The New York Attorney General has announced a record settlement with Oath, Inc., formerly known as AOL, for allegedly violating the Children’s Online Privacy Protection Act. Oath Inc. is a wholly-owned subsidiary of Verizon Communications Inc. Until June 2017, Oath was known as AOL Inc.
The Children’s Online Privacy Protection Act
Congress enacted COPPA to protect the safety and privacy of young children online. COPPA prohibits operators of certain websites from collecting, using, or disclosing personal information of children under the age of 13 without first obtaining parental consent. Operators of websites and online services directed to children under the age of 13, and the operators of websites and online services that have actual knowledge that they are collecting personal information from a child under the age of 13, are subject to COPPA.
In 2013, the definition of “personal information” was amended to include persistent identifiers that can be used to recognize a user over time and across websites, such as the ID found in a web browser cookie or an Internet Protocol address. The revision effectively prohibits covered operators from using cookies, IP addresses and other persistent identifiers to track users across websites for most advertising purposes, amassing profiles on individual users and serving online behavioral advertisements on COPPA-covered websites.
Ads Directed to Children
According to the NY OAG, AOL conducted billions of auctions for ad space on hundreds of websites the company knew were directed to children under the age of 13. Through these auctions, the OAG alleges, AOL collected, used, and disclosed personal information from the websites’ users in violation of COPPA, enabling advertisers to track and serve targeted ads to children.
As part of the settlements, the company has agreed to adopt comprehensive reforms to protect children from improper tracking and pay $4.95 million in penalties. The settlement is the largest-ever penalty in a COPPA enforcement matter in U.S. history.
“COPPA is meant to protect young children from being tracked and targeted by advertisers online. AOL flagrantly violated the law – and children’s privacy – and will now pay the largest-ever penalty under COPPA,” said Attorney General Barbara Underwood. “My office remains committed to protecting children online and will continue to hold accountable those who violate the law.”
Advertisements for a product that seems to follow website users from website to website are known as online behavioral advertisements. OBA is a form of targeted advertising that selects an advertisement to serve to an individual based on previously collected information about that individual, such as the individual’s Internet browsing history, demographic information or personal interests. OBA ads are often placed through online marketplaces known as ad exchanges. An ad exchange enables websites to sell, and advertisers to buy, advertising space through an auction process. Auctions take place in real-time, after a user opens a webpage that contains ad space.
When a user opens a webpage on a website that works with an ad exchange, the exchange retrieves a small text file stored on the user’s computer known as a web browser cookie. The exchange typically transmits information from that cookie to entities that may be interested in purchasing ad space on behalf of advertisers. These entities use the information the exchange provides to help determine whether to place a bid for the ad space on behalf of an advertiser. The exchange collects bids, selects a winner, and then permits the winning bidder to serve an advertisement, usually an OBA ad, to the user. The entire auction process takes place in a fraction of a second.
AOL’s Display Ad Exchange Allegedly Conducted Billions of Unlawful Auctions
According to the New York Attorney General, AOL operates several ad exchanges, including an exchange for image-based ads, referred to as “display” ads. Until recently, AOL’s ad exchange for display ads was not capable of conducting a COPPA-compliant auction that involved third-party bidders because AOL’s systems would necessarily collect information from users and disclose that information to the third-parties. AOL policies therefore prohibited the use of its display ad exchange to auction ad space on COPPA-covered websites to third-parties.
The OAG alleges that despite these policies, AOL used its display ad exchange to conduct billions of auctions for ad space on websites that it knew to be directed to children under the age of 13 and subject to COPPA.
The OAG states that AOL obtained this knowledge in two ways. First, several AOL clients provided notice to AOL that their websites were subject to COPPA. These clients identified more than a dozen COPPA-covered websites to AOL. AOL conducted at least 1.3 billion auctions of display ad space from these websites.
Second, according to the OAG, AOL itself determined that certain websites were directed to children under the age of 13 when it conducted a review of the content and privacy policies of client websites. Through these reviews, AOL purportedly identified hundreds of additional websites that were subject to COPPA. The OAG states that AOL conducted at least 750 million auctions of display ad space from these websites.
