The Federal Trade Commission (FTC) announced that Google LLC and its subsidiary YouTube, LLC have settled with the FTC and New York Attorney General over allegations that YouTube illegally collected personal information from children without their parents’ consent in violation of the Children’s Online Privacy Protection Act (COPPA). The complaint alleges the personal information collected was from viewers of child-directed channels in the form of persistent identifiers used to track internet usage, commonly known as cookies. According to the complaint, use of these cookies to deliver targeted ads to viewers of these channels resulted in YouTube earning millions of dollars.
Per the settlement Google and YouTube:
- Will pay a total of $170 million to settle the complaint; $136 million will be paid to the FTC and $34 million will be paid the state of New York;
- Will Implement and maintain a system that permits channel owners to identify their child-directed content on the YouTube platform so that YouTube can ensure it is complying with COPPA;
- Will Notify channel owners that their child-directed content may be subject to the COPPA Rule’s obligations and provide annual training about complying with COPPA for employees who deal with YouTube channel owners; and
- Will provide notice about their data collection practices and obtain verifiable parental consent before collection personal information from children.
What is the COPPA Rule?
Congress enacted COPPA in 1998 and the FTC imposed the COPPA Rule effective April 21, 2000. As noted in the FTC’s press release, “[t]he COPPA Rule requires that child-directed websites and online services provide notice of their information practices and obtain parental consent prior to collecting personal information from children under 13, including the use of persistent identifiers to track a user’s internet browsing habits for targeted advertising. In addition, third parties, such as advertising networks, are also subject to COPPA where they have actual knowledge they are collecting personal information directly from users of child-directed websites and online services.”
COPPA requires operators of commercial websites directed to children 12 and under that collect or maintain personal information, as well as other websites that have actual knowledge that they are collecting or maintaining personal information from a child 12 and under to:
- Notice: In certain circumstances, websites must send direct notice to a parent of the site’s information practices and give parents the opportunity to opt out on behalf of their child;
- Consent: Obtain verifiable parental consent before collecting, using or disclosing personal information about a child or before allowing children to open an email account or post messages in a chatroom or on a bulletin board;
- Review: Allow parents to review personal information collected from their children;
- Revoke: Allow parents to revoke their consent, and delete information collected from their children at the parents’ request.
- Procedures: Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of children’s personal information.
- Conditional Participation Prohibited: Not condition a child’s participation in certain activities on collection of more personal information than is reasonably necessary.
In order to attract the next generation of customers, financial institutions may direct content on their website or other online service toward, or may knowingly collect or maintain personal information from, children 12 and under. If a financial institutions is engaging in either of these practices, it should verify compliance with the COPPA Rule.
The FTC’s press release is available here: https://www.ftc.gov/news-events/press-releases/2019/09/google-youtube-will-pay-record-170-million-alleged-violations.
The COPPA Rule is available here: https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule.