Last week, the Federal Trade Commission (FTC) announced that it has required Google and YouTube to pay a settlement fee totaling $170 million after its video-sharing platform was found violating the Children’s Online Privacy Protection Act (COPPA). The complaint was filed by the FTC and the New York Attorney General, with the former set to receive the penalty amounting to $136 million and the latter $34 million.
According to the FTC’s press release, this penalty “is by far the largest amount the FTC has ever obtained in a COPPA case since Congress enacted the law in 1998.”
Note that the complaint doesn’t involve the YouTube Kids app, a YouTube service dedicated to showcasing child-directed content only. Although the app still displays ads, albeit to a limited degree, it doesn’t track child data for this purpose.
This win over Google and YouTube follows on the heels of several complaints filed by the FTC in 2019 aiming to protect children’s privacy online. In May, three dating apps were removed from both the Apple and Google market places after the FTC alleged that the apps allowed 12-year-old kids to access them.
i-Dressup.com, a dress-up game website, agreed to settle charges in April after the FTC filed a complaint, alleging that the operators of the website failed to ask for parental consent when collecting data from children under 13.
In a similar case in February, the FTC reached a settlement with Musical.ly, now popularly known as TikTok, after its operators were found to collect data of young children, which includes their full names, email addresses, and other personally identifiable information (PII) without their parents’ consent.
A summary of YouTube’s violation
Since its inception, YouTube has touted itself as a video-sharing platform for general audience content. It was created for adults and not intended for children under 13 years of age.
Through the years, however, YouTube has become a constant companion of young children. In fact, according to market research company, Smarty Pants, YouTube is recognized as the most beloved brand among US kids aged 6–12 years old for four straight years since 2016. 
It’s also exceedingly difficult to defend the argument that “YouTube is not for children” when a sizable amount of child-directed content is already present—and continues to grow and rake in billions of views—on the platform.
YouTube’s business model is dependent on collecting personal information and persistent identifiers (i.e., cookies) from users for behavioral or personalized advertising. Child-directed channel owners who chose to monetize their content allowed YouTube to collect data of their target audience: children under 13, the age group YouTube said it wasn’t built for.
It’s easy to assume that YouTube may not have the means to know which data belongs to which age group, else they would have acted on it. However, according to the complaint [PDF], YouTube did know that they were collecting data from children.
More surprising, even, is the fact that Google used YouTube’s brand popularity among young kids as part of their marketing tactic, selling themselves to manufacturers and brands of child-centric products and services as “the new Saturday Morning Cartoons” among others.
Despite this knowledge, YouTube never attempted to notify parents about their data collection process, nor did they ask parents for consent in the data collection. In COPPA’s eyes, these are enormous red flags.
Good news: positive change is at hand
The settlement agreed upon between the FTC and Google/YouTube includes a monetary relief—the $170 million payout in this case—and three injunctive reliefs, which is defined as an act or prohibition the companies must complete as ordered by the court. As per the press release, the injunctions are as follows:
- Google and YouTube must “develop, implement, and maintain a system that permits channel owners to identify their child-directed content on the YouTube platform so that YouTube can ensure it is complying with COPPA.”
- Google and YouTube must “notify channel owners that their child-directed content may be subject to the COPPA Rule’s obligations and provide annual training about complying with COPPA for employees who deal with YouTube channel owners.”
- Google and YouTube are prohibited from violating the COPPA Rule, and the injunction “requires them to provide notice about their data collection practices and obtain verifiable parental consent before collecting personal information from children.”
As content creators are also culpable in letting the platform know about the kind of content they’re producing and posting, the FTC has noted that failure to inform YouTube that their content is aimed at children could be subject to removal from YouTube and other civil penalties.
Susan Wojcicki, CEO of YouTube, took to its official blog to personally update readers by expanding on these changes and reminding users that the company has been actively making changes within the video platform from Q4 2017.