Ad Placement Through Other Exchanges in Violation of COPPA
AOL also operates a business that bids on ad space in auctions conducted by other ad exchanges. The OAG asserts that several of the exchanges that AOL has worked with have the capability to auction ad space on child-directed websites in a COPPA-compliant manner. In its press release, the OAG states that when one of these exchanges conducts an auction for ad space on a child-directed website, the exchange passes information to bidders indicating that it is subject to COPPA. Bidders that receive this information are expected to comply with COPPA as well.
Prior to November 2017, according to the OAG, AOL’s systems ignored any information that it received from an ad exchange indicating that the ad space was subject to COPPA. Thus, whenever AOL participated in and won an auction for COPPA-covered ad space, its systems purportedly behaved as they normally did. In these cases, the company is alleged to have used user information supplied by the exchange and information the company could collect directly from the user to select and serve a targeted advertisement to the user.
Knowingly COPPA Violations to Increase Revenue
The New York OAG alleges that an AOL account manager based in New York intentionally configured at least one client accounts in a manner that she knew would violate COPPA in order to increase advertising revenue. According to the OAG, the account manager repeatedly represented to at least this client that AOL’s display ad exchange could be used to sell ad space to third-parties in a COPPA compliant manner. As a result of these alleged misstatements, the client used AOL’s display ad exchange to place more than a billion advertisements on COPPA-covered inventory.
AOL has agreed to adopt comprehensive reforms to its policies and procedures to protect children’s privacy. The agreement requires that AOL establish and maintain a comprehensive COPPA compliance program that includes: the designation of an executive or officer to oversee the program; annual COPPA training for relevant AOL personnel; the identification of risks that could result in AOL’s violation of COPPA; the design and implementation of reasonable controls to address the identified risks, as well as regular monitoring of the effectiveness of those controls; and development and use of reasonable steps to select and retain service providers that can comply with COPPA. The agreement also requires that AOL retain an objective, third-party professional to assess the privacy controls that the company has implemented.
AOL has also agreed to implement and maintain functionality that enables website operators that sell ad inventory through AOL systems to indicate each website or portion of a website that is subject to COPPA. AOL will maintain this information in a database or similar system, and disclose to each third-party bidder that relevant ad space is subject to COPPA.
AOL has also agreed to destroy all personal information collected from children that is in its possession, custody, or control, unless such personal information is required to be maintained by law, regulation, or court order.
Operation Child Tracker
The New York Attorney General’s office has been quite active when it comes to protecting children’s privacy. In September 2016, the Attorney General’s office announced settlements with four companies that had violated COPPA by allowing illegal third-party tracking technologies on some of the nation’s most popular kids’ websites, including websites for Barbie, Nick Jr., My Little Pony, American Girl, Hot Wheels, and dozens of others. Those companies agreed to pay penalties totaling $835,000 and to adopt comprehensive reforms to protect children from improper tracking and the collection of children’s personal information in the future. In April 2017, the Attorney General’s office announced a settlement with the operator of a COPPA safe harbor program for flawed privacy assessments that left children visiting popular children’s websites vulnerable to illegal tracking. As part of that settlement, the company paid a penalty of $100,000 and agreed to adopt new measures to strengthen its privacy assessments.
FTC Also Empowered to Enforce COPPA
FTC attorneys also aggressively enforce COPPA. Recent COPPA settlements include, without limitation, matters in which developers utilized third-party ad networks to deliver advertisements to users of mobile applications targeted at children. App developers failed to provide adequate notice and obtain verifiable consent with respect to information collected, how it would be used and with whom it would be shared.
In the first enforcement action protecting children’s privacy and security involving connected toys, the settlement included a $650,000 slap on the wrist for alleged COPPA and FTC Act violations, including lack of adequate safeguards and security measures to protect transmitted and stored information.
An $4 million fine was imposed on an ad network in 2016 for COPPA violations when, according to the FTC, misrepresentations were made about its advertising software, to wit, that it did not track consumers’ location information unless they opted in to the functionality. However, according to the FTC, the software tracked consumers’ locations whether or not a consumer opted in, and when consumers refused to allow access to device location.
Richard Newman is an FTC investigation attorney and member of the International Association of Privacy Professionals. Contact the author at firstname.lastname@example.org to discuss FTC data privacy compliance requirements.
Informational purposes only. Not legal advice. Previous case results do not guarantee similar future result. Advertising Material.