Why COPPA flags don’t work (and just cost Oath/AOL $5M)
The announcement that Oath has just been hit with the largest fine in the history of COPPA underlines the volume and quality of child-directed inventory being bought and sold within the mainstream (adult) programmatic exchanges.
Exchanges are processing ‘kids inventory’ either knowingly or unknowingly. The current mechanism for publishers to surface this inventory to buyers is enabling a ‘COPPA flag’ – an optional setting in some ad servers (e.g. adding the tfcd=1 parameter to an ad tag).
This advises the buyer that the impression is assumed to come from a child and should be treated differently. If a buyer sees this flag, their system should, in theory, remove personal data, for example by truncating the IP address or suppressing identifiers.
The fundamental issue is that a COPPA flag doesn’t prevent data collection or data sharing. It’s just a signal which may or may not be respected by any of the vast number of systems involved in the ad delivery chain. It’s a classic case of trying to shoehorn an adult solution into a children’s problem. Any profile-driven ad delivery architecture isn’t compatible with the privacy needs of kids and the laws designed to protect them.
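What honoring the flag would look like inside one receiving system, as an added example that is not from the original article or from any ad vendor's code. The identifier parameter names, the /24 and /48 truncation lengths and the sample URL are assumptions; the flag triggers none of this unless each downstream system runs logic of this kind.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical identifier parameter names; real ad tags vary by vendor.
IDENTIFIER_PARAMS = {"uid", "device_id", "cookie_id"}

# Constructed sample ad tag (not a real endpoint).
SAMPLE_URL = "https://ads.example.test/ad?slot=top&tfcd=1&uid=abc123&cookie_id=xyz"


def truncate_ip(ip: str) -> str:
    """Zero the host bits: keep /24 for IPv4, /48 for IPv6 (assumed lengths)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ""  # fail closed: an unparseable address is dropped entirely
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def is_child_directed(pairs) -> bool:
    """True if any tfcd parameter equals 1, even when the key is repeated."""
    return any(k == "tfcd" and v == "1" for k, v in pairs)


def sanitize_request(ad_tag_url: str, client_ip: str) -> tuple:
    """Return (url, ip) in the form that may be logged or forwarded."""
    parts = urlsplit(ad_tag_url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not is_child_directed(pairs):
        return ad_tag_url, client_ip  # no flag: request passes through unchanged
    # Flag present: suppress identifiers and truncate the address.
    kept = [(k, v) for k, v in pairs if k.lower() not in IDENTIFIER_PARAMS]
    clean_url = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean_url, truncate_ip(client_ip)


if __name__ == "__main__":
    print(sanitize_request(SAMPLE_URL, "203.0.113.77"))
```

The pass-through branch is the weak point the article describes: a child-directed request whose publisher never set the flag, or a system that never runs this check, keeps the full IP address and every identifier.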
Instead of creating a dedicated zero-data infrastructure to serve our most vulnerable audience, we have an ineffective hack. In the meantime, 170,000 kids are going online for the first time every day. You can do the math.
This is precisely why we built dedicated technology specifically for the requirements of the children’s audience (kidtech). Our server-side Kid-Safe Filter strips all trackers from ad tags before they ever reach the child, and removes personal data from all ad requests, creating a native level of compliance with both COPPA and GDPR-K.