Under COPPA personal information includes, among other data, persistent identifiers that can be used to recognize a user over time and across different websites, such as cookie or device identifiers, IP addresses, and geolocation information. COPPA applies to websites and online services directed at children under 13 as well as those that are directed at a general audience if the operator of the site or service has actual knowledge it is collecting information from these children. COPPA also applies to advertising networks that collect personal information on third-party sites directed towards children under 13. The AG alleged that AOL knew the ad space auctions were for websites AOL knew were directed to children under 13. So when AOL collected persistent identifiers and geolocation information related to these children without getting prior parental consent and shared it with advertisers during OBA auctions, AOL violated COPPA and the AG stepped in.
In addition to the fine, under the terms of the settlement, Oath is required to take a number of steps. Specifically, it must: (i) destroy all personal information regarding children younger than 13; (ii) implement a functionality that enablers website operators that sell ad inventory through Oath systems to indicate each site or portion of a site that is subject to COPPA and maintain this information in a database and disclose to each third-party bidder that relevant ad space is subject to COPPA; (iii) create and implement a comprehensive COPPA compliance program that includes designating an executive or officer to oversee the program; (iv) conduct annual employee training; (v) design and implement controls to address identified risks and regularly monitor the effectiveness of the controls; and (vi) select and retain service providers that are COPPA compliant.
- The amount of the settlement, the largest ever under COPPA, demonstrates the continued interest among consumer protection authorities, including, significantly, those at the state level, in enforcing COPPA and protecting children from the exploitation of their personal information in the increasingly crowded advertising ecosystem.
- In addition to the fine, the terms of the settlement demonstrate that the costs of non-compliance can be more costly than conducting a COPPA assessment and implementing measures to avoid triggering COPPA.
Operators of websites and online services should be aware that COPPA that empowers state Attorneys General to initiate COPPA actions. With the FTC’s increased focus on competition, state attorneys general may prioritize COPPA enforcement. Since 2007 AGs in California, New York, and Texas have brought COPPA actions on behalf of their citizens.
To learn more about how Goodwin can help your company address privacy and cybersecurity, contact Brenda R. Sharton, Chair of the Privacy & Cybersecurity practice.
Goodwin’s Privacy & Cybersecurity practice is one of the longest-standing privacy practices of any global 50 firm and has been ranked among leading law firms for privacy and cybersecurity, including by Legal 500 and Chambers. It fully integrates and leverages the firm's core strengths, with the group's lawyers coming from the technology, financial industry, licensing, litigation and regulatory practices. The team has handled hundreds of data breach investigations, litigated landmark privacy cases, and defended clients in investigations and enforcement actions brought by state attorneys general and federal data protection regulators. Goodwin provides clients practical advice on all aspects of information-related management, including the establishment of comprehensive privacy programs, audits, transactional due diligence and compliance with domestic and international privacy laws.