YouTube fined $170m for violating children’s privacy rights

Published on Wednesday, September 11, 2019 - 09:03 by Camilla Winlo

The US Federal Trade Commission (FTC) has announced a $170 million settlement agreement with Google (YouTube’s owner) after YouTube was found guilty of knowingly tracking children’s behaviour in order to target them with advertising. 

The ruling was made in the US under a law called COPPA – the Children’s Online Privacy Protection Act. However, this story has global implications – the case can also be applied to any organisation that runs a website which UK or EU children might visit, because the GDPR has very similar requirements.

What went wrong?

YouTube used cookies on its website to collect information from visitors in order to target them with advertising. These cookies were used not only to track the behaviour of visitors whilst they were on YouTube, but also whilst they were browsing other sites. 

Whilst this is a common practice, the problem here lies in the fact that YouTube placed the cookies onto visitors’ computers regardless of what kind of content they were looking at on YouTube. 

COPPA – and GDPR – both require parental consent before personal data about children can be collected. In this case, YouTube couldn’t prove it had collected parental consent.

COPPA also applies to the makers of the cookies and to the advertising networks that served the adverts. They must show that they have the right permissions in place in order to process the data – again, the GDPR essentially has these same requirements. 

YouTube knew that it was popular with children and that some of the content on its site was specifically aimed at that age group. The organisation also knew that it wasn’t doing enough to ensure it was recognising when children visited its website, and it wasn’t trying hard enough to make sure it could prove that the organisation had parental consent before it collected information about the children who visited it. 

Targeted advertising is a huge industry and the size of the settlement reflects the amount of money that YouTube earned by breaking this law. 

What will YouTube have to do now?

As well as paying the settlement, YouTube will need to ensure it has the systems and processes in place to identify when child-directed content is uploaded. It can then either make sure no personal data is collected in respect of that content, or it will need to prove it has collected parental consent first. 

It will also have to provide annual training for the employees who handle the YouTube channel owners, and ensure YouTube channel owners are aware of their obligations. 

How does this affect website owners? 

Even if you don’t post content on YouTube, you should think about how your own website collects consent. Many website owners breach the requirements for collecting consent from adults – never mind children. 

It’s also a particularly easy breach for the ICO to spot, as the information they need to investigate is right there on the front page of every website. 

The rules in the UK are: 

  • If you use cookies or similar technologies, you need to understand how they work and ensure that everything they do has a lawful basis
  • If they involve data being processed overseas, you need to ensure appropriate safeguards are in place 
  • Only “Strictly Necessary” cookies can be placed without consent
  • Every other kind of cookie needs consent, which means that you need to clearly explain exactly what the cookie does and what the implications are of giving or withholding consent, and give the visitor a free choice about whether to accept the cookie or not
  • You can only use cookies if they are “Strictly Necessary”, or if you can prove that the visitor did something to switch them on
  • If the visitor is a child, you can only place cookies if they are “Strictly Necessary”, or if you can prove that their parent has done something to switch them on