News from the New York Attorney General's Office
FOR IMMEDIATE RELEASE Attorney General's Office Press Office / 212-416-8060
December 4, 2018
A.G. UNDERWOOD ANNOUNCES RECORD COPPA SETTLEMENT WITH OATH – FORMERLY AOL – FOR VIOLATING CHILDREN’S PRIVACY
Company Conducted Billions of Auctions for Targeted Ads on Hundreds of Children’s Websites in Violation of COPPA
Company Agrees To Pay $4.95 Million – the Largest Penalty Ever in a COPPA Enforcement Matter in U.S. History – and Adopt Comprehensive Reforms to Protect Children from Improper Tracking
NEW YORK – Attorney General Barbara D. Underwood today announced a record settlement with Oath, Inc., formerly known as AOL, for violating the Children’s Online Privacy Protection Act (COPPA), marking the largest-ever penalty in a COPPA enforcement matter in U.S. history.
The Attorney General’s Office found that AOL conducted billions of auctions for ad space on hundreds of websites the company knew were directed to children under the age of 13. Through these auctions, AOL collected, used, and disclosed personal information from the websites’ users in violation of COPPA, enabling advertisers to track and serve targeted ads to young children. The company has agreed to adopt comprehensive reforms to protect children from improper tracking and pay a record $4.95 million in penalties, the largest penalty ever in a COPPA enforcement matter in U.S. history.
Oath Inc. is a wholly-owned subsidiary of Verizon Communications Inc. Until June 2017, Oath was known as AOL Inc. (“AOL”).
“COPPA is meant to protect young children from being tracked and targeted by advertisers online. AOL flagrantly violated the law – and children’s privacy – and will now pay the largest-ever penalty under COPPA,” said Attorney General Barbara Underwood. “My office remains committed to protecting children online and will continue to hold accountable those who violate the law.”
The Children’s Online Privacy Protection Act
In 1998, Congress enacted COPPA to protect the safety and privacy of young children online. COPPA prohibits operators of certain websites from collecting, using, or disclosing personal information (e.g., first and last name, e-mail address) of children under the age of 13 without first obtaining parental consent. Operators of websites and online services directed to children under the age of 13, and the operators of websites and online services that have actual knowledge that they are collecting personal information from a child under the age of 13, are subject to COPPA.
In July 2013, the definition of “personal information” was revised to include persistent identifiers that can be used to recognize a user over time and across websites, such as the ID found in a web browser cookie or an Internet Protocol (“IP”) address. The revision effectively prohibits covered operators from using cookies, IP addresses, and other persistent identifiers to track users across websites for most advertising purposes, amassing profiles on individual users, and serving online behavioral advertisements on COPPA-covered websites.
How Targeted Advertising Works
Most online shoppers have encountered advertisements for a product that seems to follow them from website to website. These advertisements are known as online behavioral advertisements or OBA, a form of targeted advertising that selects an advertisement to serve to an individual based on previously collected information about that individual, such as the individual’s Internet browsing history, demographic information, or personal interests.
OBA ads are often placed through online marketplaces known as ad exchanges. An ad exchange enables websites to sell, and advertisers to buy, advertising space through an auction process. Auctions take place in real-time, after a user opens a webpage that contains ad space.
When a user opens a webpage on a site that works with an ad exchange, the exchange retrieves a small text file stored on the user’s computer known as a web browser cookie. The exchange typically transmits information from that cookie to entities that may be interested in purchasing ad space on behalf of advertisers. These entities use the information the exchange provides to help determine whether to place a bid for the ad space on behalf of an advertiser. The exchange collects bids, selects a winner, and then permits the winning bidder to serve an advertisement, usually an OBA ad, to the user. The entire auction process takes place in a fraction of a second.
AOL’s Display Ad Exchange Conducted Billions of Auctions in Violation of COPPA
AOL operates several ad exchanges, including an exchange for image-based ads, referred to as “display” ads. Until recently, AOL’s ad exchange for display ads was not capable of conducting a COPPA-compliant auction that involved third-party bidders because AOL’s systems would necessarily collect information from users and disclose that information to the third-parties. AOL policies therefore prohibited the use of its display ad exchange to auction ad space on COPPA-covered websites to third-parties.
Despite these policies, AOL nevertheless used its display ad exchange to conduct billions of auctions for ad space on websites that it knew to be directed to children under the age of 13 and subject to COPPA.
