On September 4, the Federal Trade Commission announced that Google will be required to pay $170 million to the FTC and the state of New York for children’s data privacy violations. The fine is part of a settlement in a case filed against Google and its subsidiary, YouTube, in the district court for the District of Columbia. The complaint first alleges that YouTube collected data from users of “child-directed websites” without providing notice to the children or their parents. Secondly, it alleges that YouTube failed to obtain parental consent to the collection of personal information. Both allegations were filed under rules promulgated under the Children’s Online Privacy Protection Act (COPPA). The FTC will collect $136 million of the fine, the largest amount the Commission has ever collected from a party in violation of COPPA.

YouTube provides a variety of “channels” on which users can watch programming. According to the FTC’s evidence, YouTube is one of the top-visited websites for children under the age of thirteen. Also, according to the complaint, YouTube used an internal content rating system that separated content by targeted age group. However, YouTube failed to adopt special data collection procedures for young consumer groups—as required by COPPA—despite creating one age group to target children seven and younger. The settlement seeks to remedy thousands of privacy violations committed by the website by enjoining YouTube and Google from further violating COPPA and forcing payment of a civil penalty.

COPPA was enacted in 1998 to extend additional protections for child consumers’ personal data online. The Act, which directs the FTC to promulgate rules to enforce its protections, went into effect in 2000. It applies to any operator of a “commercial website or online service,” and the FTC provides six steps for compliance: 1) determine if the company is a website or online Service that collects personal information from kids under 13; 2) post a privacy policy that complies with COPPA; 3) notify parents directly before collecting personal information from their kids; 4) get parents’ verifiable consent before collecting personal information from their kids; 5) honor parents’ ongoing rights with respect to personal information collected from their kids; and 6) implement reasonable procedures to protect the security of kids’ personal information. Any violation of the rule constitutes a violation of the Federal Trade Commission Act, 15 U.S.C. § 45(a) and subjects the violating operator to civil damages not exceeding an inflation-adjusted maximum per violation, $42,530 as of 2019. A court examining a violation may grant any injunctive relief that it deems appropriate, as well.

Although the FTC has brought many cases against companies for violating users’ data privacy interests, this case is significant because it raises concerns about companies’ disregard for the privacy rights of children. Criticshave remarked that implementation of COPPA by the FTC has done little to actually stop deceptive data collection practices. Because of limitations on the FTC’s authority, penalties assessed by the FTC have been limited to civil fines, which can be paid by the major corporate operators relatively painlessly.

The FTC has also had a hard time keeping up with developments in online technology. COPPA was last revised in 2013, and the Act still harbors loopholes for content operators whose product is not explicitly marketed to children, even if children are their primary consumers. As of July 25th of this year, the FTC has asked for public comments on several aspects of the COPPA rule, including whether the current scope of the rule has been effective in protecting the privacy rights of children. But revisions to the existing rule may not go far enough.

Many critics suggest that Congress must take legislative action in order to ensure real protection for young consumers because COPPA’s scope and available penalties are currently not enough to deter deceptive data collection practices. Additionally, although COPPA has existed for over twenty years, enforcement actions taken under the Act have never been challenged in court—making the FTC’s own prior decisions the only relevant precedent. Some critics have indicated that to avoid years-long litigation, the FTC opts for smaller-than-ideal settlements.The fine in this case, even though historic for the FTC, represents only around two days’ worth of revenue for YouTube’s parent company and is much lower than the statutory maximum.

Meanwhile, some states have decided to stop waiting for Federal action to address this problem. In California and Connecticut, bills have been passed to ensure more expansive coverage of data privacy protections for children and harsher penalties for violating parties.