The Federal Trade Commission (FTC) and the New York Attorney General filed a complaint against Google LLC and its subsidiary, YouTube LLC, for alleged violations of the Children’s Online Privacy Protection Act (COPPA). Google and YouTube will be required to pay a monetary penalty of $170m in addition to the implementation of compliance measures to address the alleged violations. The complaint and consent decree have been filed in the U.S. District Court for the District of Columbia and is pending approval. Once the consent decree has been approved, it will have the force of law.
The background to this complaint
The COPPA is a federal law in the United States. It was enacted in 1998 to protect the safety and privacy of children when online. The law prohibits unauthorized or unnecessary collection of children’s personal information by operators of internet websites or online services.
The COPPA’s definition of ‘personal information’ specifically includes persistent identifiers used for behavioural advertising. The key requirements imposed by COPPA are as follows
- An operator of an internet website or online services directed to children or an operator of other websites or online services that have actual knowledge that they are collecting personal information from a child must give clear notice on its site of the information it collects from children, how it uses such information and the disclosure practices surrounding such information.
- In addition to the above, a direct notice must also be given to parents of their practices about the collection, use or disclosure of personal information from children.
- Before starting the collection of personal information from children under the age of 13, companies within the scope of COPPA must get verifiable parental consent.
Where does YouTube stand in relation to the above?
To address this point, let us consider YouTube’s business model and its alleged business practices.
YouTube provides a video-sharing platform on the internet and on mobile applications on which, among other things, consumers can view videos or upload video content for sharing. To upload content on YouTube, users must create a channel to display their content (‘Channel Owners’). Eligible Channel Owners, which also include commercial entities, can monetise their channel by allowing YouTube to serve ads to viewers, for which the Channel Owners and YouTube can earn revenue.
When a Channel Owner monetises a channel, YouTube collects information associated with a viewer’s cookie or mobile ad identifier to track the viewer’s online activities and serve ads that are specifically tailored to the viewer’s inferred interests.
FTC’s complaint is that YouTube has used this model across its platform, i.e., channels for a general audience and channels that YouTube apparently knew were directed to children under 13 years of old. Channel Owners had apparently made YouTube aware that their content was directed to children and in some cases, content was categorised as children-directed based on YouTube’s own rating system. Even though YouTube had knowledge, YouTube employed persistent identifiers on channels directed to children to track the children online, delivering them targeted ads without disclosing that practice and getting parents’ verifiable consent.
This had led to the violation of the above 3 enumerated COPPA rules.
So, what are the key implications for similar platforms and content creators?
- If you upload content directed to children on platforms like YouTube, you need to ensure compliance with the COPPA rules to avoid liability. Do you properly designate child-directed content? Do you allow the collection of personal information from children that view your content?
- If a platform hosting third-party content knows that content is directed to children, it’s illegal to collect personal information from child viewers without getting verifiable parental consent.
- If your commercial website has a children’s corner and you collect information from them, you need to re-assess your COPPA obligations.
The step taken by the FTC might just be the beginning.
It is quite clear that privacy regulators have got their eyes set on the online use of children’s data. The director of the FTC’s Bureau of Consumer Protection, Andrew Smith, has just announced that the other issue they are planning to look at is the collection and use of audio files; and the Irish Privacy Regulator is also scoping some children’s privacy enforcement actions.
Are you doing enough to protect children’s personal information online? Is your company covered by the COPPA rule? And what must you do to comply with the Rule?
If you would like assistance on a step-by-step plan and practical implementation solutions, please get in touch with our team by filling out the form at the bottom of this page..