AOL obtained this knowledge in two ways. First, several AOL clients provided notice to AOL that their websites were subject to COPPA. These clients identified more than a dozen COPPA-covered websites to AOL. AOL conducted at least 1.3 billion auctions of display ad space from these websites.
Second, AOL itself determined that certain websites were directed to children under the age of 13 when it conducted a review of the content and privacy policies of client websites. Through these reviews, AOL identified hundreds of additional websites that were subject to COPPA. AOL conducted at least 750 million auctions of display ad space from these websites.
AOL Placed Ads Through Other Exchanges in Violation of COPPA
AOL also operates a business that bids on ad space in auctions conducted by other ad exchanges. Several of the exchanges that AOL has worked with have the capability to auction ad space on child-directed websites in a COPPA-compliant manner. When one of these exchanges conducts an auction for ad space on a child-directed website, the exchange passes information to bidders indicating that it is subject to COPPA. Bidders that receive this information are expected to comply with COPPA as well.
Prior to November 2017, AOL’s systems ignored any information that it received from an ad exchange indicating that the ad space was subject to COPPA. Thus, whenever AOL participated in and won an auction for COPPA-covered ad space, its systems behaved as they normally did. In these cases, the company typically used user information supplied by the exchange and information the company could collect directly from the user to select and serve a targeted advertisement to the user. AOL’s collection and use of this information from users on COPPA-covered websites violated COPPA.
An AOL Account Manager Knowingly Violated COPPA to Increase Revenue
As described above, AOL permitted clients to use its display ad exchange to sell ad space on COPPA-covered sites, even though the exchange was not capable of conducting a COPPA-compliant auction that involved third-party bidders. AOL documents show that an AOL account manager based in New York intentionally configured at least one of these clients’ accounts in a manner that she knew would violate COPPA in order to increase advertising revenue. In addition, AOL documents show that the NY account manager repeatedly represented to at least this client that AOL’s display ad exchange could be used to sell ad space to third-parties in a COPPA-compliant manner. As a result of these misstatements, the client used AOL’s display ad exchange to place more than a billion advertisements on COPPA-covered inventory.
Company Must Adopt Comprehensive Reforms to Protect Kids’ Privacy
AOL has agreed to adopt comprehensive reforms to its policies and procedures to protect children’s privacy. The agreement requires that AOL establish and maintain a comprehensive COPPA compliance program that includes: the designation of an executive or officer to oversee the program; annual COPPA training for relevant AOL personnel; the identification of risks that could result in AOL’s violation of COPPA; the design and implementation of reasonable controls to address the identified risks, as well as regular monitoring of the effectiveness of those controls; and development and use of reasonable steps to select and retain service providers that can comply with COPPA. The agreement also requires that AOL retain an objective, third-party professional to assess the privacy controls that the company has implemented.
In addition, AOL has agreed to implement and maintain functionality that enables website operators that sell ad inventory through AOL systems to indicate each website or portion of a website that is subject to COPPA. AOL will maintain this information in a database or similar system, and disclose to each third-party bidder that relevant ad space is subject to COPPA.
Finally, AOL has also agreed to destroy all personal information collected from children that is in its possession, custody, or control, unless such personal information is required to be maintained by law, regulation, or court order.
Operation Child Tracker
Today’s announcement builds on the Attorney General’s office’s prior work protecting children’s privacy through Operation Child Tracker, an ongoing investigation into illegal tracking of children’s online activity by marketers, advertising companies, and others in violation of COPPA. In September 2016, the Attorney General’s office announced settlements with four companies that had violated COPPA by allowing illegal third-party tracking technologies on some of the nation’s most popular kids’ websites, including websites for Barbie, Nick Jr., My Little Pony, American Girl, Hot Wheels, and dozens of others. Those companies agreed to pay penalties totaling $835,000 and to adopt comprehensive reforms to protect children from improper tracking and the collection of children’s personal information in the future. Then in April 2017, the Attorney General’s office announced a settlement with the operator of a COPPA safe harbor program for flawed privacy assessments that left children visiting popular children’s websites vulnerable to illegal tracking. As part of that settlement, the company paid a penalty of $100,000 and agreed to adopt new measures to strengthen its privacy assessments.
This case was handled by Bureau of Internet and Technology Assistant Attorney General Jordan Adler and Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.