Google’s $170MM fine: A signal for larger role for FTC in data privacy enforcement?

Bloggers, legislators, and lawyers have spent a great deal of ink in the past two years on the implications of the EU’s GDPR, which went into effect last year, and the amendment of California’s Online Privacy Protection Act through the California Consumer Privacy Act, which will take effect on January 1, 2020. However, this week, Google agreed to a fine of $170 million due to its scraping of personal data of minors using YouTube.[1] YouTube then tailored advertising to those children based on the personal data collected by the tech giant. Interestingly, Google’s fine did not arise under the GDPR, CalOPPA, or any of the other data privacy laws “of the moment”. Instead, the fine was imposed by the U.S. Federal Trade Commission and the New York Attorney General under the Children’s Online Privacy Protection Act (“COPPA”).[2] COPPA was enacted in 1998 during the dot-com boom and went into effect in 2000. COPPA requires that child-directed websites provide notice and obtain consent before collecting personal data from children under 13.

Google’s fine this week represents the largest civil fine imposed by the FTC under COPPA. The FTC argued that YouTube’s status as a general-audience site did not apply to some of its individual channels, including those operated by toy companies, which were child-directed according to the FTC. Google’s settlement with the FTC requires that YouTube create a system permitting channel owners to identify child-directed content so channel owners can comply with COPPA’s directives. The fine[3] and settlement requirements demonstrate that the FTC may be entering the data privacy realm as the United States’ primary data privacy enforcer, despite the US failing to have a single data privacy regime. Along with Facebook’s $5 billion settlement in July with the FTC, the settlement further shows that the FTC is willing to use older (and potentially outdated) statutes and regulations as authority to enter this increasingly crowded regulatory environment.

For information on Brettner Counsel's cybersecurity and data privacy practice, please see https://www.bcfirm.law/practice-areas.

[1] Natasha Singer and Kate Conger, Google is Fined $170 Million for Violating Children’s Privacy, New York Times Sept. 4, 2019, available at https://www.nytimes.com/2019/09/04/technology/google-youtube-fine-ftc.html.

[2] $136 million will be paid to the FTC and $34 million to New York. A full description of the settlement is available on the FTC’s website located at https://www.ftc.gov/news-events/press-releases/2019/09/google-youtube-will-pay-record-170-million-alleged-violations.

[3] At the time of this post, Google is currently negotiating with French authorities a proposed settlement of $57 million for privacy violations.