Published on Wednesday, September 11, 2019 - 09:03 by Camilla Winlo
The US Federal Trade Commission (FTC) has announced a $170 million settlement agreement with Google (YouTube’s owner) after YouTube was found guilty of knowingly tracking children’s behaviour in order to target them with advertising.
The ruling was made in the US under a law called COPPA – the Children’s Online Privacy Protection Act. However, this story has global implications – the case can also be applied to any organisation that runs a website which both UK or EU children might visit, because the GDPR has very similar requirements.
What went wrong?
YouTube used cookies on its website to collect information from visitors in order to target them with advertising. These cookies were used not only to track the behaviour of visitors whilst they were on YouTube, but also whilst they were browsing other sites.
Whilst this is a common practice, the problem here lies in the fact that YouTube placed the cookies onto visitors’ computers regardless of what kind of content they were looking at on YouTube.
COPPA – and GDPR – both require parental consent before personal data about children can be collected. In this case, YouTube couldn’t prove it had collected parental consent.
COPPA also applies to the makers of the cookies and to the advertising networks that served the adverts. They must show that they have the right permissions in place in order to process the data – again, the GDPR essentially has these same requirements.
YouTube knew that it was popular with children and that some of the content on its site was specifically aimed at that age group. The organisation also knew that it wasn’t doing enough to ensure it was recognising when children visited its website, and it wasn’t trying hard enough to make sure it could prove that the organisation had parental consent before it collected information about the children who visited it.
Targeted advertising is a huge industry and the size of the settlement reflects the amount of money that YouTube earned by breaking this law.
What will YouTube have to do now?
As well as paying the settlement, YouTube will need to ensure it has the systems and processes in place to identify when child-directed content is uploaded. It can then either make sure no personal data is collected in respect of that content, or it will need to prove it has collected parental consent first.
It will also have to provide annual training for the employees who handle the YouTube channel owners, and ensure YouTube channel owners are aware of their obligations.
How does this affect website owners?
Even if you don’t post content on YouTube, you should think about how your own website collects consent. Many website owners breach the requirements for collecting consent from adults – never mind children.
It’s also a particularly easy breach for the ICO to spot, as the information they need to investigate is right there on the front page of every website.
The rules in the UK are:
If you are interested in any of our services then please either use the contact form or contact us via of the methods below: