YouTube To Pay $170m To Settle Allegations of Illegally Collecting Children’s Personal Data

YouTube will pay a record $170 million to settle allegations by the Federal Trade Commission and the New York Attorney General in the United States that Google’s video sharing service illegally collected personal information from children without their parents’ consent.

The settlement requires Google and YouTube to pay $136 million to the FTC and $34 million to New York for allegedly violating the Children’s Online Privacy Protection Act Rule. The $136 million penalty is by far the largest amount the FTC has ever obtained in a COPPA case since Congress enacted the law in 1998, the FTC said.

In a complaint filed against the companies, the FTC and New York Attorney General allege that YouTube violated the COPPA Rule by collecting personal information—in the form of cookies —from viewers of child-directed channels, without first notifying parents and getting their consent. YouTube earned millions of dollars by using the cookies to deliver targeted ads to viewers of these channels, according to the complaint.

The COPPA Rule in the United States requires that child-directed websites and online services provide notice of their information practices and obtain parental consent prior to collecting personal information from children under 13, including the use of persistent identifiers to track a user’s Internet browsing habits for targeted advertising. In addition, third parties, such as advertising networks, are also subject to COPPA where they have actual knowledge they are collecting personal information directly from users of child-directed websites and online services.

“YouTube touted its popularity with children to prospective corporate clients,” said FTC chairman Joe Simons. “Yet when it came to complying with COPPA, the company refused to acknowledge that portions of its platform were clearly directed to kids. There’s no excuse for YouTube’s violations of the law.”

The YouTube platform allows Google account holders, including large commercial entities, to create “channels” to display their content. According to the complaint, eligible channel owners can choose to monetize their channel by allowing YouTube to serve behaviorally targeted advertisements, which generates revenue for both the channel owners and YouTube.

Several channel owners told YouTube and Google that their channels’ content was directed to children, and in other instances YouTube’s own content rating system identified content as directed to children. In addition, according to the complaint, YouTube manually reviewed children’s content from its YouTube platform to feature in its YouTube Kids app.

Despite this knowledge of channels directed to children on the YouTube platform, YouTube served targeted advertisements on these channels. According to the complaint, it even told one advertising company that it did not have users younger than 13 on its platform and therefore channels on its platform did not need to comply with COPPA.

The settlement also prohibits Google and YouTube from violating the COPPA Rule, and requires them to provide notice about their data collection practices and obtain verifiable parental consent before collecting personal information from children.

In a statement, Youtube highlighted the changes it was making to better protect children using the platform. It said: “Responsibility is our number one priority at YouTube, and nothing is more important than protecting kids and their privacy. We’ve been significantly investing in the policies, products and practices to help us do this. 

“We’ve been taking a hard look at areas where we can do more to address this, informed by feedback from parents, experts, and regulators, including COPPA concerns raised by the U.S. Federal Trade Commission and the New York Attorney General that we are addressing with a settlement announced today.” 

Separately, Google has been accused of secretly using hidden web pages that feed the personal data of its users to advertisers, “undermining its own policies and circumventing EU privacy regulations that require consent and transparency”, the FT reported.

In evidence to the Data Protection Commission in Ireland Johnny Ryan, chief policy officer of web browser Brave, said he had discovered the secret web pages as he tried to monitor how his data were being traded on Google’s advertising exchange.

As reported in The Telegraph, a Google spokesperson said: “We do not serve personalised ads or send bid requests to bidders without user consent. The Irish DPC – as Google’s lead DPA – and the UK ICO are already looking into real time bidding in order to assess its compliance with GDPR. We welcome that work and are co-operating in full.”