2018 leaves us with the largest COPPA settlement to date, so what may be in store for 2019?

On December 4, 2018, the New York Attorney General announced that Oath Inc. (formerly known as AOL Inc.) agreed to pay nearly $5 million for violation of the Children’s Online Privacy and Protection Act (“COPPA”).  This followed allegations that Oath Inc. violated COPPA by collecting and disclosing children’s personal information when conducting online auctions for advertising placement.  This is the largest ever settlement for a COPPA violation, and leaves businesses questioning, “what’s next”? 

COPPA was enacted to protect children under the age of 13 from having their personal information collected unknowingly or unwillingly.  COPPA aims to have parents control whether personal information is collected from their children.  COPPA applies to businesses whose websites or mobile applications are directed to children (or directed to a general audience, but the business knows that it collects personal information from children under 13).

How do you know if COPPA applies to your business?  

Businesses must consider all reasonable interpretations of their website or mobile application to determine whether they are targeting children, whether they intended to or not.  Interpretation of a business’s advertising also plays a role.  Some factors to consider are:   

  1. Who is featured on the website, mobile application, or in the ad (e.g., young children, animated characters, celebrities that are popular with children)?

  2. What is depicted on the website, mobile application, or in the ad (e.g., children’s meal, toys)?

  3. Are your business’s products and/or services for children?

  4. Who are the advertisements “speaking to” (e.g., a voiceover that says “hey kids” or “ask your parents”)?  

When and where is your business advertised (e.g., during children’s program, in a kid’s magazine or publication)?

If you determine your business’s website and/or mobile application is directed at children, then what?

 Your business should establish and maintain a comprehensive COPPA compliance program to maintain the confidentiality, security, and integrity of information they collect from children.  This includes posting a clear and comprehensive online privacy policy and establishing a process to obtain verifiable parental consent before collecting personal information from children, among other requirements. 

 The New York Attorney General provided some additional helpful guidance in the Oath Inc. case, recommending that businesses also:

        1. Implement a COPPA training program for employees;

        2. Establish a process for destruction of personal information collected from children;

       3. Create a consistent monitoring program for COPPA compliance; and

       4. Retain a third-party professional to assess the business’s privacy controls.

 What’s next?

 Everyone is watching!  Enforcement of COPPA is done by the Federal Trade Commission and State Attorney Generals, but it is not uncommon to see plaintiff’s actions as well.  It will be interesting to see what transpires in 2019 … we’ll be watching, too!