Last year marked 20 years since Congress passed the Children's Online Privacy Protection Act (COPPA). Fittingly, the Federal Trade Commission (FTC) kicked off 2018 by settling two back-to-back cases with companies alleged to have violated COPPA. While the FTC spent the remainder of 2018 focusing on outreach and education, holding workshops and providing guidance on COPPA, the state attorneys general flexed their enforcement authority by bringing notable COPPA actions against companies that violated the law.

The New York Attorney General shocked the privacy world when it announced its settlement with Oath, Inc. (Oath), formerly AOL Inc., for its alleged violations of COPPA, totaling $4.95 million — the then-largest COPPA penalty to date. Oath operated several ad exchanges for display ads, conducting billions of auctions for ad space on hundreds of websites the company allegedly knew were directed to children under the age of 13. The Attorney General claimed that Oath violated its own policies by knowingly auctioning display ads on child-directed websites, and by knowingly setting up certain client accounts in a way that would violate COPPA in order to increase ad revenue.

The New Mexico Attorney General similarly made waves after filing a lawsuit against app maker Tiny Lab Productions, alleging that the company failed to give notice of the app's data collecting and processing practices, and did not obtain verifiable parental consent when collecting children's personal data, including geolocation data. The Attorney General alleged that the company built detailed profiles of its child users and sold the data to numerous third parties in violation of COPPA. The Children's Advertising Review Unit (CARU), the children's arm of self-regulation, brought an inquiry last year against Musical.ly, Inc. (now known as TikTok), a video-sharing app, claiming that the app violated COPPA. According to CARU, the app is immensely popular among teenagers and tweens, and many account profiles and user videos posted on the app feature children who appear to be under 13. Despite its popularity with children, the app's registration process did not require users to disclose their age, and CARU determined that, even though the app was primarily intended for use by a teenage audience, several characteristics of the app demonstrated that it also was directed to children under 13 years of age. CARU recommended that the app implement an age-gate to limit content served to children under 13 and that parental consent be secured prior to the collection of any personal information from those children. Because Musical.ly declined to adhere to all of CARU's recommendations, CARU referred the matter to the FTC which announced its own COPPA action against the app in February 2019. The FTC's action resulted in a $5.7 million settlement with the app — as of this writing, the largest civil penalty to date in a COPPA case.

Notably, a coalition of consumer protection organizations filed a complaint with the FTC last spring alleging that YouTube violated COPPA in much the same way as Musical.ly — by knowingly offering its services to, and collecting the data generated by, children under 13 without parental consent. According to the complaint, despite YouTube's introduction of the COPPA-compliant YouTube Kids service in 2015, most of the under-13 demographic still use the same general audience version of the platform as adults. Teenagers and children under 13 are increasingly using mobile video platforms as their primary source of entertainment, and as this trend continues to grow over the coming years, YouTube and other digital content providers will face mounting pressure to bring their services into compliance with COPPA in a meaningful way.

Key Takeaways:

  • Despite the FTC bringing only a few COPPA enforcement actions in 2018, companies should not relax their COPPA compliance efforts as the FTC maintains that COPPA is still one of its top priorities, particularly with the emergence of connected toys and the Internet of Everything.
  • The state attorneys general and CARU continue to aggressively monitor and enforce COPPA. The New York and New Mexico Attorneys General appear to be particularly vigilant in this area.
  • As children increasingly use mobile entertainment platforms, regulators and self-regulators will more closely scrutinize websites and digital platforms with significant child audiences to ensure COPPA compliance, as part of a larger cultural shift toward protecting user privacy online.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.