With this massive growth of CTV among consumers and advertisers, questions about how to protect consumers’ and, in particular, children’s privacy in these broadly used platforms have come to the forefront.
WHAT IS COPPA
The Children's Online Privacy Protection Act ("COPPA") is a United States federal law passed by Congress in 1998 to protect children’s online privacy. COPPA requires the Federal Trade Commission (“FTC”) to issue and enforce a rule implementing the law (“the COPPA Rule” or “the Rule”). The FTC’s COPPA Rule became effective in 2000 and was amended in 2013. The FTC is presently in the process of reviewing the Rule again. COPPA is enforced by the FTC and by state Attorneys General, who have the authority to seek civil penalties from companies that violate the law.
EXTRATERRITORIALITY
Although COPPA is a U.S. law, foreign online service operators must comply with the COPPA Rule if their services, or a portion of the services, are directed to children in the U.S., or if they have actual knowledge that they collect information from children in the U.S. Relatedly, American online service operators that collect information from foreign children are also subject to COPPA.
WHO MUST COMPLY WITH COPPA
The COPPA Rule applies to online service operators whose service, or a portion of the service, is directed to children under the age of 13 or who have actual knowledge that they collect information from children under the age of 13. Actual knowledge can be gained in a variety of ways, including by a user attempting to pass through an age gate, a user or parent telling a customer service team the user’s age, or by user generated content (e.g., a user stating she is in elementary school in her profile).
Third parties in the digital advertising ecosystem (e.g., not the online service operator) must comply with the COPPA Rule when they have actual knowledge that they collect information from users of an online service directed to children. The FTC sets forth two scenarios where ad networks and other third parties will likely be deemed to have actual knowledge:
See the FTC’s 2013 Statement of Basis and Purpose.
COPPA’s requirements apply only when the online service operators or third parties described above collect personal information. Because personal information includes persistent identifiers, COPPA applies to the collection of mobile device identifiers, browser-based cookies, or other persistent device identifiers, regardless of whether the device is a personal device (e.g., a mobile phone) or shared device (e.g., desktop computer or tablet). Please also refer to the section below: HOW DOES COPPA APPLY TO ADTECH.
While the FTC has yet to bring a COPPA enforcement action in the Connected TV (CTV) space, the law applies. If a CTV app is targeted to appeal to children then it is considered child-directed, and the operator and third parties with actual knowledge of its child-directed nature are required to treat every user as a child and comply with COPPA. This is true if the user is accessing the app from a smart TV or a tablet, even one that is predominantly used by an adult. See IAB Guide to Navigating COPPA.
COPPA’S REQUIREMENTS FOR COVERED OPERATORS
Operators covered by the Rule must:
See COPPA Rule at 16 C.F.R. § 312.
HOW DOES COPPA APPLY TO ADTECH
In addition to publishers of content directed to children or that have actual knowledge of a child using their service, any company that handles persistent identifiers of an online service it knows to be directed to children is subject to COPPA. This includes demand-side platforms (DSPs), supply-side platforms (SSPs), ad networks, data management platforms (DMPs), customer data platforms (CDPs), analytics and fraud detection companies, measurement providers and all of the other advertising technologies.
Although COPPA does not prohibit advertising to children, the Rule prohibits the collection of personal information (including cookies and other persistent identifiers) from children under 13 without verifiable parental consent. The intention behind this prohibition is to stop behavioral advertising, retargeting and profiling of children under 13. Contextual advertising is permissible under COPPA. In practice, this means contextually-based advertising that does not track the user over time and across online services.
THE COPPA FLAG IN PROGRAMMATIC ADVERTISING
Real-time Bidding (“RTB”) is a way of transacting media that allows an individual ad impression to be put up for bid in real-time. This is done through a programmatic on-the-spot auction. RTB allows for the ability to serve targeted ads. The Interactive Advertising Bureau’s OpenRTB is an API specification for an open protocol for the automated trading of digital media across a range of platforms and devices. Part of IAB’s OpenRTB specification, the COPPA flag is an attribute of a bid request that signals whether that request is for the opportunity to serve an ad to a child protected by COPPA. The publisher issuing the bid request has made the determination that the user is a child. The flag will have a value of 1 if the user is a child under 13, and a value of 0 otherwise. This flag allows media buyers to programmatically decide whether to make a bid and whether they can use tracking and targeting technologies with that impression. See IAB Guide to Navigating COPPA. For more information about how an advertiser or adtech partner can act upon the flag, refer to the Knowledge Base.
DIRECTED TO CHILDREN, INCLUDING MIXED AUDIENCE ONLINE SERVICES UNDER COPPA
There are two categories of online services under COPPA: directed to children and general audience. Mixed audience online services are a subset of the child-directed category of online services.
