Harm or Deterrence?: FTC Civil Penalty Assessments Under COPPA

Jun 13, 2020

By Jennifer Thompson

See all of Our JDSupra Posts by Clicking the Badge Below

View Patrick Law Group, LLC

The Federal Trade Commission announced its most recent settlement action under the Children’s Online Privacy Protection Act (COPPA) on June 4. The settlement included a $4 million penalty (suspended to $150,000 due to the defendant’s proven inability to pay) against Hyperbeard, Inc. for alleged violations of COPPA. More interesting than the terms of the settlement itself, was the debate demonstrated in public statements from Chairman Joseph J. Simons and Commissioner Noah Joshua Phillips expressing differing opinions on the ultimate goal and purpose of FTC civil penalties for violations of COPPA.

The Hyperbeard Case

Hyperbeard is alleged to have violated COPPA by permitting third party ad networks to collect information from children under the age of 13 through the use of persistent identifiers, without obtaining advance verifiable parental consent. The collected personal information was then allegedly used by the ad networks to serve targeted behavior-based advertisements to the children using the Hyperbeard games and apps. COPPA expressly prohibits the collection or use of personal information from or relating to children under the age of 13, including through persistent identifiers absent verifiable parental consent. The Commissioners do not debate whether there was a violation of COPPA worthy of assessing penalties. Rather, the Commissioners diverge on how to calculate the penalties. The penalties in Hyperbeard were based on the increased revenue Hyperbeard  allegedly earned by serving children behavior-based ads as opposed to serving children contextual ads, which are legal because they are not based on behavioral or other personal information.

The Case for Deterrence

Chairman Simons’ statement defends the penalty assessed in Hyperbeard as an effective method of deterring activities proscribed by COPPA. For Simons, the ultimate goal is to encourage would-be defendants to act in a manner that complies with law. Simons notes that “violation should not be more profitable than compliance.” Accordingly, for Simons it made sense to base the penalty on the improper gain Hyperbeard earned through the proscribed activity. Simons also distinguishes COPPA actions, where the FTC is charged with “imposing civil penalties to deter conduct specifically proscribed by Congress” from other legal actions in the contracts or torts realms, where it is more appropriate to try to balance costs, benefits and behaviors.

While focusing on deterrence as the first objective, Simons does not discount harm. In fact, he noted it may be appropriate, to “adjust the penalty upward” in cases where the defendant’s actions more likely cause consumer harm “in order to more strongly penalize and deter those most harmful practices.” In Simons’ view, however, deterrence should come before the consideration of harm.

The Case for Harm

As the sole dissenter to the Hyperbeard settlement, Commissioner Phillips argued that there was insufficient harm to support the size of the penalty. Phillips first noted that there are a variety of factors that courts and the FTC should consider in assessing civil penalties. However, the statutory factors to be considered in determining the civil penalty do not explicitly mention harm.[1] Notwithstanding the absence of an express statutory basis, Phillips noted in his statement in U.S. v. Google, LLC and YouTube LLC (a 2019 FTC enforcement action) that the “such other matters as justice may require” language of the statute requires the FTC to consider “the actual harm experienced by consumers as a result of the defendant’s conduct.”

For Phillips, even though Hyperbeard violated the express terms of COPPA, there was insufficient harm to justify the size of the fine. Although the information Hyperbeard collected was personal in nature, and therefore statutorily protected, Phillips deemed it non-sensitive. For Phillips, the practice of collecting non-sensitive information via persistent identifiers in order to serve behavioral advertising is prevalent throughout our economy. In Phillips’ estimation, the combination of the non-sensitive nature of the collected information, the prevalence of advertising practices in society, and the absence of other alleged violations of COPPA, made the fine assessed against Hyperbeard excessive.

Moreover, Phillips expressed concern that focusing on a per se violation of COPPA without sufficient associated harm could lead to “routine and overwhelming penalties” when companies engage in consistent and widespread advertising practices. Further, Phillips expressed concern that penalties could be inconsistently applied or selectively prosecuted. While acknowledging that deterrence of illegal activity is a goal, Phillips argued that the social consequences of the deterrence argument are too great, stating “the costs necessary to achieve complete deterrence of every kind of legal violation would impose such a burden that society should not bear it.”

