Verizon-owned AOL helped advertisers track children online in order to serve targeted ads, in violation of a federal children's privacy law, and has agreed to pay a fine of $4.95 million, New York Attorney General Barbara Underwood announced today.

"The Attorney General's Office found that AOL conducted billions of auctions for ad space on hundreds of websites the company knew were directed to children under the age of 13," Underwood's announcement said. "Through these auctions, AOL collected, used, and disclosed personal information from the websites' users in violation of COPPA [Children's Online Privacy Protection Act], enabling advertisers to track and serve targeted ads to young children."

In addition to paying the largest-ever fine for violating COPPA, the Verizon-owned company "has agreed to adopt comprehensive reforms to protect children from improper tracking," the announcement said.

Verizon purchased AOL in June 2015; AOL is now part of a Verizon subsidiary called Oath, which also includes Yahoo. Verizon also operates a nationwide mobile broadband network and offers home Internet and TV services in parts of the US. Verizon has consistently fought government regulation of privacy in broadband networks. As owner of Oath, Verizon is forcing users of Yahoo services to waive their class-action rights and agree to resolve disputes through arbitration.

The attorney general investigation "examined AOL's practices between October 2015 and February 2017," The New York Times reported. Verizon did not admit or deny the investigation's findings but told the Times, "We are pleased to see this matter resolved and remain wholly committed to protecting children's privacy online."

COPPA was enacted by Congress in 1998 and "prohibits operators of certain websites from collecting, using, or disclosing personal information (e.g., first and last name, email address) of children under the age of 13 without first obtaining parental consent," Underwood's announcement noted. The law was updated in 2013 to expand the definition of "'personal information'... to include persistent identifiers that can be used to recognize a user over time and across websites, such as the ID found in a Web browser cookie or an Internet Protocol ('IP') address."

The law applies to websites and online services directed at children under 13; operators of websites and online services that knowingly collect personal information from children under 13 are also covered by the law.

How Verizon violated kids’ privacy

Here's how AOL violated COPPA, according to the NY attorney general's office:

AOL operates several ad exchanges, including an exchange for image-based ads, referred to as "display" ads. Until recently, AOL's ad exchange for display ads was not capable of conducting a COPPA-compliant auction that involved third-party bidders because AOL's systems would necessarily collect information from users and disclose that information to the third parties. AOL policies therefore prohibited the use of its display ad exchange to auction ad space on COPPA-covered websites to third-parties. Despite these policies, AOL nevertheless used its display ad exchange to conduct billions of auctions for ad space on websites that it knew to be directed to children under the age of 13 and subject to COPPA.

AOL knew the ads were directed at children in part because "several AOL clients provided notice to AOL that [more than a dozen of] their websites were subject to COPPA," the AG's office said. Despite that, "AOL conducted at least 1.3 billion auctions of display ad space from these websites."

Separately, AOL "conducted at least 750 million auctions of display ad space" on hundreds of other websites. AOL knew these websites were directed at children under 13 because it had conducted an internal "review of the content and privacy policies of client websites."

Each auction takes a fraction of a second and occurs "after a user opens a webpage that contains ad space," the AG announcement noted. A cookie stored on a user's computer contains information that is transmitted by the ad exchange "to entities that may be interested in purchasing ad space on behalf of advertisers." This type of behavioral advertising targets ads at each person based on "the individual’s Internet browsing history, demographic information, or personal interests."

AOL was guilty of still another type of violation, the AG's announcement said. In addition to its own ad exchanges, AOL "operates a business that bids on ad space in auctions conducted by other ad exchanges."

"Prior to November 2017, AOL's systems ignored any information that it received from an ad exchange indicating that the ad space was subject to COPPA," the announcement said. "Thus, whenever AOL participated in and won an auction for COPPA-covered ad space, its systems behaved as they normally did. In these cases, the company typically used user information supplied by the exchange and information the company could collect directly from the user to select and serve a targeted advertisement to the user. AOL's collection and use of this information from users on COPPA-covered websites violated COPPA."

AOL rep violated law to increase revenue

One AOL account manager knowingly violated COPPA in order to increase revenue, the AG investigation also found:

As described above, AOL permitted clients to use its display ad exchange to sell ad space on COPPA-covered sites, even though the exchange was not capable of conducting a COPPA-compliant auction that involved third-party bidders. AOL documents show that an AOL account manager based in New York intentionally configured at least one of these client's accounts in a manner that she knew would violate COPPA in order to increase advertising revenue. In addition, AOL documents show that the NY account manager repeatedly represented to at least this client that AOL's display ad exchange could be used to sell ad space to third-parties in a COPPA compliant manner. As a result of these misstatements, the client used AOL's display ad exchange to place more than a billion advertisements on COPPA-covered inventory.

The settlement requires AOL to "establish and maintain a comprehensive COPPA compliance program" and to retain an objective, third-party expert to assess its new privacy controls.

AOL must also create new functionality for website operators that sell ads through AOL systems, allowing website operators "to indicate each website or portion of a website that is subject to COPPA." AOL will keep that information in a database "and disclose to each third-party bidder that relevant ad space is subject to COPPA."

"Finally, AOL has also agreed to destroy all personal information collected from children that is in its possession, custody, or control, unless such personal information is required to be maintained by law, regulation, or court order," the settlement announcement said.