Directed to children is defined in the COPPA Rule as a commercial website or online service, or portion thereof, that is targeted to children. See COPPA Rule at 16 C.F.R. § 312.2 (definition of “Web site or online service directed to children”). Classifying a service as child-directed is subjective. However, it requires consideration of a number of factors set forth in the COPPA Rule. These factors include:
See COPPA Rule at 16 C.F.R. § 312.2 (definition of “Web site or online service directed to children,” paragraph (1)). In other words, if an online service is targeted to appeal to children, then it is considered child-directed, and the operator is required to treat every user of the service as if they are a child and comply with the COPPA Rule. This is true even if the user is assessing the service from a shared device or a device that belongs to an adult.
The COPPA Rule provides for a mixed audience subcategory of the directed to children category. See COPPA Rule at 16 C.F.R. § 312.2 (definition of “Web site or online service directed to children,” paragraph (3)); and Complying with COPPA: Frequently Asked Questions (See FAQs D.4-8). A mixed audience online service falls under the definition of directed to children despite not targeting children under 13 as its primary audience. Operators of mixed audience online services are permitted to implement a neutral age screen for their users. Using the age screen enables the operator of a mixed audience online services to collect personal information from users who indicate they are under 13 but only after obtaining verifiable parental consent. Notably, an online service may be deemed directed to children even if its Terms of Service or Privacy Policy prohibit children under 13 from using the service. In determining whether an online service is child-directed, the FTC will consider the factors set forth in the Rule listed above.
GENERAL AUDIENCE SITES AND SERVICES UNDER COPPA
General audience is the term used by the FTC to describe sites and services that do not target children under 13 as a portion of the audience. See the FTC’s 1999 Statement of Basis and Purpose. The COPPA Rule applies to operators of general audience online services with actual knowledge that they are collecting information from children under 13.
Importantly, a general audience online service does not become a mixed audience service simply because some children use the site or service. However, sites that are widely-known to have a large proportion of children are using the service will likely be considered a mixed audience site.
PERSONAL INFORMATION UNDER COPPA
The COPPA Rule defines personal information to include:
See COPPA Rule at 16 C.F.R. § 312.2 (definition of “Personal information”).
DATA COLLECTION UNDER COPPA
Data collection is defined under COPPA as the gathering of any personal information from a child by any means, including but not limited to:
See COPPA Rule at 16 C.F.R. § 312.2 (definition of “Collects or collection”).
SAFE HARBORS UNDER COPPA
COPPA includes a provision which enables industry groups, commercial entities, or others to develop their own COPPA oversight programs, known as Safe Harbor programs. There are currently six COPPA Safe Harbor programs approved by the FTC: Children’s Advertising Review Unit (CARU), the Entertainment Software Rating Board (ESRB), PRIVO, kidSAFE, iKeepSafe, and TRUSTe. A Safe Harbor organization may audit, monitor and provide guidance to its participating companies. A benefit of certification with a Safe Harbor program is that, generally, a disciplinary review for a COPPA violation will allow for a period to cure the violation instead of a formal investigation by the FTC. To be clear, Pixalate is not an FTC approved COPPA Safe Harbor.
Pixalate is providing tools designed to help ad tech companies avoid serving targeted ads on child-directed websites. In the first instance, it is the publisher’s responsibility to designate its app as child-directed wherever appropriate. If a publisher identifies its app as child-directed, ad networks must NOT serve targeted ads on that property. Many ad tech companies have expressed concern, however, that publishers do not always get such designations correct. These ad tech companies are trying to go above and beyond the requirements of COPPA to ensure that targeted ads are not served on child-directed properties. This is where Pixalate’s compliance tools add significant value. Given that manual review of all of the transactions that take place in the ad ecosystem is virtually impossible and that third parties cannot often ascertain the intended audience of an app, Pixalate provides a solution that flags likely child-directed properties for further review or blocking of targeted ads by ad tech companies.
Please note that Pixalate’s assessment of COPPA risk, or potential child directedness, does not provide a legal conclusion regarding an app’s intended audience or the sufficiency of an app’s COPPA Rule compliance.
PIXALATE’S MANUAL CHILD DIRECTED RISK ASSESSMENT METHODOLOGY FOR CTV APPS
Pixalate has formed a Trust and Safety Advisory Board, helmed by a former FTC enforcer and composed of qualified educators, to review and assess whether apps are child-directed. The educators on Pixalate’s Trust and Safety Advisory Board make assessments of apps based on the child-directed factors outlined in the COPPA Rule discussed above. App review is an ongoing process. Pixalate prioritizes CTV apps for review based on the popularity of the app which is measured by the volume of advertising observed by Pixalate number of app reviews.
