Data Security Law Blog

New York AG Intervenes Again to Protect Children’s Online Privacy

   

Protecting children’s online privacy remains a point of focus for the New York Attorney General.  That’s the upshot of the recent record-setting settlement with Oath Inc. – formerly AOL, Inc. – for violating the Children’s Online Privacy Protection Rule (COPPA).

The settlement with the New York Attorney General is the largest in the U.S. for a COPPA violation. And, it is also the Attorney General’s sixth COPPA-related settlement since 2016.

COPPA is a federal law enacted in 1998 to protect the safety and privacy of young children online. Under the law, operators of websites and other online services are prohibited from collecting, using, or disclosing the personal information of children under the age of 13, unless notice is provided together with express parental consent. Personal information includes not only names and physical addresses but also online identifiers, such as web browser cookie IDs and IP addresses. 

According to the Attorney General, Oath ran afoul of COPPA in multiple respects – all involving the use and disclosure of children’s personal information. Oath operated an online ad exchange, which matched websites selling ad space with potential advertisers, that collected and disclosed personal information in violation of COPPA. Also in violation of COPPA, the AG charged, Oath used the personal information of website users to serve advertisements targeted at children across the web. 

As part of its settlement, Oath agreed to pay a $4.95 million penalty and to establish and maintain a comprehensive COPPA compliance program. The program will require:

  • Designation of an executive or officer to oversee the program;
  • Annual COPPA training for relevant Oath personnel;
  • Identification of risks that could result in Oath’s violation of COPPA;
  • Design and implementation of reasonable controls to address identified risks;
  • Regular monitoring of the effectiveness of controls;
  • Development and use of reasonable steps to select and retain service providers that can comply with COPPA; and
  • Retention of an objective, third-party professional to assess the privacy controls that Oath has implemented.

Oath’s settlement is consistent with the Attorney General’s 2016 and 2017 COPPA-related settlements with Viacom, Inc., Mattel, Inc., JumpStart Games, Inc., Hasbro Inc. and True Ultimate Standards Everywhere, Inc. Like the Oath agreement, those settlements required the settling parties to implement reforms with respect to their policies and procedures, in addition to paying penalties. 

This settlement should come as no surprise, nor should future enforcement actions directed at COPPA violations. As New York Attorney General Barbara Underwood warned, the Office of the Attorney General “remains committed to protecting children online and will continue to hold accountable those who violate the law.”