Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • FTC files amicus brief in defense of COPPA

    Privacy, Cyber Risk & Data Security

    On August 19, the FTC filed an amicus brief supporting a class of plaintiffs representing their minor children in a case alleging that an educational technology company unlawfully collected, used and sold the children’s data in violation of COPPA. In the class action litigation, the educational technology company moved to compel arbitration based on its agreement with school districts, arguing that, under COPPA, the school district acts as agents for the parents and thus the district’s agreement is binding on the parents.  

    The FTC’s amicus brief disputed the company’s conclusion, arguing instead that COPPA does not address whether parents and children were bound by arbitration agreements when school districts agree to terms of service for classroom software. The FTC emphasized that COPPA’s provisions are limited to parental notice and consent requirements and do not extend to contractual obligations. 

    The FTC clarified in its brief that its guidance on schools’ roles under COPPA is limited to the notice and consent process and made clear that the commission’s commentary relied on by the company does not create an agency relationship between parents and school districts beyond the context of this the notice and consent. The FTC argued that the educational technology company’s reliance on COPPA (to justify binding parents and children to arbitration agreements) is unfounded in the rule implementing COPPA or FTC commentaries on the rule. Through its submission, the FTC, as the agency primarily tasked with enforcing COPPA, aimed to provide the court with its interpretation of COPPA thus emphasizing that the statute and its implementing rule do not support compelling arbitration of the parents’ claims in this case. The agency’s involvement also aims to underscore its commitment to protecting children’s online privacy and ensuring that companies adhere to COPPA’s requirements. 

    Privacy, Cyber Risk & Data Security FTC COPPA Amicus Brief

  • E-commerce company fined $25 million for alleged COPPA violations

    Federal Issues

    On July 19, the DOJ and FTC announced that a global e-commerce tech company has agreed to pay a penalty for alleged privacy violations related to its smart voice assistant’s data collection and retention practices. The agencies sued the company at the end of May for violating the Children’s Online Privacy Protection Act Rule and the FTC Act, alleging it repeatedly assured users that they could delete collected voice recordings and geolocation information but actually held onto some of this information for years to improve its voice assistant’s algorithm, thus putting the data at risk of harm from unnecessary access. (Covered by InfoBytes here.)

    The stipulated order requires the company to pay a $25 million civil money penalty. The order also imposes injunctive relief requiring the company to (i) identify and delete any inactive smart voice assistant children’s accounts unless requested to be retained by a parent; (ii) notify parents whose children have accounts about updates made to its data retention and deletion practices and controls; (iii) cease making misrepresentations about its “retention, access to or deletion of geolocation information or voice information, including children’s voice information” and delete this information upon request of the user or parent; and (iii) disclose its geolocation and voice information retention and deletion practices to consumers. The company must also implement a comprehensive privacy program specific to its use of users’ geolocation information.

    Federal Issues Privacy, Cyber Risk & Data Security DOJ FTC Enforcement COPPA FTC Act Consumer Protection

  • FTC proposal would allow facial recognition for consent under COPPA

    Agency Rule-Making & Guidance

    On July 19, the FTC announced it is seeking public feedback on whether it should approve an application that proposes to create a new method for obtaining parental consent under the Children’s Online Privacy Protection Act (COPPA). The new method would involve analyzing a user’s facial geometry to confirm the individual’s age. Under COPPA, online sites and services directed to children under 13 are required to obtain parental consent before collecting or using a child’s personal information. COPPA provides a number of acceptable methods for obtaining parental consent but also allows interested parties to submit proposals for new verifiable parental consent methods to the FTC for approval.

    The application was submitted by a company that runs a COPPA safe harbor program, along with a digital identity company and a technology firm that helps companies comply with parental verification requirements. Specifically, the FTC’s request for public comment solicits feedback on several questions relating to the application, including: (i) whether the proposed age verification method is covered by existing methods; (ii) whether the proposed method meets COPPA’s requirements for parental consent (i.e., can the proposed method ensure that the person providing consent is the child’s parent); (iii) does the proposed method introduce a privacy risk to consumers’ personal information, including their biometric information; and (iv) does the proposed method “pose a risk of disproportionate error rates or other outcomes for particular demographic groups.” Comments are due 30 days after publication in the Federal Register.

    Agency Rule-Making & Guidance Federal Issues Privacy, Cyber Risk & Data Security Consumer Protection FTC COPPA

  • 9th Circuit denies en banc hearing on COPPA preemption question

    Courts

    On July 13, a panel of the U.S. Court of Appeals for the Ninth Circuit entered an order amending an opinion filed on December 28, 2022 and denied a petition for rehearing en banc in a putative class action accusing a multinational technology company and search engine and its affiliated video-sharing platform of collecting children’s data and tracking their online behavior surreptitiously without parental consent in violation of state law and the Children’s Online Privacy Protection Act (COPPA). The panel unanimously voted against defendant’s en banc rehearing request, commenting that no other 9th Circuit judge has requested a vote on whether to consider the matter en banc.

    Claiming the defendant used “persistent identifiers” — which the FTC’s regulations define as information “that can be used to recognize a user over time and across different Web sites or online services” — class members alleged state law claims arising under the constitutional, statutory, and common laws of California, Colorado, Indiana, Massachusetts, New Jersey, and Tennessee. Last December, the three-judge panel reversed and remanded the district court’s dismissal of the suit, disagreeing that the allegations were squarely covered, and preempted, by COPPA (covered by InfoBytes here.) On appeal, the 9th Circuit considered whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulations. The panel determined that “COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA. Express preemption therefore does not apply to the children’s claims.” The panel further noted that the U.S. Supreme Court and others have long held “that a state law damages remedy for conduct already proscribed by federal regulations is not preempted.”

