Skip to main content

What the NYAG Oath COPPA Action Means for Ad Buyers and What You Should Do


In early December, the New York State Attorney General (NYAG) announced a $4.95 million settlement with Oath Inc. resulting from an investigation into violations of the Children’s Online Privacy Protection Act (COPPA).

The NYAG found that Oath’s ad exchanges transferred persistent identifiers and geolocation from website users to DSP bidders in its automated auction process.  While that may be fine for websites directed to grown-up audiences, COPPA includes persistent identifiers and geolocation in its definition of “personal information.”  Under the law, companies must obtain verifiable parental consent before collecting or using children’s personal information. However, Oath treated all websites (and therefore all user information) the same, despite knowledge that some of its website inventory was directed to children under age 13 and subject to COPPA. Oath’s ad exchanges allowed advertisers to collect information on children and display ads on sites targeting children —which led to the largest-ever penalty under COPPA and an enormous settlement.

What is so remarkable about this case, which has the largest fine in COPPA history, is the fact that it did not come from the FTC, but the NYAG. This is the third major COPPA enforcement action in three years from the NYAG, which announced “Operation Child Tracker” in 2016 and a settlement with TRUSTe in 2017. With this record settlement, the NYAG solidifies its role as COPPA’s chief enforcer.

The enforcement is also notable because generally, responsibility for ensuring compliance with COPPA falls to the website or mobile app publisher, but here, the NYAG targeted the ad exchange. This is a departure from practice, as publishers are held strictly liable for any improper collection that occurs through their sites.

Under COPPA, an ad exchange is liable only if it acquires actual knowledge that its ads are collecting personal information (i.e., persistent identifiers or geolocation) from children under 13. This rule recognizes that many ad networks operate on millions of websites, making it impossible for them to know the content of those sites – unless, that is, they are notified in some way that the site services children and is therefore subject to COPPA.  Here, the NYAG found that Oath not only acquired, but deliberately ignored, three different types of notice: client disclosures that provided notice their websites were subject to COPPA, its own COPPA-compliant tool for internal review, and a configuration system intended to sell inventory on sites subject to COPPA using a system capable of placing contextual advertising instead of targeted ads.

The lesson here is clear:  If you acquire knowledge that you are serving children and subject to COPPA, be prepared to take action to comply.

If you are interested in learning more about staying in compliance with COPPA and other international privacy laws, or hearing specifically what happened with Oath to receive such a massive penalty and how to avoid a repeat, please join CARU at the Children’s Advertising Review Unit 2019 Conference on March 6, 2019 in Los Angeles, CA. Daniel M. Goldberg (Frankfurt Kurnit) and Kate O’Loughlin (COO, SuperAwesome) will give valuable insights into how COPPA is playing out in the ad ecosystem. They’ll discuss what the Oath action means for ad buyers, how it moves COPPA beyond publishers, and solutions advertisers and their partners can adopt.

Keynotes will be given by Chief Civil Deputy for Attorney General Hector Balderas of New Mexico, Tania Maestas, and Mattel’s Chief Information Security Officer, Fares Alraie. Other discussions will include the impact of COPPA, GDPR, and the California Consumer Privacy Act (CCPA) on companies; privacy concerns in mobile apps and smart gadgets; and the impact on children’s advertising by demographic shifts.

For more information, visit the CARU conference website online.



This article is repurposed with permission from Amy Lawrence & Jeremy Goldman, AdTech Provider Hit with Record COPPA Fine, Frankfurt Kurnit Klein + Selz (Dec. 6, 2018), https://www.focusonthedata.com/2018/12/adtech-provider-hit-record-coppa-fine/.

Popular posts from this blog

CARU Speaks at Community Board in Manhattan

CARU staff attorney Andra Dallas gave a presentation to Community Board 1, serving lower Manhattan on Monday, December 7 th .  Andra spoke to the Board’s Youth Committee about the importance of teaching children about understanding advertising and safe online practices.  District Manager Noah Pfefferblit remarked, “thank you for your informative presentation to our Youth Committee members,” and offered the Board’s assistance if they “can be helpful to the important efforts at the Children's Advertising Review Unit.” Are you interested in having a CARU staff member visit your community board? Contact adallas@caru.bbb.org.

i-Dressup Shuts Down in Wake of Privacy Breach and COPPA Violation

I-Dressup, a fashion-themed social website for teens, has completely shut down as part of a settlement with the New Jersey Department of Consumer Affairs, following a massive privacy breach and violations of the federal Children's Online Privacy Protection Act (COPPA) and New Jersey state law. In September 2016, a hacker sent 2.2 million i-Dressup account credentials to technology blog Arstechnica as well as to haveibeenpwned.com, a searchable online database of data breaches. Responding to the news, New Jersey investigators discovered that 2,519 of the compromised accounts belonged to New Jersey children below age 13. I-Dressup, allegedly aware that it had child users, had violated COPPA by failing to obtain verifiable parental consent prior to collecting and processing personal information from the children, including first and last names and email addresses. In a consent decree with the New Jersey Attorney General Gurbir Gerwal, parent company Unixiz has closed i-Dressup,

Kids Internet Design and Safety Act Seeks to Protect Children from Harmful Online Content

United States Senators, Mr. Richard Blumenthal from Connecticut and Mr. Edward Markey from Massachusetts, introduced a new bill referred to as the Kids Internet Design and Safety Act (the “KIDS Act”). One of the Senator’s introducing the KIDS Act, Mr. Edward Markey, was the co-author of the Children’s Online Privacy Protection Act (“COPPA”). The KIDS Act seeks to include noteworthy advertising rules and create new protections for children online, specifically for online users under the age of 16. The proposed advertising rules within the KIDS Act are to ban websites from: (1) exposing young online users to advertisements “with embedded interactive elements”; (2) recommending any content involving alcohol, nicotine, or tobacco to young online users; and (3) recommending content that includes influencer marketing, like unboxing videos, or host-selling to young online users. Additionally, the KIDS Act seeks to prohibit certain online features to protect children, like prohibiting