My Little Pony, Barbie Websites Fined For Secretly Tracking Kids

"Operation Child Tracker" found third party applications that were following children around the internet.

Photo Illustration: Diana Quach
Sep 15, 2016 at 11:28 AM ET

Several children’s websites will be paying hefty fines after a two-year-long investigation found that they violated the Children’s Online Privacy Protection Act by allowing third parties to track users’ activities.

New York Attorney General Eric Schneiderman — who is currently in the beginning stages of an investigation into Donald Trump’s charity and a lawsuit accusing Trump University of fraud — also found the time to mount “Operation Child Tracker” two years ago. The unfortunately named (“child tracker,” come on) investigation looked at several child-oriented websites to see if they were in compliance with recent additions to COPPA that forbid cookies and other methods of tracking children’s online lives.

COPPA is a federal law enacted in 2000 that says every website and mobile app targeted to children has to obtain a parent or guardian’s permission before collecting their children’s personal information. Cookies, often used by advertisers to track a website visitor’s behavior, were added to the definition of personal information in 2013. According to Schneiderman’s announcement, websites for Nickelodeon and Nick. Jr. and toys including Barbie, Hot Wheels, American Girl, Neopets, My Little Pony, Little Pet Shop, and Nerf had such trackers.

It’s easy to see how some of the violations happened — and how insidious tracking technology can be, which is one of the reasons why COPPA was updated in the first place. Mattel had a tracker that measured site metrics, which is allowed. But that tracker, which was supplied by as third party, also had a bunch of other trackers that were not allowed and which Mattel apparently didn’t know about or didn’t do its due diligence to prevent. Mattel also embedded its own YouTube videos on some of its toys’ websites, and when children played those videos, Google’s trackers kicked in and began serving ads to kids based on their online behavior. Neopets had a Facebook plug-in, which then allowed Facebook to track users across the internet (this is disabled if the website owner tells Facebook it’s a site for kids, which Neopets didn’t).

New York has proven especially vigilant when it comes to children and the internet recently: Operation Child Tracker is said to be the “first of its kind,” and Gov. Andrew Cuomo barred sex offenders from playing internet games like Pokémon Go in case they were using them to lure children (despite having no evidence that any of them were).

The biggest fines went to Viacom, with $500,000. Mattel was fined $250,000, and Neopets was fined $85,000. Hasbro was mentioned as a violator but was not fined because it participates in the Federal Trade Commission’s safe harbor program. All four companies also agreed to “adopt comprehensive reforms” including regular scans for surprise third party trackers, doing a better job vetting those third parties in the first place, and making sure their websites’ privacy policies are updated.

Schneiderman said the investigation showed that children’s websites in general weren’t doing enough to prevent trackers and finding it difficult to stay in compliance with COPPA as ad technology rapidly changed.

“Operation Child Tracker revealed that some of our nation’s biggest companies failed to protect kids’ privacy and shield them from illegal online tracking,” Schneiderman said. “My office remains committed to protecting children online and will continue our investigation to hold accountable those who violate the law by tracking children.”