No More Child's Play: The Regulatory Assault on Digital Advertising Continues
A recent Oath settlement is significant because it has established a new standard for notification under COPPA, with wide-reaching ramifications for the broader digital advertising ecosystem.
December 27, 2018 at 07:00 AM
5 minute read
It has been a particularly rough time for the digital advertising industry recently. In September 2018, complaints were submitted to the Irish Data Protection Commission and the UK Information Commissioner's Office seeking a declaration that the two most widely-used real-time bidding protocols are “mass data broadcast mechanisms” that violate the GDPR. Then, in late October, the French supervisory authority, CNIL, declared that French ad tech startup, VECTAURY, violated the GDPR by not obtaining valid consent for its collection and use of geolocation data from its partners' apps and real-time bid requests for targeted advertising and profiling purposes. Most recently, on December 3, the Office of the New York Attorney General (NYAG) announced a record settlement with Oath, formerly known as AOL, for violating the Children's Online Privacy Protection Act (COPPA).
What makes the Oath settlement so newsworthy isn't simply that Oath has agreed to pay a record-setting amount—almost $5 million—to settle allegations that, as AOL, it violated the federal privacy statute. This settlement is significant because it has established a new standard for notification under COPPA, with wide-reaching ramifications for the broader digital advertising ecosystem.
For background, COPPA mandates, among other things, that no personal information may be collected, used, or disclosed from children who are under 13 years of age without verifiable parental consent. Typically, COPPA applies to those websites and mobile applications designed primarily for such children audiences, such as the very popular Roblox website mentioned by the NYAG in its announcement. As of 2013, COPPA expanded the traditional definition of personal information to include persistent identifiers, such as device and location information, which have historically not been considered as requiring protection in the United States. COPPA is a strict liability statue that applies to any “operator” of a website or “online service” “directed to children,” or any operator that has actual knowledge that it is collecting or maintaining personal information from a child Both the FTC and state attorneys general have the authority to enforce COPPA.
Traditionally, COPPA enforcement at the federal and state level has focused on website operators and app developers whose users fall directly in the under-13 demographic. In June 2016, the FTC announced a then-record $4 million settlement (which was suspended to $950,000 based upon the company's financial condition) with InMobi for deceptively tracking users without their permission contrary to representations to do just the opposite and, importantly, for deceptively tracking users under 13 years of age who had explicitly flagged that fact for the company. And, in September 2016, the NYAG announced the results of “Operation Child Tracker,” which focused on violations of COPPA by some of the most popular children's websites. In both instances, however, the focus of law enforcement was on the website or application that was directly servicing the customer. In those cases, the notice to the companies that content was COPPA protected was simply a matter of evaluating the content of the companies themselves.
The most recent NYAG COPPA enforcement against Oath changes what notice means for a company operating in a COPPA-protected environment. According to the NYAG, AOL's offending conduct was rooted in its operation of ad exchanges to conduct business and serve online behavioral advertising (otherwise known as targeted advertising) on websites that AOL knew were subject to COPPA.
The most significant aspect of this settlement involves what the NYAG asserted to be actual knowledge in this instance. First, as described by the NYAG, AOL received information directly from its customers that its websites were subject to COPPA and nevertheless served targeted ads to those users. Second, AOL conducted independent reviews of the content and privacy policies of websites, made a determination that those websites were subject to COPPA, and nevertheless served targeted advertising. Finally, AOL disregarded notifications it received from other ad exchanges during the bid process that particular ad inventory was subject to COPPA. In some instances, according to the NYAG, this disregard for COPPA flags was done purposefully to increase revenue. In short, notice was imputed based upon COPPA flags or identifiers passed along from one part of the ad tech stack to another. And, AOL disregarded those flags at its peril.
Companies across the digital advertising ecosystem, from publishers and SSPs to advertisers, DSPs, and exchanges, should pay special attention to this recent COPPA settlement and evaluate their own systems for COPPA compliance. Given that COPPA is a strict liability statute, it is possible that even unintentionally passing along targeting information when a COPPA flag is in place could result in liability. More broadly, with the recent decisions and guidance relating to GDPR and the impending implementation of the California Consumer Privacy Act, such companies should evaluate their data collection, use, and disclosures policies and procedures to ensure that they are complying with these myriad and complex regulatory requirements.
Companies should consider reviewing contractual terms and the implementation of individual contracts for compliance and consistency. And, companies should consider training line agents in how to identify potentially improper transactions before those transactions are made. Given the increased attention by regulators in this space, industry members should contemplate adopting a comprehensive compliance system to manage their risk.
Matthew Savare is a partner at Lowenstein Sandler, where he practices privacy, digital advertising, blockchain, and technology law. Kathleen McGee is counsel at Lowenstein Sandler, where she focuses on regulatory matters for tech companies and white collar criminal defense. Previously, Kathleen was the Chief of the Bureau of Internet and Technology for the New York Attorney General's Office, where she spearheaded enforcement, policy and legislative efforts including privacy, data protection, and consumer protection issues.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250