On Tuesday, the New York Attorney General’s office announced a $4.95 million settlement with Oath (formerly AOL) to settle violations of the Children’s Online Privacy Protection Act. The settlement represents the largest ever enforcement penalty for a COPPA violation from any enforcement agency. The company’s violations rise beyond the conduct underlying previous COPPA violations — which often involve a company utilizing third-party tracking software and inadvertently tracking children on a website, in addition to adults. Here, AOL operated an online ad exchange that was incapable of complying with COPPA, placed advertisements on other exchanges while ignoring relevant COPPA information shared by the other ad exchanges to enable compliance with the law, and in at least one instance knowingly violated COPPA to increase advertising revenue. A review of recent New York Attorney General’s office and FTC COPPA settlements reveals that the large fine is a result of the egregious nature of AOL’s conduct.

New York Attorney General’s settlement

The Attorney General’s office determined that AOL (the company changed its name to Oath in June 2017) was in violation of COPPA for various practices surrounding AOL’s operation of, and participation in, online ad exchanges. The NYAG found, in particular, that AOL operated an image-based, or “display,” ad exchange that was incapable of conducting COPPA-compliant auctions. The exchange “would necessarily collect information from users and disclose that information to . . . third[]parties.”

AOL was aware of this issue for COPPA compliance — its policies prohibited the use of the display ad exchange on COPPA-covered websites — but nevertheless it used the exchange to facilitate “billions of auctions for ad space on websites that it knew to be directed to children under the age of 13 and subject to COPPA” (emphasis in Attorney General’s office’s press release). Such knowledge was obtained in two ways: First, AOL clients provided notice to AOL that their websites were subject to COPPA, and, second, AOL self-identified hundreds of clients’ websites subject to COPPA through a review of the websites’ content and privacy policies. In addition, in at least one instance an account manager knowingly violated COPPA to increase ad revenue. The manager configured a client’s account for the display ad exchange in a way she “knew” would violate COPPA and represented to the client that the exchange “could” sell ad space in a COPPA-compliant manner (emphases in press release), despite knowledge that, again, the display ad exchange was incapable of conducting COPPA-compliant auctions.

AOL also placed ads through other exchanges in a manner that violated COPPA. The company would bid on ad space in auctions on other ad networks on behalf of clients. These other exchanges were capable of conducting COPPA-compliant auctions by passing information to the bidders that the ad space being offered in a particular auction was for a child-directed website. Bidders were expected to comply with COPPA. AOL’s bidding system ignored the child-directed website notice sent by the exchanges. When the system won an auction, it failed to treat the ad space any differently than it would ad space on a website that was not subject to COPPA.

In addition to the $5 million monetary portion of the settlement, AOL has also agreed to the following:

  • Comprehensive reform of its policies and procedures surrounding the protection of children's privacy. 
  • Designation of an executive or officer to oversee the COPPA compliance program.
  • Annual COPPA training.
  • Design and implementation of new controls to identify risks to children's privacy identified by the COPPA program.
  • A new vendor assessment program that will ensure service providers comply with COPPA. 
  • Retention of a third-party to assess new COPPA and other privacy controls.
  • Destruction of "all personal information collected from children that is in its possession, custody, or control, unless such personal information is required to be maintained by law, regulation, or court order."

Operation Child Tracker

This settlement is the third announcement from the New York Attorney General’s Operation Child Tracker, “an ongoing investigation into illegal tracking of children’s online activity by marketers, advertising companies, and others in violation of COPPA.” It is, however, the largest penalty the operation has produced to this point.

The first round of settlements was announced in September 2016 and involved Viacom, Mattel, JumpStart Games, and Hasbro. Each company owned child-directed websites that enabled third-party vendors to track children’s online activity, in violation of COPPA. Total fines amounted to $835,000, with Viacom facing the largest penalty, $500,000. In each instance, the company’s use of third-party tracking technologies to track children’s activity was inadvertent, causing the Attorney General’s office to conclude:

  • Website operators are not sufficiently vetting advertisers, advertising networks and other third parties that they allow on their websites to determine whether third parties collect person information from users or allow others to do so.
  • Website operators are not monitoring their websites for unexpected third-party tracking technologies that are inadvertently introduced or piggy-back off of other third parties.
  • Website operators are having difficulty keeping up with rapidly changing ad technology to ensure COPPA compliance.

The second announcement, in April 2017, was for a $100,000 settlement with TRUSTe, an operator of a COPPA “safe harbor program” — a certification “designed to assess website operators’ compliance with COPPA.” In its investigation, the Attorney General’s office found that TRUSTe failed to adequately assess its customers’ websites for compliance with COPPA and failed to provide its customers with the relevant electronic scans that would have enabled the customers to identify violative tracking technologies.

