hands-keyboard typing, computer, laptop peshkova – Fotolia

AOL, now known as Oath Inc., has agreed to pay $4.95 million in penalties under violations of a federal law intended to protect the personal data of children on the internet—the largest settlement under that statute in U.S. history.

New York Attorney General Barbara Underwood said in a news release announcing the settlement that AOL violated the Children’s Online Privacy Protection Act by conducting billions of auctions for ad space on hundreds of websites that it knew were aimed at young children.

The company, according to Underwood, collected, used and disclosed the personal information of individuals who used those websites. That allowed advertisers to place targeted ads to young children. The practice of collecting the personal data of children younger than 13 years old is a violation of COPPA, Underwood said.

“COPPA is meant to protect young children from being tracked and targeted by advertisers online. AOL flagrantly violated the law—and children’s privacy—and will now pay the largest-ever penalty under COPPA,” Underwood said. “My office remains committed to protecting children online and will continue to hold accountable those who violate the law.”

Oath, which is owned by Verizon, is the main brand name for a conglomerate of internet companies, including AOL and Yahoo. A spokesman for the company said they were pleased to have the matter be resolved.

“We are pleased to see this matter resolved and remain wholly committed to protecting children’s privacy online,” the spokesman said.

The violations have to do with several ad exchanges that AOL operates and other exchanges the company used to place ads.

Those exchanges conduct what could be described as a virtual auction. When a user opens a web page, information that’s stored in their web browser is immediately sent to entities that can place a bid on ad space on behalf of an advertiser. The exchange collects several bids, selects a winner, and then allows the advertiser to serve an ad to the user. That entire process happens in a fraction of a second, allowing ads to be immediately placed based on a user’s information.

Those ad exchanges are not allowed to use browser data, a user’s Internet Protocol address, or other identifiers for advertising purposes on websites covered under COPPA, according to Underwood’s office. Despite that rule, Oath is alleged to have done just that.

The company used its ad exchange to conduct billions of auctions for ad space on websites that it knew to be targeted toward users under the age of 13 and therefore subject to COPPA, Underwood’s office said. Until recently, the company’s exchange was apparently not capable of conducting a COPPA-compliant auction because its systems would collect information from users and disclose it to third parties.

Several AOL clients had informed the company that their websites were subject to the law. AOL had also determined on its own that certain websites were subject to COPPA. The company also had a policy prohibiting the use of its exchange to auction ad space on COPPA-covered websites to third parties, Underwood’s office said.

Despite that policy, AOL continued to conduct at least 2 billion ad display auctions on those websites, according to Underwood’s office.

The company also violated COPPA when it participated in auctions conducted by other ad exchanges. AOL operates a business that places bids through those exchanges, which are able to auction space in a manner compliant with COPPA. When information is passed to bidders through one of those auctions, the advertisers are expected not to use it when serving ads on COPPA-covered websites.

The systems at AOL, instead, ignored information that those websites were covered under COPPA and served ads like they usually would, Underwood’s office said. A manager at the company based in New York is also said to have intentionally configured a client’s account in a way that would violate COPPA in order to increase ad revenue. The manager also falsely told the client on more than one occasion that AOL’s ad exchange could be used to sell ad space to third parties in a COPPA-compliant manner, Underwood’s office said.

AOL has since agreed to destroy any personal information it’s collected from children that is either in its possession or that it controls unless its required to be maintained by law. The company will also have to establish a new program to ensure its compliance with COPPA under the settlement, according to Underwood’s office.

The settlement was handled within the internet and technology bureau at the Attorney General’s Office by Assistant Attorney General Jordan Adler and Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kim Berger.


NY AG Announces Probe of Marriott Data Breach and Its Failure to Report Incident

Federal Data Privacy Legislation Is Likely Next Year, Tech Lawyers Say

Equifax Agrees to New Data Breach Safeguards in Consent Order With State Regulators