The Bottom Line
- The AOL settlement – which requires AOL to pay the largest COPPA penalty ever to date — is the most recent instance in which the New York Attorney General’s Office has sought to enforce COPPA. While most ad tech industry members have long known that behavioral advertising cannot be targeted to children under 13, problems obviously still exist.
- In announcing the settlement, New York Attorney General Barbara Underwood said her office “remains committed to protecting children online and will continue to hold accountable those who violate the law.” Her statement should serve as a forceful reminder of the need for operators, advertisers and ad networks to comply with COPPA or risk becoming the subject of an expensive enforcement action.
Oath, Inc. (Oath), formerly known as AOL Inc., agreed to pay $4.95 million to settle allegations brought by the New York State Attorney General’s Office that AOL violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children to serve them targeted advertisements.
Notably, this is the largest penalty ever imposed in a COPPA enforcement action. However, the violation is based upon activity that is generally understood in the ad tech industry to be impermissible.
Background on COPPA
COPPA prohibits operators of online services directed to children under the age of 13 and the operators of online services that have actual knowledge that they are collecting personal information from a child under the age of 13 from collecting, using, or disclosing personal information of children under the age of 13 without first obtaining parental consent.
In July 2013, the FTC revised the definition of “personal information” to include persistent identifiers that can be used to recognize a user over time and across websites. The revision effectively prohibits covered operators from using tracking cookies and other persistent identifiers to track children across websites for most advertising purposes and to serve online behaviorally targeted advertisements on COPPA-covered websites.
Both the Self-Regulatory Principles for Online Behavioral Advertising set forth by the Digital Advertising Alliance and the NAI Code of Conduct set forth by the Network Advertising Initiative have long prohibited behavioral advertising to children under 13 in violation of COPPA.
Allegations Relating to AOL’s Ad Exchange
The New York Attorney General’s Office asserted that AOL, the operator of several ad exchanges for display ads, conducted billions of auctions for ad space on hundreds of websites the company knew were directed to children under the age of 13. Through these auctions, AOL allegedly collected, used, and disclosed personal information from users in violation of COPPA, enabling advertisers to track and serve targeted ads to young children.
According to the Attorney General, AOL operated several ad exchanges which, until recently, were not capable of conducting COPPA-compliant third-party bidding auctions because AOL’s systems collected personal information from users and disclosed that information to third parties. AOL’s policies actually prohibited the use of its display ad exchange to auction ad space on COPPA-covered websites to third-parties.
Despite these policies, however, the Attorney General claimed that AOL “flagrantly violated the law” because it used its display ad exchange to conduct billions of auctions for ad space on websites that it knew to be directed to children under the age of 13 and subject to COPPA. AOL allegedly obtained this knowledge because:
- several AOL clients provided AOL with notice that their websites were subject to COPPA (and AOL conducted at least 1.3 billion auctions of display ad space from these websites); and
- AOL itself determined that certain websites were directed to children under the age of 13 when it conducted a review of the content and privacy policies of client websites (AOL conducted at least 750 million auctions of display ad space from these websites).
Allegations Relating to AOL’s Placed Ads Through Other Exchanges
AOL also operated a business that bid on ad space in auctions conducted by other ad exchanges. According to the Attorney General, several of the exchanges that AOL worked with had the ability to auction ad space on child-directed websites in a COPPA-compliant manner. When one of these exchanges conducted an auction for ad space on a child-directed website, the exchange passed information to bidders indicating that it was subject to COPPA. Bidders that received this information were expected to comply with COPPA as well.
However, the Attorney General claimed that prior to November 2017, AOL’s systems ignored any information that it received from an ad exchange indicating that the ad space was subject to COPPA. Thus, whenever AOL won an auction for COPPA-covered ad space, its systems behaved as they normally did by collecting personal information directly from the user to serve a targeted advertisement to the user in violation of COPPA.
Allegations Relating to AOL’s Account Manager
The Attorney General contended that an AOL account manager based in New York intentionally configured at least one client’s accounts in a manner that she knew would violate COPPA in order to increase advertising revenue. In addition, the Attorney General claimed that AOL’s documents showed that the New York account manager repeatedly represented to at least this client that AOL’s display ad exchange could be used to sell ad space to third-parties in a COPPA compliant manner, which was not the case at that time. As a result of these misstatements, the client allegedly utilized AOL’s display ad exchange to place more than a billion advertisements on COPPA-covered inventory.
In settling with the Attorney General, Oath agreed to pay a record $4.95 million in penalties and adopt comprehensive reforms intended to protect children from improper tracking.
In particular, the company agreed to establish and maintain a COPPA compliance program including:
- The designation of an executive or officer to oversee the program;
- Annual COPPA training for relevant personnel;
- The identification of risks that could result in its violation of COPPA;
- The design and implementation of reasonable controls to address the identified risks, as well as regular monitoring of the effectiveness of those controls; and
- The development and use of reasonable steps to select and retain service providers that can comply with COPPA.
The settlement also requires that the company:
- Retain an objective, third-party professional to assess the privacy controls that it implements.
- Implement and maintain functionality that enables website operators that sell ad inventory through its systems to indicate each website or portion of a website subject to COPPA. The company must maintain this information in a database or similar system, and must disclose to each third-party bidder that relevant ad space is subject to COPPA.
- Destroy all personal information collected from children in its possession, custody, or control, unless such personal information is required to be maintained by law, regulation, or court order.