In sum, for Phillips, while the Commission is required to consider more than just harm (including deterrence), harm should not be ignored and penalties should be assessed differently depending on the severity of the infraction. Interestingly, the same practice of serving behavioral based advertisements was the basis of Phillips’ statement in support of the FTC’s penalties against Google and YouTube. It is unclear why Phillips believes that Hyperbeard’s advertising activities did not cause sufficient harm to justify a significant penalty, while the same advertising activity when performed by YouTube supported an even larger penalty.


Neither side believes that harm or deterrence is irrelevant, but they disagree as to which factor should be considered first or weighed more heavily. This debate is even more interesting when viewed against the backdrop of the ongoing FTC review of COPPA. During 2019, the FTC called for comments in connection with its announced COPPA review. To date, the FTC has not indicated when it will announce its proposed changes, or even whether there will be additional guidance on how the FTC should assess civil penalties for COPPA violations. However, Commissioner Simons seemed to acknowledge this debate is playing a role in the review, stating “Civil penalties will be an ongoing discussion here at the FTC as we attempt to do justice and achieve meaningful relief for consumers.”

[1] 15 U.S.C. Section 45(m)(1)(C) states in relevant part “In determining the amount of such a civil penalty, the court shall take into account the degree of culpability, any history of prior such conduct, ability to pay, effect on ability to continue to do business, and such other matters as justice may require.”


New York City Council Enters the Anti-Surveillance Fray

On Thursday, June 18, 2020 the New York City Council overwhelmingly approved the Public Oversight of Surveillance Technology Act (or “POST Act”) to institute oversight regarding the New York City Police Department’s use of surveillance technologies.

Harm or Deterrence?: FTC Civil Penalty Assessments Under COPPA

The Federal Trade Commission announced its most recent settlement action under the Children’s Online Privacy Protection Act (COPPA) on June 4. The settlement included a $4 million penalty (suspended to $150,000 due to the defendant’s proven inability to pay) against Hyperbeard, Inc. for alleged violations of COPPA.

Georgia COVID-19 Pandemic Business Safety Act

On July 29, 2020 the Georgia General Assembly sent to Governor Brian Kemp for his approval the Georgia COVID-19 Pandemic Business Safety Act.

FTC Provides Guidance on Using Artificial Intelligence and Algorithms

The Director of the Federal Trade Commission (FTC) Bureau of Consumer Protection recently issued guidance in its Tips and Advice blog as to how companies can manage consumer protection risks that may arise as a result of using artificial intelligence and algorithms.

Is Robotic Process Automation Reducing or Increasing your Software Licensing Fees?

While statistics regarding the increase in the use of Robotic Process Automation (RPA) vary, it is clear that the use of RPA is on the rise. Companies are rolling out RPA in an effort to increase productivity, cut costs and reduce errors.

A Few More Thoughts About Improving Our Force Majeure Provisions

The Coronavirus pandemic has brought the force majeure provision into the spotlight. A quick Google search brings up countless articles published in the past few weeks by lawyers worldwide about how to use force majeure provisions offensively and defensively in these uncertain times.

Government Efforts to Fight a Pandemic Challenge Data Privacy Concerns

Media outlets reported this week that representatives from Facebook, Google, Amazon, and Apple are meeting with members of the White House to brainstorm about ways in which the “Big Four,” can leverage the consumer information they possess to help in the war against COVID–19.

School or Parent? Factors Playing into the FTC’s Analysis of who should provide Parental Consent under COPPA in the Age of EdTech

The use of education technologies (EdTech) has exploded in recent years. In fact, between online learning sites, one to one device deployments in school districts and personalized curriculum services, virtually every student today has some online or digital component to their learning.

NYC’s Task Force to Tackle Algorithmic Bias Issues Final Report

In December, 2017 the New York City Council passed Local Law 49, the first law in the country designed to address algorithmic bias and discrimination occurring as a result of algorithms used by City agencies.

While you’ve been focused on CCPA Compliance Efforts, Elon has Been Developing Cyborgs

On November 27, 2019, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) released for public comment a draft of Binding Operational Directive 20-01, Develop and Publish a Vulnerability Disclosure Policy (the “Directive”).