In early
December, the New York State Attorney General (NYAG) announced a $4.95 million
settlement with Oath Inc. resulting from an investigation into violations of
the Children’s Online Privacy Protection Act (COPPA).
The NYAG
found that Oath’s ad exchanges transferred persistent identifiers and
geolocation from website users to DSP bidders in its automated auction
process. While that may be fine for
websites directed to grown-up audiences, COPPA includes persistent identifiers
and geolocation in its definition of “personal information.” Under the law, companies must obtain
verifiable parental consent before collecting or using children’s personal
information. However, Oath treated all websites (and therefore all user
information) the same, despite knowledge that some of its website inventory was
directed to children under age 13 and subject to COPPA. Oath’s ad exchanges
allowed advertisers to collect information on children and display ads on sites
targeting children —which led to the largest-ever penalty under COPPA and an
enormous settlement.
What is so
remarkable about this case, which has the largest fine in COPPA history, is the
fact that it did not come from the FTC, but the NYAG. This is the third major
COPPA enforcement action in three years from the NYAG, which announced
“Operation Child Tracker” in 2016 and a settlement with TRUSTe in 2017. With
this record settlement, the NYAG solidifies its role as COPPA’s chief enforcer.
The
enforcement is also notable because generally, responsibility for ensuring
compliance with COPPA falls to the website or mobile app publisher, but here,
the NYAG targeted the ad exchange. This is a departure from practice, as
publishers are held strictly liable for any improper collection that occurs
through their sites.
Under
COPPA, an ad exchange is liable only if it acquires actual knowledge that its
ads are collecting personal information (i.e., persistent identifiers or
geolocation) from children under 13. This rule recognizes that many ad networks
operate on millions of websites, making it impossible for them to know the
content of those sites – unless, that is, they are notified in some way that
the site services children and is therefore subject to COPPA. Here, the NYAG found that Oath not only
acquired, but deliberately ignored, three different types of notice: client
disclosures that provided notice their websites were subject to COPPA, its own
COPPA-compliant tool for internal review, and a configuration system intended to
sell inventory on sites subject to COPPA using a system capable of placing
contextual advertising instead of targeted ads.
The lesson
here is clear: If you acquire knowledge
that you are serving children and subject to COPPA, be prepared to take action
to comply.
If you are
interested in learning more about staying in compliance with COPPA and other
international privacy laws, or hearing specifically what happened with Oath to
receive such a massive penalty and how to avoid a repeat, please join CARU at
the Children’s
Advertising Review Unit 2019 Conference on March 6, 2019 in Los
Angeles, CA. Daniel M. Goldberg (Frankfurt Kurnit) and Kate O’Loughlin (COO,
SuperAwesome) will give valuable insights into how COPPA is playing out in the
ad ecosystem. They’ll discuss what the Oath action means for ad buyers, how it
moves COPPA beyond publishers, and solutions advertisers and their partners can
adopt.
Keynotes
will be given by Chief Civil Deputy for Attorney General Hector Balderas of New
Mexico, Tania Maestas, and Mattel’s Chief Information Security Officer, Fares
Alraie. Other discussions will include the impact of COPPA, GDPR, and the
California Consumer Privacy Act (CCPA) on companies; privacy concerns in mobile
apps and smart gadgets; and the impact on children’s advertising by demographic
shifts.
For more
information, visit the CARU
conference website online.
This
article is repurposed with permission from Amy Lawrence & Jeremy Goldman, AdTech Provider Hit with Record COPPA Fine,
Frankfurt Kurnit Klein + Selz
(Dec. 6, 2018), https://www.focusonthedata.com/2018/12/adtech-provider-hit-record-coppa-fine/.