act (“COPPA”) enforcement matter.  This settlement underscores that COPPA compliance remains an important issue with real penalties for non-compliance since being enacted in 1998.  As a reminder, companies that target U.S. children must comply with U.S. privacy laws, including COPPA, regardless of where they are based. 

Oath, which until June 2017 was known as AOL Inc. (“AOL”), ran services that enabled what is known as targeted advertising, the serving of specific ads to sets of individuals, based on information collected about these individuals.  Advertisers are interested in serving ads to those they believe are most likely to be interested in their products, which makes this practice very lucrative.  Companies that can allow advertisers to filter by their desired demographic characteristics, including specific interests as expressed through browsing history, can charge more per ad than they would be able to otherwise. 

Companies that operate targeted advertising often do so in part through the use of small text files placed on the computers of users, called cookies.  These cookies may be updated with information based on actions users take online, including which websites are visited.  Companies can then use this information to run an ad exchange, effectively allowing companies to bid on advertising space based on collected characteristics, and demographic information.  The use of such cookies became more problematic for companies when the definition of “personal information” protected under COPPA was revised to include persistent identifiers, including those present within cookies, and Internet Protocol (“IP”) addresses in 2013. 

Oath, then AOL, operated ad exchanges that collected personal information from children by running its ad exchanges on websites that it knew to be directed to children, such as and AOL received knowledge that these websites were directed to children both from their own clients, and by making its own determination, conducting not less than 750 million auctions of display ad space from these websites.  Prior to November 2017, AOL’s systems ignored any information that it had that the website was subject to COPPA. 

In addition to paying the $4.95 million fine, as part of the settlement, Oath agreed to adopt comprehensive reforms, including designating an individual to oversee the program, annual training, implementing and monitoring appropriate controls, and retaining an objective third-party to assess the implemented controls.  Further, it must make its ad exchange COPPA compliant by implementing and maintaining appropriate functionality, and disclose to each bidder that the ad space at issue is subject to COPPA.  Additionally it must destroy all personal information it has collected from children unless it is legally required to maintain the information. 

Companies in this space would be wise to consider whether their existing COPPA compliance programs meet regulatory requirements and are being enforced at the corporate level.  Unfortunately for AOL, although it had policies prohibiting non-compliant use of ad exchanges on COPPA covered websites in a non-compliant manner, these policies were not observed. 

©1994-2019 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author

Brian H. Lam, Mintz Levin, software licensing lawyer, vendor agreements attorney

Brian has extensive experience in patent litigation and intellectual property matters, as well as privacy and data protection matters, particularly as to data aggregation, network security, and technology transactions. Beyond counseling on compliance, incident response, and data privacy and protection, Brian has advised on technology-centric agreements, licensing issues, open source software licensing, vendor agreements, and hosting agreements, and analyzed patent portfolios for potential assertion or freedom to operate. He is a Certified Information Privacy Professional...

Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-demand media commentator and speaker on privacy and cybersecurity issues.

Cynthia is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E).

She represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions. She is also a key contributor to MintzEdge, an online resource for entrepreneurs that includes useful tools and information for starting and growing a company.

Cynthia has extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions.

She conducts privacy audits and risk assessments to determine data and transaction flow and to assess privacy practices, and assists with drafting and implementation of privacy policies and information security policies and procedures and monitoring of privacy “best practices” across all levels of the enterprise.

She is a frequent speaker on privacy issues at conferences and media appearances and presents privacy awareness and compliance training seminars to client companies.

During law school, she was editor-in-chief of the Probate Law Journal.