Viacom, Mattel, Hasbro, And JumpStart Violated Children’s Online Privacy Protection Act By Allowing Illegal Third-Party Tracking Technology At Websites For Barbie, Nick Jr., My Little Pony, American Girl, Hot Wheels, And Dozens Of Others
Companies Agree To Pay Penalties Totaling $835,000, Adopt Comprehensive Reforms To Protect Children From Improper Tracking
Attorney General Eric T. Schneiderman today announced that his office has reached settlements with Viacom, Inc., Mattel, Inc., Hasbro Inc., and JumpStart Games, Inc., resolving investigations into the companies’ violations of the Children’s Online Privacy Protection Act (COPPA).
“Operation Child Tracker,” a two-year, first-of-its-kind investigation by the Attorney General’s office, discovered that websites operated by these companies were home to tracking technology that illegally enabled third-party vendors, such as marketers or advertising companies, to track children’s online activity in violation of COPPA.
The companies – whose online properties include some of the most popular children’s websites, including websites associated with Nick Jr. and Nickelodeon (Viacom); Barbie, Hot Wheels, and American Girl (Mattel); Neopets (JumpStart); and My Little Pony, Littlest Pet Shop, and Nerf (Hasbro) – agreed to pay a combined $835,000 in penalties and implement significant reforms.
“Federal law demands that children are off-limits to the prying eyes of advertisers,” saidAttorney General Schneiderman. “Operation Child Tracker revealed that some of our nation’s biggest companies failed to protect kids’ privacy and shield them from illegal online tracking. My office remains committed to protecting children online and will continue our investigation to hold accountable those who violate the law by tracking children.”
“In enacting COPPA, Congress wisely provided for law enforcement by both the FTC and state attorneys general, so that there are multiple cops on the beat protecting children’s privacy,” saidJessica Rich, Director of the Federal Trade Commission’s Bureau of Consumer Protection. “We applaud these important actions by the New York Attorney General’s office, and appreciate their coordination with the Commission. These settlements send a strong message to companies about the importance of complying with the COPPA Rule.”
“These important settlement agreements are the latest illustration of just how important it is for businesses, parents, and policymakers to be more vigilant about protecting the online privacy of kids and to build in privacy by design,” said Ariel Fox Johnson, Senior Policy Counsel at Common Sense Media, a recognized leader in educating families about online privacy and security. “We applaud Attorney General Schneiderman and the companies for working together to ensure these web sites no longer enable the tracking or commercial profiling of kids and hope that the settlements will bring greater awareness about steps we should all take to make sure that the online world of children is educational, fun, and also safe.”
COPPA prohibits the unauthorized collection of children’s personal information on websites directed to children under the age of 13, including the collection of information used to track a child’s movements across the web. Each of the settling companies allowed third party tracking technologies on their websites in violation of COPPA.
Each of the settling parties has agreed to comprehensive reforms to protect children from improper tracking in the future. These include regular electronic scans to monitor for third party tracking technologies, adopting procedures for vetting third parties’ data collection practices to ensure that they comply with COPPA, and providing notice to third parties when they are operating through a website covered by COPPA. Three of the companies -- Viacom, Mattel, and JumpStart -- will also provide regular reports to the office regarding the results of their scans and pay penalties totaling $835,000. Viacom will pay $500,000; Mattel will pay $250,000; JumpStart will pay $85,000. Hasbro participated in an FTC-approved “safe harbor” program and will not pay a penalty.
Each of the settling companies cooperated in “Operation Child Tracker” and took remedial measures after being contacted by the Attorney General.
How Targeted Advertising and Tracking Works
Most online shoppers have encountered advertisements for a product that seems to follow them from website to website. These advertisements are known as online behavioral advertisements or OBA, a form of targeted advertising that selects an advertisement to serve to an individual based on previously collected information about that individual, such as the individual’s Internet browsing history, demographic information, or personal interests.
One of the most common tracking technologies used for OBA is the web browser cookie, a small text file sent by a website to a user’s computer and stored by the user’s web browser. Every time the user connects to the website’s server, all of the cookies stored by that website on the user’s computer are retrieved and their values are transmitted to the server. Where a third party is integrated into many websites, cookies can be used to track a user’s browsing history across those websites; each time a user visits a website that incorporates the third party, the user’s browser will transmit information from the user’s cookie to the third party, thereby notifying the third party of the user’s visit to the website.
