Company Conducted Billions of Auctions for Targeted Ads on Hundreds of Children’s Websites in Violation of COPPA.
New York, NY - December 4, 2018 - Attorney General Barbara D. Underwood today announced a record settlement with Oath, Inc., formerly known as AOL, for violating the Children’s Online Privacy Protection Act (COPPA), marking the largest-ever penalty in a COPPA enforcement matter in U.S. history.
The Attorney General’s Office found that AOL conducted billions of auctions for ad space on hundreds of websites the company knew were directed to children under the age of 13. Through these auctions, AOL collected, used, and disclosed personal information from the websites’ users in violation of COPPA, enabling advertisers to track and serve targeted ads to young children. The company has agreed to adopt comprehensive reforms to protect children from improper tracking and pay a record $4.95 million in penalties, the largest penalty ever in a COPPA enforcement matter in U.S. history.
Oath Inc. is a wholly-owned subsidiary of Verizon Communications Inc. Until June 2017, Oath was known as AOL Inc. (“AOL”).
“COPPA is meant to protect young children from being tracked and targeted by advertisers online. AOL flagrantly violated the law – and children’s privacy – and will now pay the largest-ever penalty under COPPA,” said Attorney General Barbara Underwood. “My office remains committed to protecting children online and will continue to hold accountable those who violate the law.”
The Children’s Online Privacy Protection Act
In 1998, Congress enacted COPPA to protect the safety and privacy of young children online. COPPA prohibits operators of certain websites from collecting, using, or disclosing personal information (e.g., first and last name, e-mail address) of children under the age of 13 without first obtaining parental consent. Operators of websites and online services directed to children under the age of 13, and the operators of websites and online services that have actual knowledge that they are collecting personal information from a child under the age of 13, are subject to COPPA.
In July 2013, the definition of “personal information” was revised to include persistent identifiers that can be used to recognize a user over time and across websites, such as the ID found in a web browser cookie or an Internet Protocol (“IP”) address. The revision effectively prohibits covered operators from using cookies, IP addresses, and other persistent identifiers to track users across websites for most advertising purposes, amassing profiles on individual users, and serving online behavioral advertisements on COPPA-covered websites.
How Targeted Advertising Works
Most online shoppers have encountered advertisements for a product that seems to follow them from website to website. These advertisements are known as online behavioral advertisements or OBA, a form of targeted advertising that selects an advertisement to serve to an individual based on previously collected information about that individual, such as the individual’s Internet browsing history, demographic information, or personal interests.
OBA ads are often placed through online marketplaces known as ad exchanges. An ad exchange enables websites to sell, and advertisers to buy, advertising space through an auction process. Auctions take place in real-time, after a user opens a webpage that contains ad space.
When a user opens a webpage on a site that works with an ad exchange, the exchange retrieves a small text file stored on the user’s computer known as a web browser cookie. The exchange typically transmits information from that cookie to entities that may be interested in purchasing ad space on behalf of advertisers. These entities use the information the exchange provides to help determine whether to place a bid for the ad space on behalf of an advertiser. The exchange collects bids, selects a winner, and then permits the winning bidder to serve an advertisement, usually an OBA ad, to the user. The entire auction process takes place in a fraction of a second.
AOL’s Display Ad Exchange Conducted Billions of Auctions in Violation of COPPA
AOL operates several ad exchanges, including an exchange for image-based ads, referred to as “display” ads. Until recently, AOL’s ad exchange for display ads was not capable of conducting a COPPA-compliant auction that involved third-party bidders because AOL’s systems would necessarily collect information from users and disclose that information to the third-parties. AOL policies therefore prohibited the use of its display ad exchange to auction ad space on COPPA-covered websites to third-parties.
Despite these policies, AOL nevertheless used its display ad exchange to conduct billions of auctions for ad space on websites that it knew to be directed to children under the age of 13 and subject to COPPA.
AOL obtained this knowledge in two ways. First, several AOL clients provided notice to AOL that their websites were subject to COPPA. These clients identified more than a dozen COPPA-covered websites to AOL. AOL conducted at least 1.3 billion auctions of display ad space from these websites.
