Moreover, an account manager appears to have set up "at least one" client's account knowing it would violate COPPA, and incorrectly claimed that the company's ad exchange could serve ads while honoring the law. The firm even found hundreds of additional websites subject to COPPA and still kept selling targeted ads.

Oath has agreed to "comprehensive reforms" as part of the settlement, the state Attorney General's office said. It has to run a COPPA program that includes dedicated leadership, yearly training for relevant staff, the detection of possible risks as well as regular oversight both inside and outside of the company. It's also promising to maintain features that let sites indicate when they're subject to COPPA, and will destroy all non-essential personal info from children.

In a statement, Oath didn't directly address its responsibility in the case, instead stating that it was happy to move on. "We are pleased to see this matter resolved and remain wholly committed to protecting children's privacy online," a spokesman said.

This isn't the first large COPPA violation in the US, but the scale and apparent intent are rare. New York Attorney General Barbara Underwood went so far as to accuse Oath of "flagrantly" breaking the law. While the settlement payout may not put much of a dent in Oath's finances, it's large enough that it might deter others from taking similar risks with children's privacy.