In December 2018, the office of the New York Attorney-General issued the largest ever US penalty for the violation of the Children’s Online Privacy Protection Act (COPPA), to Oath Inc, the Verizon-owned company formerly known as AOL. In addition to the penalty amount of 4.95 Million USD, Oath Inc, agreed to adopt extensive COPPA compliant measures as well as destroy all improperly collected personal data belonging to children.

The Children’s Online Privacy Protection Act (COPPA) was introduced in 2000 with a subsequent amendment taking effect in July 2013.

COPPA Violations by Oath

According to the New York Attorney General, between October 2015 and February 2017, Oath committed several egregious violations of the COPPA related to its display ad exchanges which collected and processed the personal information of children under the age of 13 without the prior verifiable consent of their parents, in violation of COPPA provisions.

Display ad exchanges function as virtual real time auctions where the web browser information of a web page user is transmitted to several entities in order to obtain advertising bids. Oath, as the operator of the exchange would assess the bids and select a winner, permitting them to deliver their ads to the web page user.

COPPA prohibits the collection, use, disclosure or transfer of personal information of children under the age of 13, without parental consent.  The term “personal information” includes cookies, geolocation data, and other persistent identifiers (browser data, IP address) that can be used to recognize a user over time and across websites.  The COPPA parental consent requirements apply not only to operators of websites and online services directed to children under 13 but also to operators of websites or online services—including operators of ad networks or exchanges which while targeted at a general audience, have “actual knowledge” that it is collecting personal information from children under 13.

The NY AG determined that Oath had actual knowledge that the ads were targeted to children as it had received notice from several of its customers informing them that their websites were subject to COPPA.  Oath had also identified other COPPA covered websites through its internal review of their content and privacy policies.

Despite knowledge of its obligations under COPPA and its own company policy which prohibited the use of its display ad exchange to auction ad space on COPPA covered websites to third parties, Oath continued to conduct billions of ad space auctions, fully aware that it was unable to prevent the collected personal information, including that belonging to children under 13, from being transmitted to third parties.

Oath further violated the COPPA in its use of other ad exchanges to bid for ad space for its clients. The company willfully ignored child-directed website notices sent by the exchanges, failing to implement COPPA requirements upon winning the advertising bids.

COPPA and the GDPR

The Children’s Online Privacy Protection Act which is managed by the Federal Trade Commission (FTC) was amended in 2013, substantially broadening the definition of “personal information” to include not only the basic information such as first and last name; contact information such as telephone number, home or other physical address (including street name and name of a city or town), social security number but also:

  • A photograph, video, or audio file, where such file contains a child’s image or voice;
  • Online contact information;
  • A screen or user name that functions as online contact information;
  • A persistent identifier that can be used to recognize a user over time and across different websites or online services;
  • Geolocation information sufficient to identify street name and name of a city or town; or
  • Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.

One major difference between COPPA and the GDPR is found in their scope. COPPA is concerned singularly with the protection of the personal information of children and not with the personal data of all individuals in general as seen in the GDPR.

COPPA also provides a precise age requirement for consent, stating that it applies to children under the age of 13.  In contrast, the GDPR does not prescribe an EU wide age for consent, instead in Article 8 GDPR, requiring parental consent for the processing of personal data of persons under the age of 16, while permitting member states to mandate a lower consent age, provided that it is not lower than 13.

Noteworthy is that COPPA only applies to personal information collected online from the children themselves (including personal information about themselves, their parents, friends, or other persons) unlike the GDPR which also applies to personal data about an individual collected by indirect means.

However, like the GDPR, COPPA has extra-territorial effect, also applying to foreign websites or services where those services “are directed to children in the US or knowingly collect information from children in the US”.

Other similarities include the requirement for the implementation of reasonable security measures to protect the personal information, provision of clear and understandable information to the data subject on the intended uses of the data as well as reasonable data retention and deletion routines.

Conclusion

Operators of website and apps targeted at children or young teenagers or even those who may be aware that children use their services are advised to be cognizant of the applicable regulations – depending on the relevant jurisdictions where their services are offered.

The growing market for child or child – adjacent websites, apps and other social media platforms is expanding exponentially, with traditionally adult focused apps such as Snapchat, Instagram and You-tube now being used by younger individuals.

As the EU and the US still differ with regards to the age for the requirement of parental consent, it remains to be seen whether EU member states will adopt the more stringent US standards and how this affects websites and app operators.

Further information regarding COPPA and GDPR compliance, parental consent and access will be covered in subsequent installations of this CHILD PRIVACY series.