September 9, 2019
On September 4, 2019, Google and its subsidiary, YouTube, agreed to pay a record $170 million fine to settle allegations by the Federal Trade Commission (“FTC”) and New York Attorney General (“AG”) that YouTube harvested children’s personal data in violation of the Children’s Online Privacy Protection Act (“COPPA”) Rule, 16 C.F.R. § 312. The proposed settlement—which will require Google and YouTube to pay $136 million to the FTC and $34 million to the State of New York—represents the largest civil penalty ever imposed under COPPA since the legislation’s enactment in 1998, eclipsing the previous record of $5.7 million paid by video social networking app Musical.ly (now known as TikTok) earlier this year. The settlement is the latest in a string of aggressive, high-stakes enforcement actions against companies alleged to have committed privacy-related violations—a trend we expect to continue in coming years. Moreover, the deal signals a notable expansion in the circumstances in which third-party platforms are considered to be directed to children or to possess actual knowledge that they are collecting personal information from users of a child-directed site or service, thereby potentially expanding COPPA’s reach to businesses that previously may not have considered the need for COPPA compliance.
The FTC’s COPPA Rule imposes certain obligations on operators of websites or online services directed to children under the age of 13 that collect, use, or disclose personal information from children, as well as websites or online services that are deemed to be directed to children because they have actual knowledge that they collect personal information from users of other websites or online services directed at children. Such obligations include providing notice of the operators’ data collection practices and obtaining parental consent prior to the collection of personal information from children. A violation of the Rule constitutes an unfair or deceptive act or practice in or affecting commerce in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), for which the FTC may seek civil penalties.
The FTC and New York AG’s complaint alleges that Google and YouTube violated the COPPA Rule by collecting persistent identifiers—which track users’ actions on the Internet—from viewers of “child-directed channels” without first providing notice to parents and obtaining their consent, and that YouTube then used these identifiers to provide targeted advertising to underage viewers in exchange for nearly $50 million in advertising revenue. The complaint claims that content creators of child-directed channels are “operators” for purposes of the COPPA Rule because they collect children’s personal information, and that YouTube was aware that these channels were directed at children, marketed itself as a kid-friendly platform, used a content rating system that includes categories for children under 13, and specifically curated content for a separate mobile application called “YouTube Kids.” As such, the complaint contends, Google and YouTube had actual knowledge that they collected personal information, including persistent identifiers, from viewers of channels and content directed to children under 13, and thus are deemed to operate an online service directed to children under COPPA.
In addition to the $170 million civil penalty, the settlement will require Google and YouTube to notify channel owners that child-directed content may be subject to the COPPA Rule’s requirements and implement a system for YouTube channel owners to designate whether their content is directed at children. This is significant “fencing in” relief because COPPA does not itself require platforms that host and serve ads on child-directed content, but do not create content themselves, to inquire as to whether content is directed at children. In addition, YouTube and Google must provide annual training to relevant employees regarding COPPA Rule compliance and are enjoined from violating the notice and consent provisions of the Rule in the future. In practice, these measures will place responsibility on YouTube as well as individual content creators to proactively identify any child-directed content on the platform and obtain the requisite notice and consent required under the Rule. YouTube has already publicly stated that it will begin limiting data collection on child-directed content and will no longer offer personalized ads on child-directed videos.
The FTC approved the settlement in a 3-2 vote. In a joint statement, Chairman Joe Simons and Commissioner Christine Wilson characterized the settlement as “a significant victory” that “sends a strong message to children’s content providers and to platforms about their obligations to comply with the COPPA Rule.” In a separate statement, Commissioner Noah Phillips expressed support for the settlement while urging Congress to enact privacy legislation that includes more detailed guidance as to how the FTC should calculate civil penalties in privacy cases, where harm is often difficult to quantify. In their dissenting statements, Commissioners Rohit Chopra and Rebecca Kelly Slaughter criticized the proposed settlement as insufficient because it fails to (i) hold senior executives at Google and YouTube individually accountable, (ii) impose injunctive relief requiring YouTube to “fundamentally change its business practices,” and (iii) impose a monetary penalty of an amount sufficient to deter future misconduct.
The settlement is currently pending judicial approval in the United States District Court for the District of Columbia.
The FTC May Contend that COPPA Applies to Platforms, Ad Networks, and Others that Are Aware (or Reasonably Should Be Aware) that They Collect Personal Information from Users of Child-Directed Sites or Content – Despite the fact that YouTube offers products and services to the general public, requires users to be over the age of 13 for use of most features, and does not itself create content, the FTC and New York AG concluded that YouTube was covered by the COPPA Rule because it allegedly had “actual knowledge” that it was collecting personal information from viewers of channels and content directed to children under 13. Similarly, in December 2018, the New York AG took enforcement action against a non-consumer-facing internet service provider that does not itself operate a child-directed website because it was aware that several of its clients’ websites were directed to children under 13. These cases have potentially far-reaching implications for companies that offer apps, websites, and other services that do not target children or position themselves as serving children, but which, in fact, collect personal information from users of child-directed sites in some manner and have actual knowledge of such collection.
