In what is believed to be the largest Children’s Online Privacy Protection Act (COPPA) settlement to date, Verizon will pay $4.95 million to the New York Attorney General’s Office based on violations allegedly committed by AOL.
According to AG Barbara Underwood, AOL ran afoul of COPPA by collecting, using and disclosing children’s personal information when it conducted online auctions for advertising placements. Pursuant to COPPA—which applies to the operators of websites and online services directed to children under the age of 13—the definition of “personal information” includes persistent identifiers that can be used to recognize a user over time and across websites.
According to the AG, AOL conducted “billions” of auctions for ad space on websites that it knew were directed to children under the age of 13 and subject to COPPA, by using a noncompliant exchange system that automatically collected persistent identifiers from users and disclosed the information to third parties.
The attorney general said AOL was well aware that COPPA applied. An internal review revealed that certain websites were directed to children and that multiple clients put AOL on notice that their websites were subject to COPPA, the AG alleged. One AOL client reported that even when it informed AOL its site was subject to the requirements of the statute, an AOL account manager “intentionally configured” the account in a way that violated COPPA in order to increase ad revenue.
To settle the charges, AOL—which was purchased by Verizon in June 2017 and had its name changed to Oath—will pay the almost $5 million fine, and institute a COPPA compliance program through which it will designate an executive or officer to oversee the program, conduct annual COPPA training for relevant personnel, schedule audits by outside professionals and destroy any retained personal information collected from children.
“COPPA is meant to protect young children from being tracked and targeted by advertisers online,” AG Barbara Underwood said in a statement. “AOL flagrantly violated the law—and children’s privacy—and will now pay the largest ever penalty under COPPA.”
Why it matters: The deal—and the record-setting fine—provides an important reminder that COPPA oversight comes not just from the Federal Trade Commission (FTC), but state regulators as well. The New York Attorney General’s Office has been particularly vigilant about COPPA enforcement, by conducting an ongoing investigation dubbed “Operation Child Tracker.” In its first case, four companies paid a total of $835,000 and adopted reforms on dozens of popular children’s websites that the AG found contained third-party tracking technology in violation of the statute. A second case involved a $100,000 fine for TRUSTe after the AG determined that the FTC-approved safe harbor program had failed to adequately evaluate whether sites operated by its TRUSTe customers were in compliance with COPPA.