Oh Verizon. For years we've noted how the company's consumer privacy practices are utterly abysmal. Like that time in 2016 when Verizon was fined a relative pittance by the FCC for modifying user wireless packets so it could covertly track users around the internet (beyond cookie, clickstream, or even deep packet inspection data). This being Verizon, it didn't bother to tell anybody that this was happening. As a result, it took two years for security researchers to even notice what the company was up to, and another six months of media yelling before the company was willing to even let consumers opt out of the data collection.
Fast forward to this week, and Verizon has been busted once again on the privacy front, this time for slinging behavioral advertisements at kids in violation of the Children’s Online Privacy Protection Act (COPPA). According to an announcement by acting New York Attorney General Barbara Underwood , Verizon's Oath operations (the mash up of its Yahoo and AOL acquisitions) routinely auctioned off ad space and placed ads on websites the company knew targeted kids -- without parental consent. As a result, Verizon's being hit with the biggest fine in the history of COPPA:
"The Attorney General’s Office found that AOL conducted billions of auctions for ad space on hundreds of websites the company knew were directed to children under the age of 13. Through these auctions, AOL collected, used, and disclosed personal information from the websites’ users in violation of COPPA, enabling advertisers to track and serve targeted ads to young children. The company has agreed to adopt comprehensive reforms to protect children from improper tracking and pay a record $4.95 million in penalties, the largest penalty ever in a COPPA enforcement matter in U.S. history."
But much like the company's fine for its earlier scandal, the fine itself is likely a small fraction of the money made during the time AOL spent intentionally turning a blind eye as behavior ads were aimed at kids and kid-frequented websites. The AG's report notes that until late last year (presumably as a result of realizing the AG inquiry existed), AOL's systems ignored any information that it received from an ad exchange indicating that the ad space was subject to COPPA, so the website routinely ignored the law in general. It's worth noting that the full settlement has not yet been released.
There's no indication from the NY AG (I've reached out for more detail) how long this was going on, but it's fairly obvious the income AOL made from ignoring COPPA (there were 1.3 billion auctions of display ad space) outweighs any penalty it's facing, however historic. COPPA is one of the few privacy regulations currently in place, and even then, Verizon/AOL/Oath's decision to just ignore the law speaks pretty broadly as to how even the privacy laws we do have are inconsistently enforced. Especially when we're talking about deep-pocketed telecom giants, who have openly flirted with the idea of charging users even more money for privacy without regulators so much as batting an eye.
As we sit down and begin the long, difficult conversation about what a real internet-era privacy law should look like, the lion's share of the focus remains (quite justly given the Cambridge Analytica scandal) on Facebook. But it can't be understated how the telecom industry has historically been even worse -- especially given they're effectively bone-grafted to the nation's intelligence surveillance apparatus. That these are the companies that will have the biggest impact on the crafting of privacy laws should terrify anyone interested in getting meaningful privacy legislation right.