The Federal Trade Commission (FTC) recently filed a brief in the case of Jones v. Google, stating that the Children’s Online Privacy Protection Rule (COPPA) does not preempt state online privacy laws that are consistent with COPPA. The FTC’s brief ultimately agreed with an appellate court’s ruling in the matter. In showing a strong interest in interpreting COPPA correctly, the FTC continues to protect the public from deceptive or unfair business practices. In line with this mission, earlier this month, the FTC joined other agencies in a statement on artificial intelligence and automated systems, citing concerns about invasive commercial surveillance. However, even in the case of the lawful collection of consumer data, employers must protect against cybersecurity threats to ensure the security and privacy of that information.

COPPA and Online Privacy Laws

Enacted in 1998, COPPA requires websites and other online services targeted toward children under 13 to notify parents and obtain verifiable consent before collecting personal information from children. COPPA also includes a preemption clause restricting states from imposing liability for such regulated activities if state law is inconsistent with how COPPA treats those activities. The FTC enforces COPPA, which affects what covered businesses must include within their online privacy policies.

Background of the Case

In Jones v. Google, a group of children, appearing through their parents and guardians, alleged that Google collected their data and covertly tracked their online activity in violation of federal COPPA and state online privacy laws. Specifically, the plaintiffs stated the following:

  • Google used persistent identifiers (a unique identifying code attached to a specific downloaded file or accessed webpage) to collect data on them.
  • The company tracked their online behavior surreptitiously and without consent.

The plaintiffs brought their case to the U.S. District Court for the Northern District of California. The district court initially found that COPPA preempted the claims under California state online privacy laws. Subsequently, the plaintiffs appealed to the U.S. Court of Appeals for the Ninth Circuit.

When COPPA Does Not Preempt State Online Privacy Laws

Upon appeal, Google argued that all state online privacy laws involving children’s online privacy are inconsistent with COPPA’s framework. Therefore, they claimed that federal COPPA preempts and bars them. The Ninth Circuit, however, disagreed with the district court’s decision and found that COPPA did not preempt the plaintiff’s claims under state law. As the panel noted in considering previous preemption claims, state laws that “supplement” or “require the same thing” as federal laws are not inconsistent with the relevant federal law.

In response to Google’s request for additional review, the Ninth Circuit asked the FTC to weigh in. The question was whether the COPPA preemption clause preempts state law causes of action concerning data-collection activities violating COPPA but predicated on a claim under COPPA. The FTC responded, filing an amicus brief supporting the Ninth Circuit’s decision to reject Google’s interpretation. According to the brief, COPPA does not preempt state laws that are consistent with COPPA’s treatment of regulated activities. Furthermore, nothing in COPPA or its legislative history supports sweeping preemption, as Google tried to claim.