Blog: VLP Speaks

Add to Portfolio

$5 Million Settlement over Children’s Online Privacy

Posted on Jan 15, 2019 in Privacy, Blog by Charulata B. Pagar

Oath, which is owned by Verizon and was formerly known as AOL, recently agreed to pay almost $5 million to settle the New York Attorney General’s allegations that its online advertising business violated the Children’s Online Privacy Protection Act (“COPPA”). This settlement represents the largest civil penalty to date in a COPPA case.

According to the New York Attorney General, AOL’s ad exchange helped advertisers place targeted display ads on websites directed to children under 13 years of age. The New York Attorney General’s Office asserted that Oath used children’s personal data, including data from cookies, to place those ads in violation of COPPA.

Targeted advertising occurs when advertisers use demographic characteristics (like gender, age, education, income level, interests, etc.) and/or behavioral variables (like purchase history, browser history, etc.) to target audiences with their ads.  Targeted advertising is valuable to many advertisers because it allows them to place their ads in front of users who they believe are more likely to be interested in their products than the general population. Such advertising often relies upon the placement of small text files called cookies on a user’s device to track the user’s activities across websites and make inferences about the user’s interests based on those activities. Advertisers are often willing to pay more for targeted ads than for non-targeted ads. 

COPPA, which is one of the relatively few federal privacy laws in place in the United States, requires companies to obtain parental permission before collecting personal information online from children under 13, including via cookies and IP addresses.  COPPA applies not only to advertisers, but to ad exchanges, which are businesses that connect publisher websites with advertisers, when the ad exchanges know a publisher’s website is directed to children under 13. 

In this case, AOL’s policies prohibited the use of its ad exchange to auction ad space on children’s websites. The New York Attorney General’s Office asserted that the company auctioned space on children’s websites despite the existence of those policies.

According to the New York Attorney General’s Office, Oath’s clients and its own internal review made the company aware that some of the publishers’ websites that participated in its ad exchange were directed to children. Nevertheless, according to the New York Attorney General’s Office, Oath conducted billions of non-COPPA-compliant display space ad auctions on those websites.  Moreover, the New York Attorney General’s Office alleged, one of the company’s account managers assured a client that the auctions were COPPA-compliant, even though they were not.    

The New York Attorney General’s Office further alleged that Oath placed ads through third party ad exchanges in a noncompliant manner. The third-party ad exchanges conducted COPPA-compliant ad space auctions by identifying whether particular websites were directed to children and contractually requiring only COPPA-compliant advertisers to bid for ad space on such sites.  According to the New York Attorney General’s Office, Oath’s bidding system improperly placed bids from non-COPPA-compliant advertisers on websites that the third-party ad exchanges identified as COPPA-covered ad space.   

To settle the matter, Oath agreed to pay a fine of $4.95 million and to adopt a COPPA compliance program, including executive oversight and annual training elements.  Oath also agreed to destroy the personal information that it collected online from children under 13. 

This settlement is a high-profile and high-dollar reminder to companies to review their COPPA compliance programs.  Even if a company has appropriate compliance policies in place – as Oath apparently did – it may be prudent to review whether the company’s real-world practices are consistent with its written policies.  In addition, this enforcement action is a timely reminder that the Federal Trade Commission is not the only entity that is authorized to enforce COPPA.  Each state is also authorized to enforce COPPA – as demonstrated by the New York Attorney General’s Office in this matter as well as in its prior COPPA settlements.    

The VLP Speaks blog is made available for educational purposes only, to give you general information and a general understanding of the law, not to provide specific legal advice. By using this blog site, you understand and acknowledge that no attorney-client relationship is formed between you and VLP Law Group LLP, nor should any such relationship be implied. This blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.