NY Attorney General Announces COPPA Violation Settlements with Four Companies | Practical Law

NY Attorney General Announces COPPA Violation Settlements with Four Companies | Practical Law

The New York Attorney General's Office has settled four investigations into alleged violations of the federal Children's Online Privacy Protection Act (COPPA) by Viacom, Inc., Mattel, Inc., Hasbro Inc., and JumpStart Games, Inc. The investigations revealed that these companies' websites used tracking technologies that illegally enabled third-party vendors to track children's online activity in violation of COPPA.

NY Attorney General Announces COPPA Violation Settlements with Four Companies

Practical Law Legal Update w-003-4757 (Approx. 5 pages)

NY Attorney General Announces COPPA Violation Settlements with Four Companies

by Practical Law Intellectual Property & Technology
Published on 16 Sep 2016USA (National/Federal)
The New York Attorney General's Office has settled four investigations into alleged violations of the federal Children's Online Privacy Protection Act (COPPA) by Viacom, Inc., Mattel, Inc., Hasbro Inc., and JumpStart Games, Inc. The investigations revealed that these companies' websites used tracking technologies that illegally enabled third-party vendors to track children's online activity in violation of COPPA.
On September 13, 2016, the New York Attorney General issued a press release, announcing that it reached a settlement with four companies that have agreed to pay penalties totaling $835,000 and adopt comprehensive reforms to protect children from improper online activity tracking. Operation Child Tracker, as the two-year investigation was called, investigated the most popular children's websites for unauthorized tracking, and revealed that websites owned by Viacom, Inc., Mattel, Inc., Hasbro Inc., and JumpStart Games, Inc. allegedly allowed third-party vendors to track children's online activity without parental consent.

Viacom, Inc.

Viacom operates the Nick Jr. and Nickelodeon websites, which feature content associated with animated and live-action children's shows from the Nick Jr. and Nickelodeon television networks. The investigation revealed a variety of improper tracking, including allowing:
  • Advertisers and agencies to place website advertisements that introduced tracking, profiling, and targeted advertising technologies prohibited by COPPA. While Viacom considered different ways to mitigate the risk of COPPA violations by these third parties, it did not take a timely approach or implement sufficient safeguards for its users.
  • A third-party advertising platform to serve behavioral advertising to and track the activity of some Nick Jr. homepage website visitors. Despite Viacom's belief that the Nick Jr. website's homepage was not subject to COPPA because it directed its contents to parents, the Attorney General noted that the homepage also contained content that appealed to children. COPPA classifies mixed audience webpages that do not screen for age as child-directed and subject to COPPA.

Mattel, Inc.

Mattel operates websites associated with many of its toy brands. In particular, its websites feature content for young children, including online games, animated cartoons, and downloadable content. The Attorney General found that these websites violated COPPA by using a variety of improper third-party tracking, including:
  • Employing a tracking technology supplied by a third-party data broker across its websites. While Mattel intended to use the tracker for measuring website metrics, the data broker's technology also introduced other third-party tracking technologies, known as piggybacking, which engaged in the type of tracking, profiling, and targeted advertising prohibited by COPPA.
  • Inadvertently deploying a tracking technology meant for certain e-commerce webpages, that were not directed towards children, to certain child-directed portions of the site.
  • Uploading videos to YouTube and embedding them into the child-directed webpages. Playing the embedded videos triggered Google tracking technologies used for behavioral advertising.

JumpStart, Inc.

JumpStart is a developer of educational and entertainment software and websites for children. In particular, the company operates the Neopets website, which enables users to create and care for virtual pets. Although anyone can navigate the site and play games with or without an account, those who choose to register must provide a date of birth. After the investigation, the Attorney General discovered that JumpStart used third-party tracking technologies for both logged-in users under the age of 13 and users who were not logged in, including:
  • An improperly configured advertising platform that served behavioral advertising to users under the age of 13.
  • A Facebook website plug-in, without notifying Facebook that the site was directed towards children.

Hasbro, Inc.

Hasbro operates websites associated with many of its popular toy brands, featuring content for young children including online games, animated cartoons, and downloadable content. The investigation revealed that Hasbro's child-directed websites contained improper third-party tracking technologies, including:
  • A retargeting advertising campaign that tracked visitors to certain website pages to serve ads to those same visitors when they later browsed other websites.
  • Integration of a third-party plug-in on many of its websites that allowed cross-website tracking. The plug-in also introduced other third-party tracking technologies, which engaged in the type of tracking, profiling, and targeted advertising prohibited by COPPA.
Although Hasbro participated in a safe harbor program, the company failed to disclose the existence of the retargeting advertising campaigns, which violated COPPA.

Settlement Agreements

Each company has entered into a settlement agreement with the Attorney General requiring them to adopt comprehensive reforms, including:
  • Regular electronic scans to monitor for unexpected third-party tracking technologies.
  • Adopting procedures for vetting how third-party technologies use, collect, and disclose personal information before the company allows those technologies onto its child-directed websites.
  • Notifying third-parties that collect, use, and disclose personal information which of the company's websites, or portions of websites, are child-directed.
  • Updating website privacy policies with either:
    • sufficient information for parents to identify which websites or portions of websites are directed towards children; or
    • a way for parents to contact the company to request information on child-directed websites or portions of websites.

Practical Implications

Operation Child Tracker is notable for revealing that website operators have not done enough to ensure children's websites are free from impermissible third-party tracking technologies. In particular, the investigation highlights that website operators must:
  • Vet advertisers, advertising networks, and other third-parties to determine whether they collect personal information and how they will use it.
  • Monitor their websites for unexpected third-party tracking technologies that may be introduced.
  • Keep up with changing ad technologies to ensure COPPA compliance.