The Children’s Online Privacy Protection Act (COPPA)
In 1998, Congress enacted COPPA to protect the safety and privacy of young children online. COPPA prohibits operators of certain websites from collecting, using, or disclosing personal information (e.g., first and last name, e-mail address) of children under the age of 13 without first obtaining a parent’s consent. The operators of websites directed to children under the age of 13 (a “child-directed website”) and the operators of websites that have actual knowledge that they are collecting personal information from a child under the age of 13 (collectively, “covered operators”) are subject to COPPA.
In July 2013, revised FTC regulations associated with COPPA took effect, expanding the definition of “personal information” to include persistent identifiers that can be used to recognize a user over time and across websites, such as the ID found in a web browser cookie or an Internet Protocol (“IP”) address. The revision effectively prohibits covered operators from using cookies, IP addresses, and other persistent identifiers to track users across websites for most advertising purposes, amassing profiles on individual users, and serving online behavioral advertisements on COPPA-covered websites. Covered operators can, however, use persistent identifiers to support the internal operations of a website.
Websites are strictly liable for the collection, use, and disclosure of personal information by independent third parties that are allowed to operate through their websites. The FTC found that strict liability was necessary in light of the “complex infrastructure of entities” often found operating on websites that have the opportunity to collect personal information from children. The FTC concluded that the operator of the website should be accountable because it “is in the best position to know which plug-ins it integrates into its site, and is also in the best position to give notice and obtain consent from parents.” Indeed, absent the strict liability standard, “there would be no incentive for child-directed content providers to police their sites or services, and personal information would be collected from young children, thereby undermining congressional intent.”
Operation Child Tracker
Operation Child Tracker is a first of its kind investigation into illegal online tracking of young children in violation of COPPA. The investigation examined the most popular children’s websites for unauthorized tracking. The office found that four website operators, Viacom, Mattel, JumpStart, and Hasbro, had allowed third party tracking on their websites prohibited by COPPA. The office’s findings regarding each of the individual website operators are summarized below.
Viacom operates the Nick Jr. website, at www.nickjr.com, and the Nickelodeon website, atwww.nick.com. The Nick Jr. website features content associated with animated children’s shows from Viacom’s Nick Jr. television network, including “Dora the Explorer,” “Bubble Guppies,” and “Blues Clues,” which have historically been directed to children 2-5 years old and their parents. The Nickelodeon website features content associated with animated and live-action shows from Viacom’s Nickelodeon television network, including “SpongeBob SquarePants,” “Teenage Mutant Ninja Turtles,” and “Alvinnn!!!! and the Chipmunks,” which have historically been directed to children 6-11 years old. Millions of people visit the Nick Jr. and Nickelodeon websites each month.
The office of the Attorney General found a variety of improper third party tracking on the Nick Jr. and Nickelodeon websites. These included the following:
- Many advertisers and agencies that placed advertisements on Nick Jr. and Nickelodeon websites introduced tracking technologies of third parties that routinely engage in the type of tracking, profiling, and targeted advertising prohibited by COPPA. Viacom considered several approaches to mitigate the risk of COPPA violations from these third parties, including removing adult advertising (which was more likely to employ third party tracking technologies) from a child-directed section of the Nick Jr. website and monitoring advertisements for unexpected tracking technology using scanning software on a case-by-case basis. However, Viacom did not timely take either approach and did not implement sufficient safeguards for its users.
- Some visitors to the homepage of the Nick Jr. website were served behavioral advertising and tracked through a third party advertising platform Viacom used to serve advertisements. Although Viacom considered the homepage of the Nick Jr. website to be parent-directed, and thus not covered by COPPA, the homepage had content that appealed to children. Under COPPA, website operators must treat mixed audience pages as child-directed. Viacom also inadvertently introduced the third party advertising platform onto another child-directed section of the Nick Jr. website for a six-week period.
Mattel, a designer and manufacturer of toys, operated websites associated with many of its toy brands, which include Barbie, Hot Wheels, Matchbox, American Girl, Max Steel, Monster High, Polly Pocket, and Thomas & Friends. In all, 26 of Mattel’s websites feature content for young children, including online games, animated cartoons, and downloadable content such as posters, computer desktop wallpaper, and pages for young children to color. Millions of people visit Mattel’s websites each month.
The office of the Attorney General found that a variety of improper third party tracking technologies were present on Mattel’s child-directed websites and sections of websites. These included the following:
- Mattel deployed a tracking technology supplied by a third party data broker across its Barbie, Hot Wheels, Fisher-Price, Monster High, Ever After High, and Thomas & Friends websites. Mattel used the tracking technology for measuring website metrics, such as the number of visitors to each site, a practice permitted under COPPA. However, the tracking technology supplied by the data broker introduced many other third party tracking technologies in a process known as “piggy backing.” Many of these third parties engage in the type of tracking, profiling, and targeted advertising prohibited by COPPA.
