Data Innovation, Privacy & Cybersecurity
With innovation in data collection and monetization continuing to accelerate and concerns about data protection, privacy and cybersecurity prompting ever-greater global scrutiny, boards and senior executives require sophisticated counsel to assess and navigate risks around the use of customer, business partner or employee data. We help clients establish oversight and compliance frameworks that reduce the potential for large-scale data breaches or cyber incidents, manage and mitigate fast-moving crises when they occur, and respond to related litigation.
Google and YouTube Pay Record $170 Million Fine for Allegedly Violating Children’s Privacy Law in Settlement with the FTC and the New York Attorney General
September 9, 2019 Download PDF
On September 4, 2019, the Federal Trade Commission (the “FTC”) and the New York Attorney General’s Office (the “NYAG”) reached a record $170 million settlement with Google and YouTube for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”), a federal law that prohibits companies from collecting children’s personal information online without first notifying parents and obtaining their consent. This settlement, which resulted in part from a NYAG investigation, is yet another instance of the continuing uptick in privacy-related enforcement actions against technology and media companies initiated by both federal and state regulators. It is a reminder for senior management and directors to ensure compliance policies are in place that identify and address COPPA issues as part of a broader privacy and data collection framework.
The Children’s Online Privacy Protection Act
Enacted in 1998, COPPA is the most robust federal consumer privacy statute in the United States. COPPA prohibits operators of internet websites and online services directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, from collecting a child’s personal information without first obtaining parental consent. The FTC issued a regulation (“the COPPA Rule”) that implemented the statute and, among other things, expansively defined a child’s “personal information” as any screen or username, any email address or any “persistent identifier” that can be used to recognize an individual over time across different websites or online services, such as a customer number held in a cookie or an Internet Protocol (“IP”) address.
COPPA does not set out the methods by which an operator may obtain verifiable parental consent, but the FTC has approved certain processes for obtaining consent. Under the COPPA Rule, an operator may obtain consent from a parent by, among other ways: having a parent contact trained personnel by a toll-free call or video-conference, or verifying a government-issued identification against the relevant database, such as the verification of a parent’s Social Security Number. The FTC has also approved two other methods for obtaining verifiable parental consent: a knowledge-based authentication (“KBA”) process whereby the parent’s identity is verified by correctly answering a series of multiple-choice questions, and a two-step verification process where a parent submits both an image of his or her photo identification (e.g., passport or driver’s license) and a photo of the parent’s own face that is run through facial recognition software.
The FTC and the NYAG’s Settlement with YouTube and Google
The Bureau of Internet and Technology at the NYAG has conducted multiple investigations into violations of COPPA and the tracking of children’s online activity by marketers and advertising companies. In the course of one such investigation, the NYAG discovered alleged conduct by Google and YouTube that ran afoul of COPPA and notified the FTC. On September 4, 2019, the FTC and the NYAG filed a joint complaint against Google and YouTube, along with a proposed settlement, in the U.S. District Court for the District of Columbia.
According to the complaint, Google and YouTube prohibit users under the age of 13 from creating user accounts on the platform, but do not require users to register or create an account in order to view videos on the site. Certain activities, such as commenting on videos, are limited, however, to users with an account. YouTube allegedly hosts numerous channels that are “directed to children” under the age of 13 and contain a range of videos regarding children’s toys, cartoons, and movies. In presentations to toy brands and marketers, Google and YouTube allegedly touted the site’s popularity with children, noting that “YouTube is today’s leader in reaching children age 6-11 against top TV channels” and that the site was “unanimously voted as the favorite website for kids 2-12.” Despite doing so, YouTube and Google allegedly failed to acknowledge that YouTube was obligated to comply with COPPA, as it hosted numerous channels directed at children. According to the complaint, when an advertising company asked about YouTube’s compliance with COPPA, a Google employee allegedly stated: “[W]e don’t have users that are below 13 on YouTube and platform/site is general audience, so there is no channel/content that is child-directed and no COPPA compliance is needed.”
The complaint further alleged that while YouTube hosted child-directed channels and touted its popularity to children, it also maintained a practice of behavioral advertising for these child-focused channels, whereby it tracked a viewer’s cookies and IP address to target advertisements to that viewer, in violation of COPPA. Google and YouTube allegedly earned almost $50 million from this practice. Under the record settlement, Google and YouTube will pay a $136 million penalty to the FTC, the largest amount the agency has ever obtained in a COPPA case, and a $34 million penalty to the NYAG.
