Skip to main content

What the NYAG Oath COPPA Action Means for Ad Buyers and What You Should Do

In early December, the New York State Attorney General (NYAG) announced a $4.95 million settlement with Oath Inc. resulting from an investigation into violations of the Children’s Online Privacy Protection Act (COPPA).

The NYAG found that Oath’s ad exchanges transferred persistent identifiers and geolocation from website users to DSP bidders in its automated auction process.  While that may be fine for websites directed to grown-up audiences, COPPA includes persistent identifiers and geolocation in its definition of “personal information.”  Under the law, companies must obtain verifiable parental consent before collecting or using children’s personal information. However, Oath treated all websites (and therefore all user information) the same, despite knowledge that some of its website inventory was directed to children under age 13 and subject to COPPA. Oath’s ad exchanges allowed advertisers to collect information on children and display ads on sites targeting children —which led to the largest-ever penalty under COPPA and an enormous settlement.

What is so remarkable about this case, which has the largest fine in COPPA history, is the fact that it did not come from the FTC, but the NYAG. This is the third major COPPA enforcement action in three years from the NYAG, which announced “Operation Child Tracker” in 2016 and a settlement with TRUSTe in 2017. With this record settlement, the NYAG solidifies its role as COPPA’s chief enforcer.

The enforcement is also notable because generally, responsibility for ensuring compliance with COPPA falls to the website or mobile app publisher, but here, the NYAG targeted the ad exchange. This is a departure from practice, as publishers are held strictly liable for any improper collection that occurs through their sites.

Under COPPA, an ad exchange is liable only if it acquires actual knowledge that its ads are collecting personal information (i.e., persistent identifiers or geolocation) from children under 13. This rule recognizes that many ad networks operate on millions of websites, making it impossible for them to know the content of those sites – unless, that is, they are notified in some way that the site services children and is therefore subject to COPPA.  Here, the NYAG found that Oath not only acquired, but deliberately ignored, three different types of notice: client disclosures that provided notice their websites were subject to COPPA, its own COPPA-compliant tool for internal review, and a configuration system intended to sell inventory on sites subject to COPPA using a system capable of placing contextual advertising instead of targeted ads.

The lesson here is clear:  If you acquire knowledge that you are serving children and subject to COPPA, be prepared to take action to comply.

If you are interested in learning more about staying in compliance with COPPA and other international privacy laws, or hearing specifically what happened with Oath to receive such a massive penalty and how to avoid a repeat, please join CARU at the Children’s Advertising Review Unit 2019 Conference on March 6, 2019 in Los Angeles, CA. Daniel M. Goldberg (Frankfurt Kurnit) and Kate O’Loughlin (COO, SuperAwesome) will give valuable insights into how COPPA is playing out in the ad ecosystem. They’ll discuss what the Oath action means for ad buyers, how it moves COPPA beyond publishers, and solutions advertisers and their partners can adopt.

Keynotes will be given by Chief Civil Deputy for Attorney General Hector Balderas of New Mexico, Tania Maestas, and Mattel’s Chief Information Security Officer, Fares Alraie. Other discussions will include the impact of COPPA, GDPR, and the California Consumer Privacy Act (CCPA) on companies; privacy concerns in mobile apps and smart gadgets; and the impact on children’s advertising by demographic shifts.

For more information, visit the CARU conference website online.

This article is repurposed with permission from Amy Lawrence & Jeremy Goldman, AdTech Provider Hit with Record COPPA Fine, Frankfurt Kurnit Klein + Selz (Dec. 6, 2018),

Popular posts from this blog

20 Years Young: The History and Maturing of COPPA in a Privacy-Conscious Age

1998: A Concern for Children’s Privacy Was BornFrom the moment home computers had the capacity to connect to the Internet, children had the ability to use these technologies to access online websites and services. In the 1990s, concerns about children’s privacy and safety online arose amid fears of marketing practices around selling children’s personal information and exposing children’s information to predators.

The Children’s Advertising Review Unit (CARU), founded in 1974, has always been on the forefront of safeguarding children’s privacy. CARU is the self-regulatory arm of the children’s advertising industry, tasked with promoting truth in children’s advertising by reviewing and evaluating child-directed ads in all media to ensure they are truthful, accurate and appropriate. CARU also monitors online privacy practices as they affect children.
Before there was any legislation on the matter, CARU monitored a burgeoning Internet and observed how children’s privacy and safety were be…

Safety Tips for Parents Buying Smart and Connected Toys This Holiday Season

Teddy bears once filled with stuffing are now hard-wired with smart technology. Internet-connected toys can be fun but they can also put your family at risk if proper care is not taken when buying and using these devices.

Now, more than ever before, The Children’s Advertising Review Unit (CARU) encounters toys that may collect personal information (e.g. name, email address) from children. Unfortunately, this may be done without parents knowing it’s happening. Much like many offline experiences where parent’s permission is required before collecting or using your child’s information, the online world is the same: parental permission is required! These connected toys aren’t inherently bad; in fact, they can be highly educational and fun as long as parents are well-informed and choose wisely. But if you choose the wrong toy, there can be consequences (check out our issues we had with a recent smart toy here) Santa checks his list twice and responsible parents should too-- you may be surpr…

Key Takeaways from the 2019 CARU Conference

The CARU Conference was held this year in Marina del Rey, California (just 15 minutes from LAX Airport) at the Ritz-Carlton hotel. We kicked the day off with a movie screening of Screenagers, the award-winning film that explores family life and the struggles over social media, video games and academics. The movie shares challenges of parenting in a digital world and solutions for how to help kids safely navigate the issues. Later in the day, the film’s star and director, Delaney Ruston shared her own messy, personal experiences. While it’s true that too much screen time can have adverse effects on brain development, it’s also true that prosocial games and media can encourage kids’ good behavior as well. Dr. Ruston hopes that her film will spark a movement—that this film will get families talking about how they can aspire to lead more balanced lives. She thinks industry is up to the task and challenged them to create more cool and prosocial content. Our first keynote speaker was the Cho…