Privacy Fines Continue with Youtube (COPPA) and Equifax (data breach)

It has been a big summer for news of privacy fines. In addition to the Facebook FTC fine and the two proposed data breach fines from the UK ICO, we now have word on the Equifax fine and the outcome of the FTC COPPA investigation into YouTube.

The Federal Trade Commission and Google have reportedly agreed on a multimillion dollar settlement over allegations that YouTube violated the Children’s Online Privacy Protection Rule (COPPA). The details of the FTC fine have not been published yet. If the penalty exceeds $5.7 million, it will be a record fine for a COPPA violation.

Media reports have indicated that the FTC Commissioner vote was 3-2 with the three Republicans in favor of the settlement. The two Democrats reportedly voted against it. The final agreement must be approved by the Justice Department.

Allegations about suspected violations of COPPA at the video service run by Google were made last April in a letter to the FTC by more than 20 consumer advocacy groups. Senator Ed Markey (D-Mass.), the author of COPPA, has also urged regulators to investigate and fine YouTube.

The FTC has reportedly explored several solutions with regard to how to improve children’s privacy on YouTube. The media reported on a call between the FTC Chairman and consumer privacy advocates a few weeks back where he asked whether allowing video publishers to disable ads would be sufficient to protect their privacy. The consumer groups opposed the solution which would shift the burden of responsibility to the content creators of children’s videos. The media has not indicated what measures Google will be required to undertake by the FTC to bring YouTube into compliance.

COPPA requires operators of a website or online service that is directed at children under 13, or has actual knowledge that they collect personal information from children under 13, to gain parental consent before collecting personal information on kids. Earlier this year, the FTC issued its current largest COPPA fine against the owners of the Musical.ly app for collecting kids’ personal information without parental consent. The civil penalty agreed to was $5.7 million.

It has been a busy month for the FTC. The YouTube fine follows shortly after the FTC’s approval of a Facebook fine of $5 billion over Cambridge Analytica, by a similar 3-2 vote according to media reports. The Facebook fine is also awaiting DOJ approval. The Cambridge Analytica investigation began a month before consumer groups reported YouTube to the FTC over privacy concerns.

Record Equifax Data Breach Settlement

The Federal Trade Commission (along with the Consumer Financial Protection Bureau, 48 states, DC & Puerto Rico) also announced a proposed settlement with Equifax that will require the company to pay $700 million as a result of its 2017 data breach. The settlement is the largest data breach settlement ever, covering up to $425 million in monetary relief for victims, $175 million to the states and $100 million in civil penalties to the CFPB. It will require court approval.

Equifax has agreed to $300 million in monetary relief with the final $125 million only coming if the the original amount is insufficient to compensate all of the impacted consumers. The data breach impacted the personal data of as many as 147 million people, more than half of which are located in the United States.

None of the penalties will be paid to the FTC because the regulator does not have the authority to fine companies for violations of the FTC Act or the Safeguards Rule. This has been one of the major areas of debate in enforcement as Congress considers a new federal privacy law. When the FTC fines businesses for privacy violations (other than COPPA) under current law, it is usually for a violation of a consent decree. The FTC has asked Congress to give it rulemaking authority and the ability to fine first offenders as part of its request for new legislation to address privacy. However, Congress has been unable to reach a consensus yet after taking up the issue following the Facebook-Cambridge Analytica scandal and the adoption of the California Consumer Privacy Act (CCPA).

More to Come?

The Irish Data Protection Authority has been conducting a number of investigations into large tech companies and the head of its DPA earlier this year expected that some of those GDPR inquiries would begin to wrap up this summer. With the end of summer approaching, the announcements from the FTC and the ICO could be just the start of the big fines. Although there is no deadline for announcing the fines, the Irish DPA could very well take an aggressive approach in a larger than expected fine against one of the large social media and tech companies it is investigating given the size of the other privacy fines this summer.