Regulators Continue to Focus on Privacy Issues (Particularly Children’s Privacy Issues) – The YouTube settlement is another example of a long-running effort by regulators—in particular, the FTC and New York AG—to investigate and enforce against companies and individuals for privacy-related violations. In July, the FTC announced its largest monetary settlement to date in connection with alleged data privacy-related violations by a social media company, and the New York AG has pursued a number of actions based on alleged COPPA violations, including an $835,000 settlement in 2016 with several children’s brands that were allegedly tracking users to serve ads. In light of the increased focus on privacy-related violations in recent years, we anticipate that this trend will continue at both the federal and state level.
Regulators Are Increasingly Willing to Collaborate on Privacy Enforcement Efforts – The joint effort by the FTC and New York AG against YouTube and Google is but one recent example of regulators pooling resources to enforce against large companies. In December 2018, twelve state Attorneys General, led by the Indiana Attorney General, filed the first ever multi-state data breach lawsuit against a healthcare information technology company and its subsidiary related to a breach that compromised the personal data of 3.9 million people. This is in line with a broader trend of states continuing to coordinate enforcement efforts through multi-state litigations arising from large-scale data breaches and other alleged violations.
The FTC Is Re-Setting Its Standards for Calculating Civil Penalties to Force Companies to Reevaluate the Consequences of Noncompliance – In a statement accompanying the settlement, Chairman Simons and Commissioner Wilson noted that the YouTube settlement is nearly 30 times higher than the largest fine previously imposed under COPPA. And, as noted above, the FTC announced its largest-ever civil penalty in July 2019 as part of a settlement over alleged privacy-related violations—a self-proclaimed “paradigm shift” in consumer privacy enforcement. There, the FTC noted that the penalty was over 20 times greater than the largest fine under the EU’s General Data Protection Regulation (“GDPR”) and one of the largest civil penalties in U.S. history, surpassed only by cases involving widespread environmental damage and financial fraud. In sum, the FTC has expressed a willingness in recent years to impose civil penalties much higher than any previous fine as a way of setting a high-water mark to deter others from committing future violations.
The FTC Continues to Resolve Enforcement Actions Using Highly Prescriptive Consent Orders – In the wake of the LabMD decision, the FTC has resolved numerous cases using highly prescriptive consent orders that mandate sweeping injunctive relief. In LabMD, the Eleventh Circuit found that an FTC cease and desist order mandating a “complete overhaul of LabMD’s data-security program to meet an indeterminable standard of reasonableness” was unenforceable because it lacked adequate specificity. Since then, the FTC has increasingly used consent orders that require detailed injunctive measures to resolve enforcement actions. For example, this latest settlement explicitly requires YouTube to implement a system for channel owners to designate whether their content is directed at children, rather than simply prohibiting YouTube from violating the COPPA Rule again in the future. We can expect the Commission to continue this trend.
Regulators Are Taking Enforcement Actions Based on Highly Technical Aspects of Privacy Compliance – Another noteworthy aspect of the YouTube settlement is that it demonstrates regulators’ ability and willingness to assess highly technical aspects of privacy compliance—such as persistent identifiers—as part of their investigations and enforcement efforts. This is a stark change from several years ago, when enforcement actions tended not to implicate such technical aspects of a company’s products and services. In light of this trend, companies should ensure close coordination among their in-house counsel, IT team, and outside counsel experienced with technical issues, in order to meaningfully evaluate and adopt controls to address and mitigate potential compliance risks.
The complaint against Google and YouTube can be accessed at: https://www.ftc.gov/system/files/documents/cases/youtube_complaint.pdf.
The proposed settlement with Google and YouTube can be accessed at: https://www.ftc.gov/system/files/documents/cases/172_3083_youtube_coppa_consent_order.pdf
Gibson Dunn’s 2019 U.S. Cybersecurity and Data Privacy Outlook and Review can be accessed at: https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2019/
 16 C.F.R. § 312.2.
 15 U.S.C. § 6502(c); 15 U.S.C. § 57(a)(d)(3).
 Susan Wojcicki, An update on kids and data protection on YouTube, YouTube Official Blog (Sept. 4, 2019) https://youtube.googleblog.com/2019/09/an-update-on-kids.html.
 Dissenting Statement of Commissioner Rohit Chopra, In the Matter of Google LLC and YouTube, LLC (Sept. 4, 2019); Dissenting Statement of Commissioner Rebecca Kelly Slaughter, In the Matter of Google LLC and YouTube, LLC (Sept. 4, 2019).
 LabMD, Inc. v. FTC, No. 16-16279, slip op. at 17-18 (11th Cir. June 6, 2018).
The following Gibson Dunn lawyers prepared this client update: Alexander Southwell, Rich Cunningham, Olivia Adendorff, Ryan Bergsieker, Ashley Rogers and Lucie Duvall.
© 2019 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.