Reported September 14, 2020, by kidscreen.com, a London company Hausfeld & Co LLP is suing YouTube for $2.5 billion to be dispersed among five million British children and parents. The lawsuit was filed because YouTube is tracking

kids under age 13 - and the children deserve compensation.

The suite also claims YouTube regularly breaks the UK Data Protection Act and the EU's General Data Protection Regulation (GDPR).  This claim is brought one year after YouTube agreed to pay $170 million to the US FTC and New York Attorney General for violating COPPA by using cookies on kid-directed channels to track children across the internet, without parental consent.

Children's Online Privacy Protection Rule ("COPPA")

General requirements. It shall be unlawful for any operator of a Web site or online service directed to children, or any operator that has actual knowledge that it is collecting or maintaining personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under this part. Generally, under this part, an operator must:

(a) Provide notice on the Web site or online service of what information it collects from children, how it uses such information, and                its disclosure practices for such information (§312.4(b));

(b) Obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children (§312.5);

(c) Provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its                   further use or maintenance (§312.6);

(d) Not condition a child's participation in a game, the offering of a prize, or another activity on the child disclosing more personal                 information than is reasonably necessary to participate in such activity (§312.7); and

(e) Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information                       collected from children (§312.8).

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR's primary aim is to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.^[1] Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who are located in the EEA, and applies to any enterprise—regardless of its location and the data subjects' citizenship or residence—that is processing the personal information of data subjects inside the EEA.