- A tracking technology that Mattel deployed on the e-commerce portion of the American Girl website, which is not directed to children or covered by COPPA, was inadvertently introduced onto certain child-directed webpages of the American Girl website.
- Mattel uploaded videos to Google’s YouTube.com, a video hosting platform, and then embedded some of these videos onto the child-directed portion of several Mattel websites, including the Barbie website. When the embedded videos were played by children, it enabled Google tracking technologies, which were used to serve behavioral advertisements.
JumpStart, a developer of educational and entertainment software and websites for children, operates the Neopets website, which it acquired in April 2014. The website enables users to create and care for cartoon virtual pets. Pet owners play simple animated games to earn points, which can be redeemed for virtual food, clothing, and gear for their pets.
Visitors to the Neopets website can navigate the site and play games with or without an account. Users that choose to register an account must provide a date of birth during the account registration process. As of the end of 2014, there were several million registered accounts that belonged to users under the age of 13.
The office of the Attorney General found that several improper third party tracking technologies were present on the Neopets website, both for logged-in users under the age of 13 and users who were not logged-in. These included the following:
- JumpStart failed to configure the advertising platform used to serve ads on the Neopets website in a manner that would comply with COPPA. As a result, users under the age of 13 were served behavioral advertising and tracked through the advertising platform.
- JumpStart integrated a Facebook plug-in into the Neopets website. Facebook plug-ins are integrated into many websites and allow Facebook to track users across the Internet. Facebook uses the tracking information for serving behavioral advertising, among other things, unless the website operator notifies Facebook with a COPPA flag that the website falls is subject to COPPA. JumpStart did not notify Facebook that the Neopets website was directed to children.
Hasbro, a producer of toys and games, operated websites associated with many of its popular toy brands, which include My Little Pony, Littlest Pet Shop, Nerf, and Transformers. Many of these websites featured content for young children, including online games, animated cartoons, and downloadable content such as posters and pages for young children to color. Hundreds of thousands of people visit Hasbro’s websites each month.
The office of the Attorney General found that several improper third party tracking technologies were present on Hasbro’s child-directed websites and sections of websites. These included the following:
- Hasbro engaged in an advertising campaign that tracked visitors to the Nerf section of Hasbro’s website in order to serve Hasbro advertisements to those same users as they visited other websites at a later time, a type of online behavioral advertising prohibited by COPPA known as “remarketing.”
- Hasbro integrated a third-party plug-in into many of its websites, that allowed users to be tracked across websites and introduced other third parties that engaged in the type of tracking, profiling, and targeted advertising prohibited under COPPA.
It is important to note that Hasbro participated in a safe harbor program. A website operator that complies with the rules of an FTC-approved safe harbor program is deemed in compliance with COPPA. However, safe harbor programs rely on full disclosure of the operator’s practices and Hasbro failed to disclose the existence of the remarketing campaign through the Nerf website.
Settlement Agreements Require Comprehensive Reforms
Viacom, Mattel, JumpStart, and Hasbro have each entered into settlement agreements with the office of the Attorney General requiring them to adopt comprehensive reforms. These include the following:
- Conducting regular electronic scans to monitor for unexpected third party tracking technologies that may appear on their children’s websites. Three of the companies, Viacom, Mattel, and JumpStart will provide regular reports to the office regarding the results of the scans.
- Adopting procedures for vetting third parties before they are introduced onto their children’s websites to determine whether and how the third parties collect, use, and disclose, and allow others to collect, use, and disclose, personal information from users.
- Providing notice to third parties that collect, use, or disclose personal information of users with information sufficient to enable the third parties to identify the websites or sections of websites that are child directed pursuant to COPPA.
- Updating website privacy policies with either (a) information sufficient to enable parents and others to identify the websites and portions of websites that are directed to children under COPPA or (b) a means of contacting the company so that parents and others may request such information.
Lessons from Operation Child Tracker
The investigation revealed that website operators have not done enough to ensure that their children’s websites are free of improper third party tracking technologies. For example:
- Website operators are not sufficiently vetting advertisers, advertising networks and other third parties that they allow on their websites to determine whether third parties collect personal information from users or allow others to do so.
- Website operators are not monitoring their websites for unexpected third party tracking technologies that are inadvertently introduced or piggy-back off of other third parties.
- Website operators are having difficulty keeping up with rapidly changing ad technology to ensure COPPA compliance.