In addition to the monetary settlement, Google and YouTube agreed to implement numerous changes to their advertising policies and procedures for these child-focused channels. YouTube agreed to develop, implement and maintain a system for users to designate whether a video they uploaded was directed to children so YouTube could ensure it complied with COPPA. YouTube will also notify channel owners that their uploaded content may be subject to COPPA, and provide annual training about complying with COPPA for employees who work with channel owners.
Additionally, YouTube agreed to obtain verifiable parent consent before collecting, using or disclosing children’s personal information. YouTube said it would no longer collect personal data about any user watching videos directed at children, even if the company believed the viewer is an adult, and disable other features on children’s videos that require the use of personal information. This may be a tacit acknowledgment of the difficulties of implementing a regulator-approved method for obtaining verifiable parental consent on a site that does not require viewers to log-in to an account for access.
The FTC voted 3-2 to authorize the filing of the complaint and proposed settlement, with the two Democratic-appointed commissioners dissenting. Commissioner Rohit Chopra voted against the settlement, citing numerous shortcomings, including “no individual accountability, insufficient remedies to address the company’s financial incentives, and a fine that still allows the company to profit from its lawbreaking.” Commissioner Rebecca Kelly Slaughter acknowledged that the settlement “includes the largest financial penalty ever paid for COPPA violations and contains injunctive provisions that materially remake the YouTube platform,” but ultimately voted against it because of concerns “that it does not go far enough to ensure that child-directed content on YouTube will be treated in a COPPA-compliant manner.” Commissioner Slaughter took issue with the settlement’s failure to “require YouTube to police the channels that deceive by mis-designating their content,” as such a requirement would be “critical to changing YouTube’s incentives,” as “YouTube profits off of behavioral advertising proportionally with its content creators.”
This action, which was initially investigated by the NYAG, is further confirmation that state attorneys general are increasingly flexing their enforcement muscles and actively investigating violations of both federal and state laws in the data privacy field. Indeed, states have begun coordinated investigations into recent data breaches and have played a crucial role in settlements concerning the Equifax breach. States have also recently resorted to using federal data privacy statutes, like COPPA and the Health Insurance Portability and Accountability Act (“HIPAA”), to pursue data privacy violations. COPPA in particular is a boon for states seeking to enforce data privacy laws, as it authorizes state attorneys general to file actions in federal court to enjoin COPPA violations within their respective jurisdictions. Prior to filing any action, however, state attorneys general must provide the FTC with notice of the action and a copy of the complaint.
The FTC has also stepped up its enforcement of COPPA by bringing more cases, seeking larger fines and expanding its powers under the Act. Earlier this year, the FTC reached a $5.7 million settlement with social networking app TikTok, previously known as Musical.ly, which is owned by Chinese internet company ByteDance, for TikTok’s alleged violation of COPPA. The agreement included the largest fine ever obtained by the FTC for COPPA violations, a record held by TikTok until the YouTube settlement. Commissioners Chopra and Slaughter voted to approve the TikTok settlement, but issued a separate statement that said “[e]xecutives of big companies who call the shots as companies break the law should be held accountable.” The FTC is evidently willing to pursue COPPA violations by both U.S. and non-U.S. companies, and the Commission has also warned that “third parties, such as advertising networks, are also subject to COPPA where they have actual knowledge they are collecting personal information directly from users of child-directed websites and online services.”
Regulators and lawmakers alike have turned their attention to COPPA. In July 2019, the FTC proposed a review of the COPPA Rule that could expand the FTC’s enforcement powers. Regarding those updates, Chairman Joe Simons has stated that “[i]n light of rapid technological changes that impact the online children’s marketplace, we must ensure COPPA remains effective,” and that the FTC is “committed to strong COPPA enforcement.” And Senators Edward J. Markey and Josh Hawley recently introduced bipartisan legislation to expand COPPA to cover children up to age 15 and broaden the definition of covered companies to include those with demonstrably large numbers of underage users, even if those companies do not have actual knowledge about a particular person’s age.
The Google and YouTube settlement is yet another reminder for directors and senior management to ensure the implementation of privacy and data collection compliance frameworks that identify and address COPPA-related issues.
* * *
 Press Release, FTC, Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children’s Privacy Law (Sept. 4, 2019), https://www.ftc.gov/news-events/press-releases/2019/09/google-youtube-will-pay-record-170-million-alleged-violations; Press Release, N.Y. Attorney Gen., Google and YouTube to Pay Record Figure for Illegally Tracking and Collecting Personal Information from Children (Sept. 4, 2019), https://ag.ny.gov/press-release/ag-james-google-and-youtube-pay-record-figure-illegally-tracking-and-collecting.
