New York Attorney General Barbara D. Underwood announced via a press release on Tuesday that Verizon-owned Oath, which in turn owns AOL and Yahoo, agreed to pay a settlement of $4.95 million for violating a federal children’s privacy law.
An investigation into AOL’s ad space practices between October 2015 and February 2017 uncovered that AOL had conducted at least 1.3 billion auctions for ad spaces targeted at children under the age of 13.
The Children’s Online Privacy Protection Act, or COPPA, was enacted in the United States Congress in 1998 as a way to protect the online privacy of children under the age of 13. The law expressly forbids online tracking and targeting of children for advertising purposes. Websites are prohibited from collecting the personal information of children under 13 without direct parental consent. In 2013, the law was amended to include cookies and IP addresses as “personal information” due to websites’ ability to track visitors via such data.
The AG’s investigation determined that AOL was in direct violation of the law because it had knowingly auctioned off ad space to advertisers on hundreds of different websites aimed at children under the age of 13. The press release explains, “Through these auctions, AOL collected, used, and disclosed personal information from the websites’ users in violation of COPPA, enabling advertisers to track and serve targeted ads to young children.” As a result of the violation, the company must now pay a record-setting penalty of $4.95 million, the largest penalty for a COPPA violation to date.
Websites often serve targeted ads to visitors through what is known as an ad exchange. This essentially works as an auction whereby advertisers bid on ad space on a particular website. The ad exchanges use tracking cookies embedded in the visitor’s browser that can contain valuable personal information such as browsing history, personal interests, and demographic information. The exchanges then pass on this information to advertisers, who are then able to place bids on ads targeted directly at the website visitor based on the data contained in the tracking cookie. The auction is automated and takes place in a fraction of a second, thereby allowing the advertisements to be displayed to the website visitor in real-time.
Websites that are directed explicitly at children are covered under COPPA, and this type of tracking and ad targeting is not permitted on such websites as per the law. AOL, however, repeatedly and continually engaged in these practices in direct violation of COPPA. The Attorney General's press release explains, “AOL operates several ad exchanges, including an exchange for image-based ads, referred to as “display” ads. Until recently, AOL’s ad exchange for display ads was not capable of conducting a COPPA-compliant auction that involved third-party bidders because AOL’s systems would necessarily collect information from users and disclose that information to the third-parties. AOL policies, therefore, prohibited the use of its display ad exchange to auction ad space on COPPA-covered websites to third-parties.” The press release goes on to state that, “Despite these policies, AOL nevertheless used its display ad exchange to conduct billions of auctions for ad space on websites that it knew to be directed to children under the age of 13 and subject to COPPA.”
In another violation of the law, AOL was also found to be placing bids for ad space via other ad exchanges and ignoring their responsibility to comply with COPPA while bidding on ads displayed on websites targeted at children. “When one of these exchanges conducts an auction for ad space on a child-directed website, the exchange passes information to bidders indicating that it is subject to COPPA. Bidders that receive this information are expected to comply with COPPA as well. Prior to November 2017, AOL’s systems ignored any information that it received from an ad exchange indicating that the ad space was subject to COPPA. Thus, whenever AOL participated in and won an auction for COPPA-covered ad space, its systems behaved as they normally did.”
This means that AOL completely and knowingly ignored the notices that they were obligated to comply with the law on certain websites on which they placed bids. AOL was in violation of the law because whenever it won a bid on a COPPA-protected website, it was still using the children’s data as if the visitor were an adult visiting the website.
On top of all that, investigators discovered that an AOL account manager in New York knowingly violated COPPA in an attempt to increase advertising revenues. The account manager allegedly set up a client’s account intentionally in a way that would violate the law in a misguided effort to help the company. Furthermore, the account manager also knowingly misinformed the client that the ad exchange that AOL was running was in compliance with COPPA when in fact it was not.
All of this adds up to a hefty fine for the company, as well as the implementation of other corrective measures to ensure future compliance with the law. For instance, prt of the settlement requires AOL to “establish and maintain a comprehensive COPPA compliance program that includes: the designation of an executive or officer to oversee the program; annual COPPA training for relevant AOL personnel; the identification of risks that could result in AOL’s violation of COPPA; the design and implementation of reasonable controls to address the identified risks, as well as regular monitoring of the effectiveness of those controls; and development and use of reasonable steps to select and retain service providers that can comply with COPPA. The agreement also requires that AOL retain an objective, third-party professional to assess the privacy controls that the company has implemented.”
AOL has also agreed to develop the functionality that allows website operators to clearly specify COPPA-protected websites and web pages through its ad exchange. Additionally, AOL will go through the process of permanently deleting any children’s data it has in its possession as long as the retention of that data is not required by law.
In the end, what this investigation uncovered is a sobering reminder that children can easily be illegally targeted and tracked online. Protecting the online privacy of children is of paramount importance, and one of the best ways to do so is by using a virtual private network (VPN) whenever using the internet.
A top VPN can be used to fully encrypt any and all of a user’s online communications in a way that makes it impossible for this type of tracking and targeting to take place. A VPN can be easily installed and used on any device individually or can be set up on a VPN router that will protect all devices connected through the router automatically without having to configure the software on each device. A VPN makes secure and private online browsing easy and is a great way for parents to ensure their children’s privacy online.
When all is said and done, the fact remains that the invasion of children’s privacy in the name of profit is unquestionably low, and something that deserves to be punished heavily. Perhaps this settlement will drive home the message that companies have a moral and legal obligation to protect the privacy of children, and that obligation takes precedence over any other business interest.