It has been a particularly rough time for the digital advertising industry recently. In September 2018, complaints were submitted to the Irish Data Protection Commission and the UK Information Commissioner’s Office seeking a declaration that the two most widely-used real-time bidding protocols are “mass data broadcast mechanisms” that violate the GDPR. Then, in late October, the French supervisory authority, CNIL, declared that French ad tech startup, VECTAURY, violated the GDPR by not obtaining valid consent for its collection and use of geolocation data from its partners’ apps and real-time bid requests for targeted advertising and profiling purposes. Most recently, on December 3, the Office of the New York Attorney General (NYAG) announced a record settlement with Oath, formerly known as AOL, for violating the Children’s Online Privacy Protection Act (COPPA).

What makes the Oath settlement so newsworthy isn’t simply that Oath has agreed to pay a record-setting amount—almost $5 million—to settle allegations that, as AOL, it violated the federal privacy statute. This settlement is significant because it has established a new standard for notification under COPPA, with wide-reaching ramifications for the broader digital advertising ecosystem.