Wells Fargo Tries To Do The Right Thing For Its Customers
Massachusetts Regulator Charges Morgan Stanley Bank With Operating 'Unethical' Sales Contests

4 Website Operators Settle With New York State Attorney General For Illegal Tracking of Children

Earlier this month, the Attorney General for the State of New York (NYSAG) announced settlement agreements with the operators of several popular websites for the illegal online tracking of children, which violated the Children's Online Privacy Protection Act (COPPA). The website operators agreed to pay a total of $835,000 in fines, comply with, and implement a comprehensive set of requirements and changes.

COPPA, passed by Congress in 1998 and updated in 2013, prohibits the unauthorized collection, use, and disclosure of children’s personal information (e.g., first name, last name, e-mail address, IP address, etc.) on websites directed to children under the age of 13, including the collection of information for tracking a child’s movements across the Internet. The 2013 update expanded the list of personal information items, and prohibits covered operators from using cookies, IP addresses, and other persistent identifiers to track users across websites for most advertising purposes, amassing profiles on individual users, and serving targeted behavioral advertisements.

The NYSAG operated a program titled "Operation Child Tracker," which analyzed the most popular children’s websites for any unauthorized tracking. The analysis found that four website operators include third-party tracking on their websites -- which is prohibited by COPPA -- and failed to properly evaluate third-party companies, such as advertisers, advertising networks, and marketers. The website operators and their properties included Viacom (websites associated with Nick Jr. and Nickelodeon), Mattel (Barbie, Hot Wheels, and American Girl), JumpStart (Neopets), and Hasbro (My Little Pony, Littlest Pet Shop, and Nerf).

Regular readers of this blog are familiar with the variety of technologies and mechanisms companies have used to track consumers online: web browser cookies, “zombie cookies,” Flash cookies, “zombie e-tags,” super cookies, “zombie databases” on mobile devices, canvas fingerprinting, and augmented reality (which tracks consumers both online and in the physical world). For example, the web browser cookie is a small text file placed by a website on a user’s computer which is stored by the user’s web browser.  Every time a user visits the website, the website retrieves all cookies files stored by that website on the user’s computer. Some website operators shared the information contained in web browser cookies with third-party companies, such as marketing affiliates, advertisers, and tracking companies. This allows web browser cookies to be used to track a user’s browsing history across several websites.

All of this happens in the background without explicit notices in the web browser software, unless the user configures their web browser to provide notice and/or to delete all browser cookies stored. The other technologies represent alternative methods with more technical sophistication and stealth.

The announcement by the NYSAG described each website operator's activities:

"Viacom operates the Nick Jr. website, at www.nickjr.com, and the Nickelodeon website, at www.nick.com... The office of the Attorney General found a variety of improper third party tracking on the Nick Jr. and Nickelodeon websites. These included:

1. Many advertisers and agencies that placed advertisements on Nick Jr. and Nickelodeon websites introduced tracking technologies of third parties that routinely engage in the type of tracking, profiling, and targeted advertising prohibited by COPPA. Viacom considered several approaches to mitigate the risk of COPPA violations from these third parties, including removing adult advertising from a child-directed section of the Nick Jr. website and monitoring advertisements for unexpected tracking... However, Viacom did not timely take either approach and did not implement sufficient safeguards for its users.

2. Some visitors to the homepage of the Nick Jr. website were served behavioral advertising and tracked through a third party advertising platform Viacom used to serve advertisements. Although Viacom considered the homepage of the Nick Jr. website to be parent-directed, and thus not covered by COPPA, the homepage had content that appealed to children. Under COPPA, website operators must treat mixed audience pages as child-directed..."

Mattel logo The NYSAG also found:

"... 26 of Mattel’s websites feature content for young children, including online games, animated cartoons, and downloadable content such as posters, computer desktop wallpaper, and pages for young children to color... The office of the Attorney General found that a variety of improper third party tracking technologies were present on Mattel’s child-directed websites and sections of websites. These included:

1. Mattel deployed a tracking technology supplied by a third party data broker across its Barbie, Hot Wheels, Fisher-Price, Monster High, Ever After High, and Thomas & Friends websites. Mattel used the tracking technology for measuring website metrics, such as the number of visitors to each site, a practice permitted under COPPA. However, the tracking technology supplied by the data broker introduced many other third party tracking technologies in a process known as “piggy backing.” Many of these third parties engage in the type of tracking, profiling, and targeted advertising prohibited by COPPA.

2. A tracking technology that Mattel deployed on the e-commerce portion of the American Girl website, which is not directed to children or covered by COPPA, was inadvertently introduced onto certain child-directed webpages of the American Girl website.

3. Mattel uploaded videos to Google’s YouTube.com, a video hosting platform, and then embedded some of these videos onto the child-directed portion of several Mattel websites, including the Barbie website. When the embedded videos were played by children, it enabled Google tracking technologies, which were used to serve behavioral advertisements.

