This week, the New York State Attorney General announced a $4.95 million settlement with Oath Inc., the result of an investigation into violations of the Children’s Online Privacy Protection Act (“COPPA”).
The NYAG found that Oath’s ad exchanges transferred persistent identifiers and geolocation from website users to DSP bidders in its automated auction process. While that may be fine for websites directed to grown-up audiences, COPPA includes persistent identifiers and geolocation in its definition of “personal information.” And under the law, companies must obtain verifiable parental consent before collecting or using children’s personal information.
But instead of seeking verifiable parental consent, Oath treated all websites (and therefore all user information) the same, despite knowledge that some website inventory on its exchange was directed to children under 13 and subject to COPPA. And instead of using available technology to avoid the use of children’s information altogether, Oath’s ad exchanges allowed advertisers to collect information on children and display ads on sites targeting children. The “flagrant” violations of the law led to the largest-ever penalty under COPPA, and the settlement agreement provides some remarkable takeaways:
The Cop on the Beat
This is the largest COPPA fine to date, but it didn’t come from the FTC. Instead, it is the NYAG making history. This is the third major COPPA enforcement action in as many years from the NYAG, which announced “Operation Child Tracker” in 2016 and a settlement with TRUSTe in 2017. Although COPPA deputizes both the FTC and state attorneys general to enforce COPPA, few state attorneys general have assumed the mantle. With this record settlement, the NYAG solidifies its role as COPPA’s chief enforcer.
The enforcement is also very notable because it comes against an ad exchange. As a general matter, responsibility for ensuring compliance with COPPA falls to the website or mobile app publisher, not the ad exchanges. After all, who would know the site’s audience best? The FTC acknowledged as much in its 2012 Statement of Basis and Purpose: “The Commission also noted that the primary content provider is in the best position to know that its site or service is directed to children, and is appropriately positioned to give notice and obtain consent.” Almost all COPPA enforcement has therefore focused on the publisher.
But here, the NYAG targets the ad exchange. Perhaps just as important, the NYAG does not appear to have gone after the publishers who deployed Oath trackers on their pages, even though under COPPA those publishers are strictly liable for any improper collection that occurs through their sites. The Assurance of Discontinuance gives a few clues as to why in its outline of the investigation’s findings.
Under COPPA, an ad exchange is liable only if it acquires actual knowledge that its ads are collecting personal information (i.e., persistent identifiers or geolocation) from children under 13. 16 CFR § 312.2 (“A Web site or online service shall be deemed directed to children when it has actual knowledge that it is collecting personal information directly from users of another Web site or online service directed to children.”). This rule recognizes that many ad networks operate on millions of websites, making it impossible for them to know the content of those sites – unless, that is, they are notified in some way that the site services children and is therefore subject to COPPA. Here, the NYAG found that Oath not only acquired, but deliberately ignored, three different types of notice:
- Client Disclosures
At least three different clients provided Oath (then AOL) with notice that their websites were subject to COPPA, and specifically identified more than a dozen sites as child-directed. And yet, Oath authorized sale of ad inventory for those sites through its display ad exchange, which was not (until recently) capable of conducting a COPPA-compliant auction. Oath conducted over a billion auctions of display ad space from those websites from 2015-2017, in a scenario lifted directly from the COPPA FAQs (#10).
This provides an important lesson for publishers: give notice to ad exchanges! The FTC’s 2012 Statement of Basis and Purpose noted that “in applying its prosecutorial discretion,” the FTC “will consider the level of due diligence a primary-content site exercises.” The fact that these publishers conducted due diligence and gave notice to the ad networks with whom they were working may very well have exculpated them from a COPPA enforcement action.
- Internal Review
In 2016, Oath’s video ad exchange introduced functionality to make the product COPPA-compliant. Employees began to manually review content and privacy policies of websites whose inventory had recently run on the video ad exchange, making a determination on whether the site was directed to children and should be running through the new COPPA-compliant tool. But Oath never used the tool until contacted by the NYAG in 2017; it ran at least 750 million auctions on sites it had determined to be subject to COPPA, without using its own COPPA-compliant tool.
Similarly, on the display ad exchange, Oath employees were instructed to configure the exchange to sell inventory on sites subject to COPPA using a system capable of placing contextual advertising instead of targeted ads. But employees often failed to check the list of sites subject to COPPA, or configured the system incorrectly, allowing tens of thousands of auctions to occur through the regular (not COPPA-compliant) display ad exchange.
These findings by the NYAG are somewhat troublesome because it appears that Oath is being penalized for conducting its own due diligence of its client base. But the lesson is clear: If you acquire knowledge that you are serving children and subject to COPPA, be prepared to take action to comply.
- COPPA Flags
Oath also operates a demand side platform (DSPs are the bidders on an ad exchange, usually bidding on site ad inventory on behalf of advertisers). Some exchanges have COPPA-compliant auctions, alerting DSPs with a “COPPA flag” – a bit of metadata indicating that a site is deemed to be child-directed and its inventory subject to COPPA. Passing a COPPA flag directs the DSP that no online behavioral advertising (OBA) should occur through that site. But the NYAG found in its investigation that Oath’s DSP ignored those signals passed from other ad exchanges.
With this settlement, the NYAG is penalizing Oath for ignoring the COPPA flags. This is somewhat analogous to the “Do Not Track” flags that some browsers tried to implement several years ago, but most websites ended up ignoring. COPPA flags have been treated similarly by many ad networks, with some honoring them, and others ignoring them. Since at least 2015, the NYAG has been promoting the widespread adoption and standardization of COPPA flags as a technical means to push liability up the chain away from publishers to ad networks. This massive penalty sends a very strong signal to the ad industry that you need to have systems in place to read and honor COPPA flags, or suffer the consequences.
- The Penalty
Statement of Basis and Purpose, 78 Fed. Reg. at 3977.