“We’ve been significantly investing in the policies, products and practices to help us do this,” wrote Wojcicki. “From its earliest days, YouTube has been a site for people over 13, but with a boom in family content and the rise of shared devices, the likelihood of children watching without supervision has increased. We’ve been taking a hard look at areas where we can do more to address this…”
Here is a list of expanded changes that YouTube will undergo in the coming months:
- In four months, data from anyone viewing content directed at children will be treated as coming from a child regardless of the viewer’s actual age.
- Personalized ads will no longer be served within child-directed content. (Note that this doesn’t mean that no ads will be shown.)
- Some YouTube features, like comments and notifications, will be unavailable on such content.
- YouTube will be using machine learning to find child-directed content.
- YouTube will further promote their YouTube Kids app to parents by running a campaign on YouTube itself and creating a desktop version of the app.
- YouTube will be providing support to family and kid content creators during the transition phase.
- YouTube is launching a $100 million fund for creators to make content that are both original and thoughtful. This fund is dispersed over the next three years.
General dissatisfaction with results
While some may see this as a historic win for the FTC and the New York Attorney General, others view it as another exercise in avoiding due punishment for another big company breaking the law.
Case in point: Commissioner Rohit Chopra, one of the two commissioners who voted against the settlement, pointed out in his statement [PDF] the same mistakes the Commission made in a similar Facebook case: “[There is] no individual accountability, insufficient remedies to address the company’s financial incentives, and a fine that still allows the company to profit from its lawbreaking.”
Chopra also noted inconsistencies with the way the FTC handles cases of small companies versus large firms. Ergo, the former is penalized excessively while the latter gets off easy. With this point, James P. Steyer, founder and CEO of Common Sense Media, agrees.
“The settlement is nothing more than a slap on the wrist for a company as large as Google, and does not enforce meaningful change to truly protect children’s data and privacy,” Steyer said in an official statement.
However, he also recognized that YouTube’s stated reforms are moving the dialogue forward. “YouTube’s commitment to enacting specific reforms on the platform is also a step in the right direction, but they must now put resources behind their statement. Kids and families must be a top priority in both Washington, DC, and in Silicon Valley.”
Commissioner Rebecca Slaughter, the other dissenting party, raised in her own statement [PDF] that the injunctions are incomplete, for they lack the orders and/or mechanisms—a “technological backstop”—that ensure content creators are telling the truth in properly designating channels of child-directed content.
Slaughter isn’t the only one to mention what’s lacking in the settlement. Speaking to Angelique Carson, editor for the International Association of Privacy (IAPP) in The Privacy Advisory Podcast, Linnette Attai, president of global compliance firm PlayWell and COPPA expert, expressed her concerns.
“We’re not seeing the rigorous third-party auditing that we’ve seen, traditionally, in COPPA settlements. We’re not seeing requirements to delete data, which is something that you will see in very early COPPA settlements but seems to have fallen off as an option for the FTC in recent years,” she said. “It’s one thing to say, ‘You cannot use this data.’ It’s quite another to say, ‘You have to delete it,’ which ensures that you cannot accidentally use it.”
V for vigilance
Every person has data, and in this day and age, it’s passed around regularly, oftentimes nonchalantly, to those who may or may not appreciate its value. If users are unfazed about big and small companies crossing lines to monetize personal data, perhaps a stark reminder that cybercriminals are after your PII, too, will make you seriously consider how you approach your data privacy.
Children’s data is being targeted by threat actors, too. In fact, when it comes to fraud, cybercriminals prefer data belonging to kids over adults. This is why parents and carers must be extra vigilant in keeping their data—and the data of their little ones—secure. Talking to your kids about what it’s like online [PDF], knowing the ways you can protect your child’s privacy, and reporting companies to the FTC for potential COPPA rights violations are three big steps you can take to not only improve your child’s privacy posture but their security posture as well.
Stay safe, everyone! Especially for your kids.