JumpStart logo Regarding JumpStart, the NYSAG found:

"... several improper third party tracking technologies were present on the Neopets website, both for logged-in users under the age of 13 and users who were not logged-in. These included:

1. JumpStart failed to configure the advertising platform used to serve ads on the Neopets website in a manner that would comply with COPPA. As a result, users under the age of 13 were served behavioral advertising and tracked through the advertising platform.

2. JumpStart integrated a Facebook plug-in into the Neopets website... Facebook uses the tracking information for serving behavioral advertising, among other things, unless the website operator notifies Facebook with a COPPA flag that the website falls is subject to COPPA. JumpStart did not notify Facebook that the Neopets website was directed to children."

Hasbro logo For Hasbro, the NYSAG found:

"... several improper third party tracking technologies were present on Hasbro’s child-directed websites and sections of websites. These included:

1. Hasbro engaged in an advertising campaign that tracked visitors to the Nerf section of Hasbro’s website in order to serve Hasbro advertisements to those same users as they visited other websites at a later time, a type of online behavioral advertising prohibited by COPPA known as “remarketing.”

2. Hasbro integrated a third-party plug-in into many of its websites, that allowed users to be tracked across websites and introduced other third parties that engaged in the type of tracking, profiling, and targeted advertising prohibited under COPPA.

It is important to note that Hasbro participated in a safe harbor program. A website operator that complies with the rules of an FTC-approved safe harbor program is deemed in compliance with COPPA. However, safe harbor programs rely on full disclosure of the operator’s practices and Hasbro failed to disclose the existence of the remarketing campaign through the Nerf website."

The terms of the settlement agreements require the website operators to:

  1. Conduct regular electronic scans for unexpected third party tracking technologies that may appear on their children’s websites. Three of the companies, Viacom, Mattel, and JumpStart will provide regular reports to the office regarding the results of the scans.
  2. Adopt procedures to evaluate third-party companies before they are introduced onto their children’s websites. the evaluation should determine whether and how the third parties collect, use, and disclose, and allow others to collect, use, and disclose, personal information from users.
  3. Provide notice to third parties that collect, use, or disclose personal information of users with information sufficient to enable the third parties to identify the websites or sections of websites that are child directed pursuant to COPPA.
  4. Update website privacy policies with either, a) information sufficient to enable parents and others to identify the websites and portions of websites that are directed to children under COPPA, or b) a means of contacting the company so that parents and others may request such information.

Kudos to the NYSAG office and staff for a comprehensive analysis and enforcement to protect children's online privacy. This type of analysis and enforcement is critical as companies introduce more Internet-connected toys and products classified as part of the Internet of Things (ioT).

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Chanson de Roland

What is jarringly incongruous is that we protect the privacy and ownership of a subset of children's personal information and authoring activity on the Internet, those who are less than 13 years of age, by COPPA's prohibitions on the acquisition and use of their personal information for the purposes of marketing, tracking, and otherwise trading in their personal information for profit. And we do this in COPPA in a way that implicitly acknowledges that children of less than 13 years on their personal information, which only their parent or legal guardian can negotiate on their behalf. But when you are a child of 13 or more years or when you've reached the age of majority your privacy and ownership rights in your personal information vanish.

That's an extraordinary type of property rights in intangible property, i.e., personal information, that have hitherto been unknown in the law, whereby one's rights in a class of property, his personal information, vanishes not based on particular agreement or instrument or some sui generis personal condition, but substantially vanishes for everyone when he reaches 13 years of age and completely vanishes when one reaches 18, the age of majority.

What can explain this? Well, the answer is venality and greed that has corrupted our courts and our legislators so that they've transferred our rights in our personal information to Google, Facebook, marketers, data aggregators, and their ilk so that they can make fabulous profits by misappropriating our personal information, without any effective license or permission from us. Indeed, most of the websites that I visit have all of the trackers that the Editor discusses, supra, and would do their work, if I didn't take extraordinary measures to stop them, without any notice or request for my license. And that is true for us all, and goes unnoticed because most don't have their web browser configured to detect the trespass on their privacy, the tracking of their actions, and the acquisition of their personal information. And so we are tracked pervasively and comprehensively in everything that we do on the Internet by private firms for the sake of their profits in ways that make the NSA, CIA, and FBI blush with envy.

And so for the sake of Google, Facebook, and their ilk's profits, we deprive everyone, except those under 13, of their rights in their personal information. And we do it because their profits are great, but that is nothing other than decadence, the decadence of a society whose state of decay place it in jeopardy of its life. And it is unnecessary, because it seems clear that most are willing to trade their most precious record of themselves for even the most trivial of the Internet's play things.

So why enable the misappropriation of our personal information, when we are so willing to trade it for so little? I think that it is because it is important that we have no rights in our personal information, that the property rights in our personal information be transferred to others for their profits, because Google and its ilk must have unfettered use, disposition, and control of our personal information so as to be able exploit it fully without any of us having any resort to courts of justice. But that too is an advanced sign of advanced decay.

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name and email address are required. Email address will not be displayed with the comment.)