In a record-setting deal with the Federal Trade Commission (FTC) and the New York State Office of the Attorney General, YouTube agreed to pay a total of $170 million to settle charges of violations of the Children’s Online Privacy Protection Act (COPPA) as well as the FTC Act.
According to the complaint, YouTube collected personal information (in the form of persistent identifiers that were used to track users across the Internet) from viewers of child-directed channels without first notifying parents and obtaining their consent as required by COPPA. The proposed settlement with YouTube imposes numerous obligations. In particular, it requires:
- The development, implementation and maintenance of a system for YouTube channel owners to designate whether their content is directed to children, so YouTube can ensure that it complies with COPPA with respect to those channels;
- Notifying channel owners that their child-directed content may be subject to COPPA’s obligations;
- Providing annual COPPA compliance training for employees who manage YouTube channels;
- Providing a COPPA-compliant notice to parents about the data collection practices of channel owners, and obtaining verifiable parental consent before collecting, using or disclosing personal information from children;
- Posting prominently a link to that COPPA notice on any area of the site that collects children’s personal information; and
- Satisfying certain recordkeeping and reporting requirements to verify their ongoing compliance with COPPA.
Children’s privacy issues are lurking in many digital marketing campaigns, whether or not the campaign is directed to children. The FTC last updated COPPA in 2013. COPPA requires a company to obtain parental consent prior to collecting—whether online or via mobile apps—personal information from a child under the age of 13, with limited exceptions. The updated COPPA regulations greatly expand the kind of data that requires verified parental consent before being collected from a child under 13 years of age, and personal information is now defined to include persistent identifiers (i.e., an identifier used to recognize a user, browser, or device over time and across sites and services, such as an IP address). COPPA’s regulations created a new category of so-called mixed-use sites and apps that may be directed to children in part but not primarily so. These sites and services are required to age screen users in a neutral manner and treat them differently based on self-reported age. Mixed-use sites cannot block children under 13 completely, but must offer them COPPA-compliant services.
The FTC has made it clear that once any operator (even if their site is directed to adults) has notice that a persistent identifier belongs to a child under 13, that operator must immediately take action to prevent a violation of COPPA. This includes ensuring that behavioral advertising is not served to children, that social media plug-ins and tools where children can submit publicly available content are not made available to them, and that analytics providers and other vendors do not use children’s identifiers or other personal information except pursuant to certain narrow exceptions.
Even if an operator could employ a cookie or another device to identify users it learns are under the age of 13, given all the third parties affected (e.g., in the advertising ecosystem), real challenges remain to be solved before effective differentiation can become reality. In the meantime, other workarounds can be employed to minimize risk. Digital marketing campaigns that are clearly required to comply with COPPA because they are targeted to children, even in material part, often make basic mistakes, such as not posting a COPPA-compliant privacy policy (or any privacy policy at all), making the policy hard to find, assuming that it is okay to collect information from children so long as the site does not do anything with it, or failing to properly secure parental consent before a child’s personal information is collected.
It is perhaps no coincidence that the latest COPPA settlement was announced only weeks before the FTC’s upcoming public workshop on COPPA where, among other things, the FTC will consider whether COPPA should be updated or otherwise modified. The FTC is requesting public comments on the COPPA Rule. In particular, the FTC is seeking feedback on the effectiveness of its 2013 amendments to the COPPA Rule and on whether additional changes are needed. Comments are due on October 23, 2019, and the workshop will take place on October 7, 2019.
To read the complaint, the stipulated order and statements of the commissioners in FTC v. Google, click here.
Why it matters: Although not specifically required by the settlement, YouTube also recently publicly announced that it will be creating a site specifically for children’s content. Parents will be able to filter videos based on a child’s age and to track their children’s viewing history, and the site will not use behavioral advertising. Previously, the kids’ content was available only via mobile app. Thus, the settlement has important implications for both content creators and hosting platforms. Notably, content creators should ensure compliance with COPPA to avoid COPPA violations. YouTube content creators should be especially vigilant, as FTC Chairman Joe Simons announced that the FTC “intends to conduct a sweep of the YouTube platform to determine whether child-directed content is being properly designated as such in order to ensure that the channels themselves are complying with COPPA.”
Further, online platforms that provide services of which portions are directed to kids need to assess their COPPA obligations. Even where child-directed portions of a platform consist of third-party user-generated content (UGC), the platform operator is responsible for COPPA compliance to the extent it knows it is collecting personal information through a portion of the platform containing child-directed UGC. Platforms and third-party providers collecting personal information from other services should consider whether they are at risk of obtaining actual knowledge (inadvertently or otherwise) that such services are child-directed, and should consider whether risk mitigation strategies such as signaling are appropriate for their business. The key steps companies should be taking now in light of the FTC’s largest COPPA settlement ever include:
- Re-review any content directed to children posted online (including in mobile apps), and determine what (if any) information is being collected in connection with the distribution of that content;
- Carefully reconsider the content they designate as “child-directed” (especially posted on YouTube), and re-evaluate whether they want to change their designation in light of the settlement and the increased risk of enforcement;
- Ensure that they are not inadvertently collecting personal information (applying the broad definition under COPPA) through third-party platforms or on their own platforms;
- Audit what vendors they are using to collect data, and confirm that the data-collection practices of their third-party service providers are COPPA-compliant;
- Take a close look at their channels and other content to determine whether these could be considered child-directed; and
- Make changes to their production practices so content posted on YouTube will be less likely to be considered targeted to children.