Second, AOL itself determined that certain websites were directed to children under the age of 13 when it conducted a review of the content and privacy policies of client websites. Through these reviews, AOL identified hundreds of additional websites that were subject to COPPA. AOL conducted at least 750 million auctions of display ad space from these websites.
AOL Placed Ads Through Other Exchanges in Violation of COPPA
AOL also operates a business that bids on ad space in auctions conducted by other ad exchanges. Several of the exchanges that AOL has worked with have the capability to auction ad space on child-directed websites in a COPPA-compliant manner. When one of these exchanges conducts an auction for ad space on a child-directed website, the exchange passes information to bidders indicating that it is subject to COPPA. Bidders that receive this information are expected to comply with COPPA as well.
Prior to November 2017, AOL’s systems ignored any information that it received from an ad exchange indicating that the ad space was subject to COPPA. Thus, whenever AOL participated in and won an auction for COPPA-covered ad space, its systems behaved as they normally did. In these cases, the company typically used user information supplied by the exchange and information the company could collect directly from the user to select and serve a targeted advertisement to the user. AOL’s collection and use of this information from users on COPPA-covered websites violated COPPA.
An AOL Account Manager Knowingly Violated COPPA to Increase Revenue
As described above, AOL permitted clients to use its display ad exchange to sell ad space on COPPA-covered sites, even though the exchange was not capable of conducting a COPPA-compliant auction that involved third-party bidders. AOL documents show that an AOL account manager based in New York intentionally configured at least one of these client’s accounts in a manner that she knew would violate COPPA in order to increase advertising revenue. In addition, AOL documents show that the NY account manager repeatedly represented to at least this client that AOL’s display ad exchange could be used to sell ad space to third-parties in a COPPA compliant manner. As a result of these misstatements, the client used AOL’s display ad exchange to place more than a billion advertisements on COPPA-covered inventory.
Company Must Adopt Comprehensive Reforms to Protect Kids Privacy
AOL has agreed to adopt comprehensive reforms to its policies and procedures to protect children’s privacy. The agreement requires that AOL establish and maintain a comprehensive COPPA compliance program that includes: the designation of an executive or officer to oversee the program; annual COPPA training for relevant AOL personnel; the identification of risks that could result in AOL’s violation of COPPA; the design and implementation of reasonable controls to address the identified risks, as well as regular monitoring of the effectiveness of those controls; and development and use of reasonable steps to select and retain service providers that can comply with COPPA. The agreement also requires that AOL retain an objective, third-party professional to assess the privacy controls that the company has implemented.
In addition, AOL has agreed to implement and maintain functionality that enables website operators that sell ad inventory through AOL systems to indicate each website or portion of a website that is subject to COPPA. AOL will maintain this information in a database or similar system, and disclose to each third-party bidder that relevant ad space is subject to COPPA.
Finally, AOL has also agreed to destroy all personal information collected from children that is in its possession, custody, or control, unless such personal information is required to be maintained by law, regulation, or court order.
Operation Child Tracker
Today’s announcement builds on the Attorney General’s office’s prior work protecting children’s privacy through Operation Child Tracker, an ongoing investigation into illegal tracking of children’s online activity by marketers, advertising companies, and others in violation of COPPA. In September 2016, the Attorney General’s office announced settlements with four companies that had violated COPPA by allowing illegal third-party tracking technologies on some of the nation’s most popular kids’ websites, including websites for Barbie, Nick Jr., My Little Pony, American Girl, Hot Wheels, and dozens of others. Those companies agreed to pay penalties totaling $835,000 and to adopt comprehensive reforms to protect children from improper tracking and the collection of children’s personal information in the future. Then in April 2017, the Attorney General’s office announced a settlement with the operator of a COPPA safe harbor program for flawed privacy assessments that left children visiting popular children’s websites vulnerable to illegal tracking. As part of that settlement, the company paid a penalty of $100,000 and agreed to adopt new measures to strengthen its privacy assessments.
This case was handled by Bureau of Internet and Technology Assistant Attorney General Jordan Adler and Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.