The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

Following $170M Fine of Google, FTC to Review, Update COPPA Rule

by Chris Brook on Thursday September 5, 2019

Contact Us
Free Demo
Chat

Many privacy advocates, including the FTC's own commissioner, say the FTC's record $170 million fine that it violated COPPA, isn't enough.

Upset with the standard that big tech companies are held to when they violate the privacy of children, the Federal Trade Commission is looking to fine tune how it enforces Children's Online Privacy Protection Act, or COPPA, violations.

The FTC made its stance clear earlier this summer, when it published a request for comment on a regulatory review to its enforcement policy to the Federal Register, but it resurfaced this week following a fine by the agency against Google for privacy violations stemming from YouTube.

The fine, $170 million, is tied to allegations that Google knowingly and illegally collected the personal data of children and used that information to funnel them advertisements.

Google agreed to settle the charges, which were brought against the company jointly by the FTC and New York’s attorney general. As a result of the settlement, $136 million of the $170 million will go to the FTC, while $34 million will go to the state of New York.

In wake of the settlement, privacy advocates and even the FTC's own commissioner, Rohit Chopra, are contending the fine is tantamount to a drop in the bucket for the company and that the agency needs to be able to do more in order to better protect children.

Chopra on Wednesday morning called the settlement “a giveaway to Google” and that by imposing it, the FTC is repeating mistakes from its July $5 billion settlement with Facebook, calling it "a penalty that barely bites, [with] no individual accountability, and insufficient fixes to flawed incentives."

Chopra went as far Wednesday as to issue a formal dissent (.PDF) around the fine, arguing that the way the FTC approached the settlement is inconsistent with how it handles other violators of COPPA.

"When small players and upstarts violate COPPA, the companies pay dearly and the executives are investigated and, if liable, held personally accountable. Here, where a dominant incumbent engaged in widespread violations, the company is paying a slice of their profits from wrongdoing and executives avoid scrutiny," Chopra wrote.

COPPA, which was enacted in 1998 but didn't go into effect until 2000, requires websites that direct content to children to disclose their data practices and obtain parental consent for information it collects for children under age 13.

Chopra agreed with part of a dissenting statement by a co-worker, FTC Commissioner Rebecca Slaughter, who suggested (.PDF) that the agency's actions this week are insufficient. Slaughter points out that Google and YouTube knew what it was doing by allowing for behavioral advertising without human review and that barring an acknowledgement by Google that it’s going to change its business practices, one assumes children will still be at risk.

Slaughter suggested implementing a sort of mechanism that could at least keep YouTube honest as to whether or not its purposefully directing content towards children.

“When it comes to fencing-in relief, the current order looks like a fence but one with only three sides,” Slaughter wrote, “The missing fourth side is a mechanism to ensure that content creators are telling the truth when they designate their content as not child-directed. And such a mechanism is surely within YouTube’s mighty technological capacity. It already algorithmically classifies videos into age categories, as the complaint details with respect to “Y”-rated videos for ages 0–7. Applying the same or similar classifier to identify mis-designated child-directed content would provide an important technological backstop to the relief already in the order.”

The agency obviously has its hands full when it comes to protecting the privacy of Americans but in order to better protect children, Chopra says the Commission needs to enact meaningful financial penalties for violators, shift towards civil penalties that are easier for agencies, courts, and attorney generals to pursue, and address how mass surveillance and privacy intrusions can harm competition.

The FTC specifically cited the rapid evolution of technology - voice-enabled connected devices and platforms that host child-directed third-party content - in its unanimous decision to review the rule last month.

While the settlement, which was approved by a 3 to 2 vote, was downplayed by Chopra and Slaughter it still serves as a sizeable win for the agency.

Previously, the largest fine the FTC had imposed on a company until this week was $5.7 million, a fine against developers of TikTok, a video social media app, for illegally collecting names, email addresses, photos, and locations of children under the age of 13.

Tags: Government, Privacy

Recommended Resources


  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business
  • How to simplify the classification process
  • Why classification is important to your firm's security
  • How automation can expedite data classification

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.