At the end of last week, the media was full of stories that Google had been “Fined $170 Million for Violating Children’s Privacy on YouTube” (that’s a headline from the New York Times; see also, for example, NPR | BBC | RTÉ | Silicon Republic). In this post, I want to sketch the legal background to, and consequences of, this fine; and, at the end, I will say a few words about the equivalent position in Europe.
In the US, the Children’s Online Privacy Protection Act of 1998 (15 USC §§ 6501–6506; hereafter: COPPA), and the Children’s Online Privacy Protection Rule (16 CFR § 312; hereafter: the COPPA Rule) made under it, regulate unfair and deceptive acts and practices in connection with the collection and use of personal information from and about children on the internet. In particular, 15 USC §§ 6502(b)(A) COPPA, and 16 CFR § 312.3 COPPA Rule, require the operator of any website or online service directed to children that collects personal information from children, or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child,
(i) to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information; and
(ii) to obtain verifiable parental consent for the collection, use, or disclosure of personal information from children; …
Giving further effect to the second paragraph here, 16 CFR § 312.5(b)(1) COPPA Rule provides
An operator must make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology. Any method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.
These provisions can be enforced both by the Federal Trade Commission (the FTC) and by the Attorneys General of the States. Hence, enforcement actions against Google for YouTube’s infringements of COPPA were taken by both the FTC and New York’s Attorney General, and last week’s $170m fine for infringing these provisions was made up of $136m by the former and $34m by the latter. In particular, YouTube knew certain channels on its platform were directed to children and yet tracked visitors to those sites without disclosing that practice. In doing so, it failed to provide clear notice on its site of the information it collected from children, how it used the information, and to whom it disclosed the information. Moreover, it failed to provide direct notice to parents of these practices. Worst of all, it failed to obtain verifiable parental consent to those practices. These were long-lasting, systemic and grave breaches of COPPA, and the record fines reflected that.
This is not the first time that the FTC and NY’s AG have imposed fines for COPPA violations. Thus, for example, in 2014, business recommendation site Yelp paid the FTC a $450,000 civil penalty and TinyCo paid a $300,000 civil penalty for collecting children’s data without parental consent. In 2015, app developers LAI Systems and Retro Dreamer paid a combined $360,000 in civil penalties as part of settlements with the FTC for using persistent identifiers of children without parental consent). In 2016, mobile advertising network InMobi paid $950,000 in civil penalties to settle charges it deceptively tracked the locations of consumers – including children. In 2018, electronic toy maker VTech paid $650,000 as part of a settlement with the FTC for collecting personal information from children without providing direct notice and obtaining their parents’ consent. Earlier this year, in the previous highest civil penalty in a COPPA case, video social networking app Musical.ly (now merged into TikTok, a ByteDance company) paid $5.7 million for collecting personal information from children without their parents’ consent. And, even more recently, following a warning from the FTC, Apple and Google removed from their online stores dating apps that did not verify age and thus allowed children to use them in breach of COPPA.
As to New York’s Attorney General, in 2018, in the highest penalty until the FTC’s Musical.ly fine, internet communications company Oath (formerly AOL, and now a Verizon company) agreed to pay a US$5 million fine to settle charges that AOL’s online advertising business was placing advertisements directed to children under the age of 13 by collecting, using, and disclosing, their personal information in breach of COPPA.
Against this backdrop, it is clear that $170m is by far the highest fine ever imposed in the US for breach of children’s privacy rights. However, this pales almost into insignificance agains the largest fine for breach of privacy imposed by the FTC, which is the US$5bn fine imposed on Facebook earlier this year. And this in turn is a long way short of the highest fines ever imposed by US agencies. In 2014, Bank of America paid $16.65b to the US Department of Justice (DOJ) for financial fraud leading up to and during the mortgage crisis of 2008. And, in 2016, arising out of the explosion of the Deepwater Horizon oil rig in the Gulf of Mexico in 2010, amongst the range of criminal and other penalties imposed on British Petroleum was the payment of a $20.8b fine to the DOJ and 5 affected Gulf States.
Hence, Commissioner Chopra argued that the Commission could and should have imposed a much higher fine. He argued that “when Google pays a fine and still profits from the misconduct, this is not a penalty”. There is much to be said for this view; disgorgement of a defendant’s wrongful gains is an ancient remedy recently reaffirmed by the US Supreme Court; but the majority preferred a more pragmatic approach.
Not only did the FTC and the NY AG impose fines, but they also imposed additional conduct requirements on Google and YouTube. For example, Google and YouTube must notify channel owners that their child-directed content may be subject to the COPPA Rule, and they must develop a system that lets channel owners identify content as child-directed, so that YouTube can ensure that it is complying with COPPA. Most importantly, Google and YouTube undertook to obtain verifiable parental consent before collecting personal information from children. Of course, this is simply undertaking to abide by the key provisions of COPPA; but, given that these provisions had been so grievously infringed by Google and YouTube, it is clear why the FTC and the NY AG felt the need to require this undertaking. Moreover, YouTube immediately announced new data practices for children’s content:
Starting in about four months, we will treat data from anyone watching children’s content on YouTube as coming from a child, regardless of the age of the user. This means that we will limit data collection and use on videos made for kids only to what is needed to support the operation of the service. We will also stop serving personalized ads on this content entirely, and some features will no longer be available on this type of content, like comments and notifications. … And we’re bringing the YouTube Kids experience to the desktop.
Indeed, Google and YouTube may go further. They have a dedicated YouTube Kids app for iPhones, Android devices, and on various other devices. They are going to make it available in desktop browsers as well. And they are considering moving all children’s content to it.
In Europe, Article 83 of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) provides for the imposition of administrative fines for infringements of the Regulation. Article 6(1)(a) GDPR provides that processing of personal data shall be lawful if “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”. And, in respect of children, Article 8 GDPR goes on to provide
(1) Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
(2) The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
Paragraph (2) here is strikingly similar to 16 CFR § 312.5(b)(1) COPPA Rule, above, though that section has additional detail not found in Article 8(2) GDPR. In any event, the question arises whether, given these similarities, European regulators could reach conclusions similar to those reached by the FTC and the NY AG and impose fines similar to those imposed on Google and YouTube last week. After all, children are spending increasing amounts of time online, and they merit specific protection with regard to their personal data and more generally, so regulators must be astute to protect them, on the eastern side of the Atlantic as much as on the western side.