In early December, the New York State Attorney General (NYAG) announced a $4.95 million settlement with Oath Inc. resulting from an investigation into violations of the Children’s Online Privacy Protection Act (COPPA).
The NYAG found that Oath’s ad exchanges transferred persistent identifiers and geolocation from website users to DSP bidders in its automated auction process. While that may be fine for websites directed to grown-up audiences, COPPA includes persistent identifiers and geolocation in its definition of “personal information.” Under the law, companies must obtain verifiable parental consent before collecting or using children’s personal information. However, Oath treated all websites (and therefore all user information) the same, despite knowledge that some of its website inventory was directed to children under age 13 and subject to COPPA. Oath’s ad exchanges allowed advertisers to collect information on children and display ads on sites targeting children —which led to the largest-ever penalty under COPPA and an enormous settlement.
What is so remarkable about this case, which has the largest fine in COPPA history, is the fact that it did not come from the FTC, but the NYAG. This is the third major COPPA enforcement action in three years from the NYAG, which announced “Operation Child Tracker” in 2016 and a settlement with TRUSTe in 2017. With this record settlement, the NYAG solidifies its role as COPPA’s chief enforcer.
The enforcement is also notable because generally, responsibility for ensuring compliance with COPPA falls to the website or mobile app publisher, but here, the NYAG targeted the ad exchange. This is a departure from practice, as publishers are held strictly liable for any improper collection that occurs through their sites.
Under COPPA, an ad exchange is liable only if it acquires actual knowledge that its ads are collecting personal information (i.e., persistent identifiers or geolocation) from children under 13. This rule recognizes that many ad networks operate on millions of websites, making it impossible for them to know the content of those sites – unless, that is, they are notified in some way that the site services children and is therefore subject to COPPA. Here, the NYAG found that Oath not only acquired, but deliberately ignored, three different types of notice: client disclosures that provided notice their websites were subject to COPPA, its own COPPA-compliant tool for internal review, and a configuration system intended to sell inventory on sites subject to COPPA using a system capable of placing contextual advertising instead of targeted ads.
The lesson here is clear: If you acquire knowledge that you are serving children and subject to COPPA, be prepared to take action to comply.
If you are interested in learning more about staying in compliance with COPPA and other international privacy laws, or hearing specifically what happened with Oath to receive such a massive penalty and how to avoid a repeat, please join CARU at the Children’s Advertising Review Unit 2019 Conference on March 6, 2019 in Los Angeles, CA. Daniel M. Goldberg (Frankfurt Kurnit) and Kate O’Loughlin (COO, SuperAwesome) will give valuable insights into how COPPA is playing out in the ad ecosystem. They’ll discuss what the Oath action means for ad buyers, how it moves COPPA beyond publishers, and solutions advertisers and their partners can adopt.
Keynotes will be given by Chief Civil Deputy for Attorney General Hector Balderas of New Mexico, Tania Maestas, and Mattel’s Chief Information Security Officer, Fares Alraie. Other discussions will include the impact of COPPA, GDPR, and the California Consumer Privacy Act (CCPA) on companies; privacy concerns in mobile apps and smart gadgets; and the impact on children’s advertising by demographic shifts.
For more information, visit the CARU conference website online.
This article is repurposed with permission from Amy Lawrence & Jeremy Goldman, AdTech Provider Hit with Record COPPA Fine, Frankfurt Kurnit Klein + Selz (Dec. 6, 2018), .