PIXALATE’S OVERALL COPPA RISK ASSESSMENT METHODOLOGY FOR CTV APPS
Pixalate approaches COPPA as a risk factor. Pixalate’s assessment of COPPA risk does not provide a legal conclusion regarding whether an app is “directed to children” under COPPA. Pixalate analyzes multiple signals and produces a risk score (low, medium, high or critical) that captures the likelihood that a given app is a potential COPPA risk. In order to do so, the following signals are used:
Because Pixalate continuously monitors these signals, a mobile app’s COPPA Overall Risk Assessment rating can change between low, medium, high and critical over time.
Audience
See above: PIXALATE’S MANUAL CHILD DIRECTED RISK ASSESSMENT METHODOLOGY.
Privacy Policy
Operators that are covered by the COPPA Rule are required to post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children. Pixalate deems the lack of an identifiable privacy policy for a child-directed app to be a critical COPPA risk factor because it is a violation of COPPA for operators of websites and onlines services that collect, use, or disclose personal information from children to fail to post a privacy policy online. Additionally, the FTC recommends that all websites and online services - particularly those directed to children - post privacy policies online so visitors can easily learn about the operator’s information practices. Pixalate determines whether an app has a privacy policy based on information provided in the app stores. Additionally, Pixalate uses crawlers to scan developer websites for privacy policies. An app will be flagged as not having a privacy policy if it is not detected under either of these two methods.
Residential IP Passed in the Advertising Bidstream
Residential IP is an address that is assigned from an ISP to a homeowner, and is associated with a single owner and location. IP addresses are persistent identifiers that fall under the definition of personal information in the COPPA Rule. Accordingly, Pixalate deems passing residential IP information to be a COPPA risk factor. Pixalate examines the traffic associated with an app and determines if the end-user IP is transmitted through the advertising pipeline which exposes granular information about the user’s location. If IP is passed, the IP is categorized based on network type, for example: Cable/DSL, Cellular Tower, etc. Cable/DSL IPs are residential IPs which can be reverse geocoded to expose the location of the user. If the majority of the traffic from an app exposes such Cable/DSL IPs then Pixalate flags it as passing residential IP traffic in the bidstream. Pixalate interprets the passing of a Residential IP in the bidstream as a COPPA risk because advertising can be targeted using this information. However, if the last octet of the Residential IP address has been truncated in the programmatic bidstream, it is no longer considered personal information under COPPA. Accordingly, Pixalate does interpret the passing of a truncated Residential IP in the bidstream as a COPPA risk.
Geolocation Information Passed in the Advertising Bidstream
Geolocation information sufficient to identify street name and name of a city or town is personal information under the COPPA Rule. Pixalate deems passing geolocation information to be a COPPA risk factor. Pixalate examines the traffic associated with an app and determines if the end-users’ GPS coordinates are being transmitted through the advertising pipeline that exposes granular information about the users’ locations. If traffic from an app exposes such GPS location data then it is flagged as passing location information.
Risk Scores: Low, Medium, High and Critical
The table below details the impact of various signal combinations on the COPPA risk score.
DISCLAIMER
Pixalate’s COPPA Compliance Tools render opinions that Pixalate believes may be useful to our clients and others in the digital media industry. It is important to note, however, that the mere fact that an app appears to be directed to children (e.g., data subjects under 13 years of age, as defined by the COPPA Rule) does not mean that any such app, or its operator, is failing to comply with the COPPA Rule. Further, with respect to apps that appear to be child-directed and have characteristics that, in Pixalate’s opinion, may trigger related privacy obligations and/or risk, such assertions reflect Pixalate’s opinions (i.e., they are neither facts nor guarantees); and, although Pixalate’s methodologies used to render such opinions are derived from automated processing and at times coupled with human intervention, no assurances can be – or are – given by Pixalate with respect to the accuracy of any such opinions.
“As ad spend on channels like CTV grows by leaps and bounds, advertisers need greater transparency into their programmatic buys.”
Patrick McCormack
Head of Business Development and Global Partnerships, yahoo
“MRT offers Criteo access to critical insights helping us evaluate brand safety signals and maintain our quality standards across our in-app supply globally.”
François Zolezzi
Head of Supply Quality, Criteo
Eric Bozinny
Senior Director, Marketplace Quality, PubMatic
“To ensure the quality and safety of all our LAN inventory, LinkedIn uses the MRT to evaluate publishers.”
Peter Turner
Business Development, LinkedIn Marketing Solutions
