Last week the New York Attorney General (NY AG) Eric T. Schneiderman announced the conclusion of a two-year investigation into the tracking practices of four online publishers – Viacom, Inc., Mattel, Inc., Hasbro Inc., and JumpStart Games, Inc. – over allegations of violations of the federal Children’s Online Privacy Protection Act of 1998 (COPPA)[1] and the Federal Trade Commission’s (FTC) rule implementing it (COPPA Rule).[2]

According to the NY AG’s allegations, the companies allowed third-party vendors, including marketers and advertising companies, to track children’s online activity without obtaining “verifiable parental consent” under the COPPA Rule. Under the COPPA Rule, online service providers are strictly liable for acts of third parties.

All of the settling companies agreed to adopt several COPPA compliance measures, including:

  • Regular electronic scans to check for third-party trackers;
  • Procedures for assessing third parties’ tracking to ensure that any tracking complies with COPPA; and
  • Notifying third parties that the websites for which they are providing services are covered by COPPA.

Three companies also agreed to make payments to the AG (Viacom agreed to pay $500,000; Mattel, $250,000; and JumpStart, $85,000), while Hasbro, which participated in an FTC-approved safe harbor program, did not. The parties paying settlements will also be required to file periodic reports. Oversight of practices of COPPA safe harbor participants are required to be monitored by the safe harbor organization in accordance with the rules governing the program’s approval by the FTC.

Jessica Rich, the Federal Trade Commission’s (FTC’s) Director of the Bureau of Consumer Protection, expressed appreciation to the NY AG’s office for coordination with the Commission.

The press release acknowledges the difficulties that publishers of online services have in keeping up with the changing advertising technology landscape, but is a reminder of the strict liability aspect of COPPA. The settlement represents the most prominent enforcement action of COPPA by a state attorney general to date. Businesses that operate online services directed to children under 13, or those that have actual knowledge that they collected information from children under 13, face increasingly complex COPPA compliance challenges in this evolving technological landscape.