On December 4, 2018, the New York Attorney General (NYAG) announced that Oath Inc., which was known until June 2017 as AOL Inc. (AOL), has agreed to pay a $4.95 million civil penalty to settle allegations that AOL’s ad exchange practices violated the Children’s Online Privacy Protection Act (COPPA). The $4.95 million penalty is the largest ever assessed by any regulator in a COPPA enforcement matter.
The NYAG alleged that AOL used its display ad exchange to help advertisers track and serve targeted display ads to children on hundreds of websites that the company knew were directed to children under the age of 13. Ad exchanges enable websites to sell, and advertisers to buy, advertising space through an auction process that takes place in real time after a user visits a webpage that contains ad space. To facilitate its online auctions, AOL allegedly collected, used, and disclosed to advertisers the personal information from child-directed websites’ users without first obtaining verifiable parental consent as required by COPPA.
COPPA requires operators of websites and online services directed to children under 13 to obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children who use those websites or online services. COPPA also applies to operators of websites or online services—including operators of ad networks or exchanges—targeted at a general audience (i.e., of all ages) if such operator has actual knowledge that it is collecting personal information from children under 13.
In 2013, the Federal Trade Commission (FTC) updated COPPA’s definition of personal information to include persistent identifiers such as cookies and IP addresses, which are commonly collected and used for behavioral advertising purposes. In its COPPA FAQs and 2012 Statement of Basis and Purpose, the FTC expressly described two cases where it believes that an ad network will likely meet the actual knowledge standard: (1) where a child-directed content provider (i.e., an operator of a website or online service directed to children under 13) directly communicates the child-directed nature of its content to the ad network; or (2) where a representative of the ad network recognizes the child-directed nature of the content.
The NYAG alleged that AOL’s ad exchange for display ads was not capable of offering a COPPA-compliant auction because the ad exchange would necessarily collect and share with third party advertisers personal information about website users on websites that it knew to be directed at children under 13 and subject to COPPA. The NYAG claimed that actual knowledge existed because (1) several AOL clients provided the company with notice that their websites were subject to COPPA, and (2) the company itself conducted reviews of the content and privacy policies of client websites that revealed they were subject to COPPA. According to the NYAG, AOL had internal policies that prohibited the use of its display ad exchange to auction ad space on COPPA-covered websites but did not strictly adhere to those policies.
In addition to conducting its own auctions, the NYAG alleged that AOL participated in auctions hosted by other ad exchanges through which the company was notified of auctions for ad space on child-directed websites. The NYAG alleged that when AOL participated in and won such auctions, its systems would nonetheless collect and use personal information from those child-directed website users in violation of COPPA.
As part of its settlement with the NYAG, Oath has agreed to adopt substantial internal reforms aimed at protecting children’s privacy and complying with COPPA, including:
- Establishing and maintaining a comprehensive COPPA compliance program that includes a designated executive or officer to oversee the program, annual COPPA training for relevant personnel, risk assessment and implementation and regular monitoring of reasonable controls to address COPPA risks, and a process for selecting and retaining service providers that can comply with COPPA.
- Retaining an objective, third party professional to assess the COPPA controls that the company has implemented.
- Implementing and maintaining functionality that enables website operators that sell display space through AOL’s ad exchange to indicate each website or portion of a website that is subject to COPPA. AOL will track this information in a database and disclose to each bidder that relevant ad space is subject to COPPA.
- Destroying all personal information it has collected from children.