 15 U.S.C. § 6502(a). COPPA defines “child” as any person below the age of 13. Id. § 6501(1).
 16 C.F.R. § 312.2 (further defining “personal information” to include a home or physical address, telephone number, social security number or a multimedia file containing a child’s image or voice).
 Id. § 312.5(b)(2).
 Letter from the FTC to Imperium LLC (Dec. 23, 2013), https://www.ftc.gov/sites/default/files/attachments/press-releases/ftc-grants-approval-new-coppa-verifiable-parental-consent-method/131223imperiumcoppa-app.pdf.
 Letter from the FTC to Jest8 Limited (Dec. 23, 2013), https://www.ftc.gov/system/files/documents/public_statements/881633/151119riyocoppaletter.pdf.
 Press Release, N.Y. Attorney Gen., supra note 1.
 Complaint, FTC v. Google, No. 16-cv-02642 (D.D.C. Sept. 4, 2019); Stipulated Order, FTC v. Google, No. 16-cv-02642 (D.D.C. Sept. 4, 2019).
 Press Release, FTC, supra note 1.
 Susan Wojcicki, An Update on Kids and Data Protection on YouTube, YouTube: Official Blog (Sept. 4, 2019), https://youtube.googleblog.com/2019/09/an-update-on-kids.html.
 Press Release, FTC, supra note 1.
 Dissenting Statement, Commissioner Rohit Chopra, In the Matter of Google LLC and YouTube LLC 7 (Sept. 4, 2019), https://www.ftc.gov/system/files/documents/public_statements/1542957/chopra_google_youtube_dissent.pdf.
 Dissenting Statement, Commissioner Rebecca Kelly Slaughter, In the Matter of Google LLC and YouTube LLC 4 (Sept. 4, 2019), https://www.ftc.gov/system/files/documents/public_statements/1542971/slaughter_google_youtube_statement.pdf.
 Sara Merken & Daniel R. Stoller, Capital One Data Breach Sparks State Attorney General Probes, Bloomberg Law (July 30, 2019 3:30PM), https://news.bloomberglaw.com/privacy-and-data-security/capital-one-data-breach-draws-state-attorney-general-scrutiny (discussing investigations into the Capital One data breach); Press Release, Connecticut Attorney General, Connecticut and Illinois Open Investigation into Quest Diagnostics, Labcorp Data Breach (June 7, 2019), https://portal.ct.gov/AG/Press-Releases/2019-Press-Releases/CT-AND-IL-OPEN-INVESTIGATION-INTO-QUEST-AND-LABCORP-DATA-BREACH (discussing investigations into data breach of patient information at Quest Diagnostics).
 Press Release, Consumer Financial Protection Bureau, CFPB, FTC and States Announce Settlement with Equifax Over 2017 Data Breach (July 22, 2019), https://www.consumerfinance.gov/about-us/newsroom/cfpb-ftc-states-announce-settlement-with-equifax-over-2017-data-breach/.
 Sue Reisinger, 12 State AGs Sue Electronic Medical Records Company Under HIPAA for Data Breach, a First, Law.com: Corporate Counsel (Dec. 5, 2018 3:38 PM), https://www.law.com/corpcounsel/2018/12/05/12-state-ags-sue-electronic-medical-records-company-under-hipaa-for-data-breach-a-first/.
 15 U.S.C. § 6504(1).
 15 U.S.C. § 6504(2).
 Press Release, FTC, Video Social Networking App Musical.ly Agrees to Settle FTC Allegations that it Violated Children’s Privacy Law (Feb. 27, 2019), https://www.ftc.gov/news-events/press-releases/2019/02/video-social-networking-app-musically-agrees-settle-ftc.
 Joint Statement, Commissioners Rohit Chopra & Rebecca Kelly Slaughter, In the Matter of Musical.ly (now known as TikTok) (Feb. 27, 2019), https://www.ftc.gov/system/files/documents/public_statements/1463167/chopra_and_slaughter_musically_tiktok_joint_statement_2-27-19_0.pdf.
 Press Release, FTC, supra note 1.
 Press Release, FTC, FTC Seeks Comments on Children’s Online Privacy Act Rule (July 25, 2019), https://www.ftc.gov/news-events/press-releases/2019/07/ftc-seeks-comments-childrens-online-privacy-protection-act-rule.
 Press Release, Senator Ed Markey, U.S. Senate, Senators Markey and Hawley Introduce Bipartisan Legislation to Update Children’s Online Privacy Rules (Mar. 12, 2019), https://www.markey.senate.gov/news/press-releases/senators-markey-and-hawley-introduce-bipartisan-legislation-to-update-childrens-online-privacy-rules.