No More Child's Play: The Regulatory Assault on Digital Advertising Continues

It has been a particularly rough time for the digital advertising industry recently. In September 2018, complaints were submitted to the Irish Data Protection Commission and the UK Information Commissioner's Office seeking a declaration that the two most widely-used real-time bidding protocols are “mass data broadcast mechanisms” that violate the GDPR. Then, in late October, the French supervisory authority, CNIL, declared that French ad tech startup, VECTAURY, violated the GDPR by not obtaining valid consent for its collection and use of geolocation data from its partners' apps and real-time bid requests for targeted advertising and profiling purposes. Most recently, on December 3, the Office of the New York Attorney General (NYAG) announced a record settlement with Oath, formerly known as AOL, for violating the Children's Online Privacy Protection Act (COPPA).

What makes the Oath settlement so newsworthy isn't simply that Oath has agreed to pay a record-setting amount—almost $5 million—to settle allegations that, as AOL, it violated the federal privacy statute. This settlement is significant because it has established a new standard for notification under COPPA, with wide-reaching ramifications for the broader digital advertising ecosystem.

For background, COPPA mandates, among other things, that no personal information may be collected, used, or disclosed from children who are under 13 years of age without verifiable parental consent. Typically, COPPA applies to those websites and mobile applications designed primarily for such children audiences, such as the very popular Roblox website mentioned by the NYAG in its announcement. As of 2013, COPPA expanded the traditional definition of personal information to include persistent identifiers, such as device and location information, which have historically not been considered as requiring protection in the United States. COPPA is a strict liability statue that applies to any “operator” of a website or “online service” “directed to children,” or any operator that has actual knowledge that it is collecting or maintaining personal information from a child Both the FTC and state attorneys general have the authority to enforce COPPA.

Traditionally, COPPA enforcement at the federal and state level has focused on website operators and app developers whose users fall directly in the under-13 demographic. In June 2016, the FTC announced a then-record $4 million settlement (which was suspended to $950,000 based upon the company's financial condition) with InMobi for deceptively tracking users without their permission contrary to representations to do just the opposite and, importantly, for deceptively tracking users under 13 years of age who had explicitly flagged that fact for the company. And, in September 2016, the NYAG announced the results of “Operation Child Tracker,” which focused on violations of COPPA by some of the most popular children's websites. In both instances, however, the focus of law enforcement was on the website or application that was directly servicing the customer. In those cases, the notice to the companies that content was COPPA protected was simply a matter of evaluating the content of the companies themselves.

The most recent NYAG COPPA enforcement against Oath changes what notice means for a company operating in a COPPA-protected environment. According to the NYAG, AOL's offending conduct was rooted in its operation of ad exchanges to conduct business and serve online behavioral advertising (otherwise known as targeted advertising) on websites that AOL knew were subject to COPPA.

The most significant aspect of this settlement involves what the NYAG asserted to be actual knowledge in this instance. First, as described by the NYAG, AOL received information directly from its customers that its websites were subject to COPPA and nevertheless served targeted ads to those users. Second, AOL conducted independent reviews of the content and privacy policies of websites, made a determination that those websites were subject to COPPA, and nevertheless served targeted advertising. Finally, AOL disregarded notifications it received from other ad exchanges during the bid process that particular ad inventory was subject to COPPA. In some instances, according to the NYAG, this disregard for COPPA flags was done purposefully to increase revenue. In short, notice was imputed based upon COPPA flags or identifiers passed along from one part of the ad tech stack to another. And, AOL disregarded those flags at its peril.

Companies across the digital advertising ecosystem, from publishers and SSPs to advertisers, DSPs, and exchanges, should pay special attention to this recent COPPA settlement and evaluate their own systems for COPPA compliance. Given that COPPA is a strict liability statute, it is possible that even unintentionally passing along targeting information when a COPPA flag is in place could result in liability. More broadly, with the recent decisions and guidance relating to GDPR and the impending implementation of the California Consumer Privacy Act, such companies should evaluate their data collection, use, and disclosures policies and procedures to ensure that they are complying with these myriad and complex regulatory requirements.

Companies should consider reviewing contractual terms and the implementation of individual contracts for compliance and consistency. And, companies should consider training line agents in how to identify potentially improper transactions before those transactions are made. Given the increased attention by regulators in this space, industry members should contemplate adopting a comprehensive compliance system to manage their risk.

Matthew Savare is a partner at Lowenstein Sandler, where he practices privacy, digital advertising, blockchain, and technology law. Kathleen McGee is counsel at Lowenstein Sandler, where she focuses on regulatory matters for tech companies and white collar criminal defense. Previously, Kathleen was the Chief of the Bureau of Internet and Technology for the New York Attorney General's Office, where she spearheaded enforcement, policy and legislative efforts including privacy, data protection, and consumer protection issues.