What stands out when comparing the first two settlement announcements from the Attorney General’s office with the most recent announcement involving AOL is the difference in COPPA-violative behavior. The first two settlements resulted from what can be described as negligent behavior — a lack of awareness of activities occurring on a website or a lack of adequate assessment to understand activities occurring on a website. In the case of AOL, the violative conduct moved beyond negligence into knowingly violating COPPA. The importance of this distinction is underscored by the Attorney General’s office’s emphasis of precisely this term — “knowing” — in its press release announcing the AOL settlement.

A fair assessment after this latest settlement is that the New York Attorney General will impose a larger fine in circumstances where a company knows it is violating COPPA than for circumstances where the violation is mere negligence.

Recent FTC Enforcement Actions Show a Similar Tendency to Increase Fines for COPPA Violations that Move Beyond Negligence

Of course, enforcement is not reserved for state attorneys general; the FTC is also empowered to enforce COPPA and levy fines. The same tendency to increase the amount of a fine for conduct that goes beyond negligence is seen in recent FTC COPPA enforcement actions as well. It's worth noting, as well, that the first fine levied in Germany under the General Data Protection Regulation was significantly reduced because of the “exemplary cooperation” of the company and, though there was a determination that the company "knowingly violated" the GDPR, the company's immediate moves to remedy the situation, even before the regulator came knocking.

Stipulated orders involving Retro Dreamer and LAI Systems in 2015 resulted in fines of $300,000 and $60,000 respectfully. The alleged facts in both cases are like those in the first round of settlements under Operation Child Tracker: Developers utilized third-party ad networks to deliver advertisements to users of their mobile applications targeted at children. The app developers failed to provide notice that described the children’s information collected and failed to provide direct notice to parents of the information collected, how the information would be used, and the company’s disclosure practices. They also allegedly failed to obtain verifiable parental consent before collection or use of the information collected. The size of the fine for each company was calculated as $16,000 per violation.

Describing the same violations for slightly different practices, the FTC alleged that Prime Sites violated COPPA while doing business as Explore Talent, which offered professional acting services for children. Here too the alleged conduct was violative for failure to provide notice and obtain verifiable parental consent. Some of the collected information was publicly available in users’ profiles on the company’s website. In addition, Explore Talent allegedly misrepresented the benefits of upgrading to “pro membership” and stated in its privacy policy that it did not knowingly collect personal information from children under age 13, in violation of the FTC Act. Acting FTC Chairman Maureen K. Ohlhausen explained that, “Explore Talent collected the personal information of more than 100,000 children, but failed to adhere to the safeguards required by law.” Subsequently the FTC imposed a $500,000 civil penalty, in a February 2018 settlement, that was suspended when Prime Sites paid $235,000.

In the first enforcement action protecting children’s privacy and security involving connected toys, the FTC and VTech Electronics Ltd. agreed to a $650,000 settlement in January 2018 for alleged COPPA and FTC Act violations. Again, the COPPA violations were for failure to provide notice, failure to disclose, and failure to obtain verifiable parental consent. The FTC was particularly concerned about VTech’s alleged failure to implement “adequate safeguards and security measures to protect transmitted and stored information,” which is an FTC Act concern and seems to play a role in higher fines, as compared to pure COPPA violations, because similar reasoning was seen in the Prime Sites settlement.

An initial $4 million fine was imposed on InMobi in 2016 solely for alleged COPPA violations. InMobi owns and operates an ad network utilized by thousands of popular mobile applications. The FTC alleged that InMobi misrepresented that its advertising software did not track consumers’ location information unless they opted in to the functionality. In reality, the software tracked consumers’ locations whether or not a consumer opted in, and even when the consumer had denied the software permission to access the device’s location data. InMobi’s ad network operated on more than one billion devices worldwide: “InMobi tracked the locations of hundreds of millions of consumers, including children, without their consent, in many cases totally ignoring consumers’ express privacy preferences.” The FTC imposed a $4 million fine for InMobi’s COPPA violations, but suspended the larger amount to $950,000 due to the company’s poor financial situation.

Clearly, a hierarchy for the size of penalty can be seen in the FTC’s COPPA enforcement actions: Purposeful violations result in larger fines than violations of notice, disclosure, and consent requirements; and, FTC Act violations for failure to provide “adequate safeguards and security measures” may increase the fine imposed. InMobi’s initial $4 million fine was higher than any of the other discussed penalties imposed by the FTC, but the conduct was also more purposeful and egregious in the FTC’s eyes. Like the New York Attorney General’s office’s tendency to punish beyond-negligent conduct more than merely negligent conduct, it appears safe to assume that knowing or purposefully violative conduct will result in higher COPPA fines than negligent violations.

Photo credit: Onasill ~ Bill Badzo- - Returning Comments New York State Capitol ~ Albany New York ~ Million Dollar Staircase via photopin (license)