Skip to main content

What the NYAG Oath COPPA Action Means for Ad Buyers and What You Should Do

In early December, the New York State Attorney General (NYAG) announced a $4.95 million settlement with Oath Inc. resulting from an investigation into violations of the Children’s Online Privacy Protection Act (COPPA).

The NYAG found that Oath’s ad exchanges transferred persistent identifiers and geolocation from website users to DSP bidders in its automated auction process.  While that may be fine for websites directed to grown-up audiences, COPPA includes persistent identifiers and geolocation in its definition of “personal information.”  Under the law, companies must obtain verifiable parental consent before collecting or using children’s personal information. However, Oath treated all websites (and therefore all user information) the same, despite knowledge that some of its website inventory was directed to children under age 13 and subject to COPPA. Oath’s ad exchanges allowed advertisers to collect information on children and display ads on sites targeting children —which led to the largest-ever penalty under COPPA and an enormous settlement.

What is so remarkable about this case, which has the largest fine in COPPA history, is the fact that it did not come from the FTC, but the NYAG. This is the third major COPPA enforcement action in three years from the NYAG, which announced “Operation Child Tracker” in 2016 and a settlement with TRUSTe in 2017. With this record settlement, the NYAG solidifies its role as COPPA’s chief enforcer.

The enforcement is also notable because generally, responsibility for ensuring compliance with COPPA falls to the website or mobile app publisher, but here, the NYAG targeted the ad exchange. This is a departure from practice, as publishers are held strictly liable for any improper collection that occurs through their sites.

Under COPPA, an ad exchange is liable only if it acquires actual knowledge that its ads are collecting personal information (i.e., persistent identifiers or geolocation) from children under 13. This rule recognizes that many ad networks operate on millions of websites, making it impossible for them to know the content of those sites – unless, that is, they are notified in some way that the site services children and is therefore subject to COPPA.  Here, the NYAG found that Oath not only acquired, but deliberately ignored, three different types of notice: client disclosures that provided notice their websites were subject to COPPA, its own COPPA-compliant tool for internal review, and a configuration system intended to sell inventory on sites subject to COPPA using a system capable of placing contextual advertising instead of targeted ads.

The lesson here is clear:  If you acquire knowledge that you are serving children and subject to COPPA, be prepared to take action to comply.

If you are interested in learning more about staying in compliance with COPPA and other international privacy laws, or hearing specifically what happened with Oath to receive such a massive penalty and how to avoid a repeat, please join CARU at the Children’s Advertising Review Unit 2019 Conference on March 6, 2019 in Los Angeles, CA. Daniel M. Goldberg (Frankfurt Kurnit) and Kate O’Loughlin (COO, SuperAwesome) will give valuable insights into how COPPA is playing out in the ad ecosystem. They’ll discuss what the Oath action means for ad buyers, how it moves COPPA beyond publishers, and solutions advertisers and their partners can adopt.

Keynotes will be given by Chief Civil Deputy for Attorney General Hector Balderas of New Mexico, Tania Maestas, and Mattel’s Chief Information Security Officer, Fares Alraie. Other discussions will include the impact of COPPA, GDPR, and the California Consumer Privacy Act (CCPA) on companies; privacy concerns in mobile apps and smart gadgets; and the impact on children’s advertising by demographic shifts.

For more information, visit the CARU conference website online.

This article is repurposed with permission from Amy Lawrence & Jeremy Goldman, AdTech Provider Hit with Record COPPA Fine, Frankfurt Kurnit Klein + Selz (Dec. 6, 2018),

Popular posts from this blog

5 Key Takeaways from IAPP's #GPS18 Conference

The Children's Advertising Review Unit (CARU) attended the International Association of Data and Privacy Professionals' (IAPP) Data Privacy Summit in Washington D.C. last week. It was a great opportunity to spend time with important folks in the privacy industry. Panelists ranged from regulators to specialists on topics like GDPR, ethical data use and new technologies like facial recognition. It was a great event.

Here are CARU's key takeaways from IAPP's Data Privacy Summit.

1. GDPR was the Star
GDPR was paid a lot of attention--and with good reason. One panel answered a very serious question--will there be a grace period? According to Andrea Jelinek (current head of the Article 29 Working Party), there will be a two-day grace period because GDPR goes into effect on a Friday. So essentially, take the weekend, but they'll see you bright and early Monday morning. Other questions linger about whether GDPR principles become the norm because easier than parsing o…

Safety Tips for Parents Buying Smart and Connected Toys This Holiday Season

Teddy bears once filled with stuffing are now hard-wired with smart technology. Internet-connected toys can be fun but they can also put your family at risk if proper care is not taken when buying and using these devices.

Now, more than ever before, The Children’s Advertising Review Unit (CARU) encounters toys that may collect personal information (e.g. name, email address) from children. Unfortunately, this may be done without parents knowing it’s happening. Much like many offline experiences where parent’s permission is required before collecting or using your child’s information, the online world is the same: parental permission is required! These connected toys aren’t inherently bad; in fact, they can be highly educational and fun as long as parents are well-informed and choose wisely. But if you choose the wrong toy, there can be consequences (check out our issues we had with a recent smart toy here) Santa checks his list twice and responsible parents should too-- you may be surpr…

CARU to Host its First Conference in San Francisco on May 2, 2018

Join The Children's Advertising Review Unit (CARU) on May 2, 2018 at its first-ever San Francisco Conference. CARU typically hosts an annual conference on the East Coast but is looking forward to connecting the major players in the children’s advertising industry with the tech industries to examine the complex issues that arise when marketing to children. The conference will examine legal trends and review the latest developments in advertising and online privacy. Our dynamic panels will offer unique perspectives on privacy issues worldwide, adapting to new technology, social media, working with influencers and even why corporate social responsibility is good for your bottom line.

This can’t-miss conference will examine the latest innovations and trends, and explore strategies and solutions to drive your business forward whilst still complying with CARU’s guidelines and relevant laws. Leave with inspiration and practical advice about connected toys, social media marketing and com…