Alert September 13, 2019

FTC Imposes Record Fine on YouTube for Children’s Privacy Violation

The FTC recently announced a record $170 million settlement with Google and its subsidiary YouTube to resolve allegations that YouTube illegally collected personal information from children without parental consent, in violation of the Children’s Online Privacy Protection Act (“COPPA”), a 20-year-old law that regulates the collection of personal information from children under 13 on the internet. Of the settlement amount, Google and YouTube are required to pay $136 million to the FTC and $34 million to the state of New York.

COPPA, by its terms, applies to websites and online services directed to children under 13, as well as to operators of general-audience websites or online services with “actual knowledge” that they are collecting personal information from children under 13. The FTC’s Complaint alleges that YouTube had actual knowledge that it collected persistent unique identifiers from children, specifically from viewers of channels and content directed to children under the age of 13, for use in behavioral advertising, and did not obtain parental consent before doing so. The FTC cited YouTube’s express “touting” of its popularity with children to potential business clients as evidence that it knew it was collecting personal information from children. For example, the FTC alleged that some corporate clients specifically informed YouTube that their content would be directed to children under the age of 13. YouTube also made numerous presentations to kids’ brands highlighting child-directed content, according to the Complaint. In addition to the monetary penalty, the settlement requires Google and YouTube to implement a system for channel owners to designate content as directed to children, to provide annual COPPA training, and to make reasonable efforts to ensure parents receive direct notice of YouTube’s practices regarding collection of personal information from children.

The Google/YouTube settlement signals a shift toward a more aggressive posture on what type of awareness is necessary to meet the “actual knowledge” threshold. Consistent with past scrutiny of the “look and feel” of a site or service and the corresponding likelihood of attracting children, the FTC found actual knowledge as to YouTube based on its actual data collection and its promotional and marketing activities. As indicated in past guidance, general statements that services are not directed to children may not suffice. The landmark Google/YouTube settlement clearly puts operators on notice that their marketing practices, and those of their business partners, will be closely scrutinized.

It is now clearer than ever that children’s online privacy is an area that online businesses cannot afford to overlook; in addition to the Google/YouTube settlement, legislation has been proposed to lower COPPA’s “actual knowledge” standard to a “constructive knowledge” standard and to ban targeted advertising directed to children, among other things. The settlement and ongoing focus on COPPA mean any online business that collects personal information should take a close look at whether all or parts of its service could be seen as being directed to children, and what knowledge it may already have about the types of data it collects.

Goodwin’s Privacy & Cybersecurity team includes David S. Kantrowitz, Counsel, Privacy & Cybersecurity practice (Boston).
