Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

FTC settles with advertising platform for COPPA violations

Federal Issues FTC Enforcement Privacy/Cyber Risk & Data Security COPPA UDAP FTC Act DOJ

Federal Issues

On December 15, the FTC announced a settlement with a California-based online advertising platform for allegedly engaging in deceptive acts of practices and violating the Children’s Online Privacy Protection Act Rule (COPPA). (See also DOJ press release here.) According to the FTC, the defendant operates a programmatic advertising exchange that monetizes websites and mobile apps through the sale of ad space. The defendant also contracts with advertising technology companies that aggregate and sell advertising inventory for publishers and then send the defendant ad requests. The DOJ, on behalf of the FTC, filed a complaint claiming the defendant, among other things, violated COPPA by collecting personal information about children under the age of 13 without notifying their parents and obtaining their consent. Additionally, the FTC claimed that while the defendant’s privacy policy provided users the option to opt-out of the collection of their location data, the defendant still allegedly collected geolocation information from users who specifically asked not to be tracked. The FTC stated that the defendant reviewed hundreds of apps that were directed to children under 13, but did not flag the apps or their data as “child-directed” and permitted the apps to participate in the ad exchange. In addition, the FTC claimed that the defendant allegedly disclosed this personal data to third parties for ads targeted at users of these child-directed apps.

Under the stipulated final order, the defendant must, among other terms, (i) implement a comprehensive privacy program to ensure compliance with COPPA and stop collecting and retaining personal information from children under 13 without verifiable parental consent; (ii) stop misrepresenting a user’s ability to opt-out of the collection of personal information and location information (collectively, “covered information”) and confirm that a user has provided affirmative consent for the collection of location information; (iii) implement safeguards to protect covered information and conduct annual reviews to assess for internal and external risks to the privacy of covered information that could lead to unauthorized access; (iv) engage a third party to conduct biennial privacy assessments; (v) delete all ad request data collected to serve targeted ads prior to the issuance of the order; and (vi) periodically re-review apps to identify those that are directed towards children and ban these apps from its ad exchange. The order also provides for a $7.5 million penalty that will be suspended upon payment of $2 million due to the defendant’s inability to pay the full amount.