    The panel, however, amended its prior opinion to note that the FTC supports its conclusion that COPPA does not preempt the asserted state law privacy claims on the basis of either express preemption or conflict preemption. At the end of May, at the 9th Circuit’s request, the FTC filed an amicus brief (covered by InfoBytes here) arguing that COPPA does not preempt state laws that are consistent with the federal statute’s treatment of regulated activities. The panel concluded that neither express preemption nor conflict preemption bar the plaintiffs’ claims.

    Courts Privacy, Cyber Risk & Data Security Appellate Ninth Circuit COPPA State Issues Class Action FTC Preemption

  • FTC, DOJ sue e-commerce company over child data

    Federal Issues

    On May 31, the DOJ filed a complaint on behalf of the FTC against a global e-commerce tech company for allegedly violating the Children’s Online Privacy Protection Act Rule (COPPA) relating to its smart voice assistant’s data collection and retention practices. While the company repeatedly assured users that they could delete collected voice recordings and geolocation information, the complaint alleged that the company held onto some of this information for years to improve its voice assistant’s algorithm, thus putting the data at risk of harm from unnecessary access. Additionally, the complaint also contended that, for a significant period of time, the company continued to retain transcripts for recordings even after the voice recordings were deleted. According to the complaint, the company failed to provide complete, truthful notice to parents about its deletion practices and lacked an effective system to ensure users’ data deletion requests were honored.

    The proposed court order would require the company to pay a $25 million civil money penalty and would prohibit the company from using geolocation and voice to create or improve any of its data products after a deletion request. The company would also be required to (i) delete any inactive smart voice assistant children’s accounts; (ii) notify users about its data retention and deletion practices and controls; and (iii) implement a privacy program specific to its use of users’ geolocation information, among other things.

    Federal Issues Privacy, Cyber Risk & Data Security FTC DOJ Enforcement COPPA Consumer Protection

  • FTC says COPPA does not preempt state privacy claims

    Courts

    The FTC recently filed an amicus brief in a case on appeal before the U.S. Court of Appeals for the Ninth Circuit, arguing that the Children’s Online Privacy Protection Act (COPPA) does not preempt state laws that are consistent with the federal statute’s treatment of regulated activities. The full 9th Circuit is currently reviewing a case brought against a multinational technology company accused of using persistent identifiers to collect children’s data and track their online behavior surreptitiously and without their consent in violation of COPPA and various state laws.

    As previously covered by InfoBytes, last December the 9th Circuit reversed and remanded a district court’s decision to dismiss the suit after reviewing whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulation. At the time, the 9th Circuit examined the language of COPPA’s preemption clause, which states that state and local governments cannot impose liability for interstate commercial activities that is “inconsistent with the treatment of those activities or actions” under COPPA. The opinion noted that the 9th Circuit has long held “that a state law damages remedy for conduct already proscribed by federal regulations is not preempted,” and that the statutory term “inconsistent” in the preemption context refers to contradictory state law requirements, or to requirements that stand as obstacles to federal objectives. The opinion further stated that because “the bar on ‘inconsistent’ state laws implicitly preserves ‘consistent’ state substantive laws, it would be nonsensical to assume Congress intended to simultaneously preclude all state remedies for violations of those laws.” As such, the appellate court held that “COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA. Express preemption therefore does not apply to the children’s claims.” The defendant asked the full 9th Circuit to review the ruling. The appellate court in turn asked the FTC for its views on the COPPA preemption issue, specifically with respect to “whether the [COPPA] preemption clause preempts fully stand-alone state-law causes of action by private citizens that concern data-collection activities that also violate COPPA but are not predicated on a claim under COPPA.”

    In agreeing with the 9th Circuit that plaintiffs’ claims are not preempted in this case, the FTC argued that nothing in COPPA’s text, purpose, or legislative history supports the sweeping preemption that the defendant claimed. According to the defendant, plaintiffs’ state law claims are inconsistent with COPPA and are therefore preempted “because the claims were brought by plaintiffs who were not authorized to directly enforce COPPA, and would result in monetary remedies under state law that COPPA did not make available through direct enforcement.” Moreover, all state law claims relating to children’s online privacy are inconsistent with COPPA’s framework, including those brought by state enforcers, the defendant maintained. The FTC disagreed, writing that the 9th Circuit properly rejected defendant’s interpretation, which would preempt a wide swath of traditional state laws. Moreover, COPPA’s preemption clause only applies to state laws that are “inconsistent” with COPPA so as not to create “field preemption,” the FTC said, adding that plaintiffs’ claims in this case are consistent with the statute.

    Courts State Issues Privacy, Cyber Risk & Data Security FTC Appellate Ninth Circuit COPPA Class Action Preemption

  • Indiana becomes seventh state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 1, the Indiana governor signed SB 5 to establish a framework for controlling and processing consumers’ personal data in the state. Indiana is now the seventh state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, and Iowa (covered by Special Alerts here and here and InfoBytes here, here, here, and here). The Act applies to any person that conducts business in the state or produces products or services targeted to residents and, during a calendar year, (i) controls or processes personal data of at least 100,000 Indiana residents or (ii) controls or processes personal data of at least 25,000 Indiana residents and derives more than 50 percent of gross revenue from the sale of personal data. The Act outlines exemptions, including financial institutions and data subject to the Gramm-Leach-Bliley Act, as well as covered entities governed by the Health Insurance Portability and Accountability Act.

    Indiana consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or certain profiling. The Act outlines data controller responsibilities, including a requirement that controllers must respond to consumers’ requests within 45 days unless extenuating circumstances arise. The Act also limits the collection of personal data “to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer,” and requires controllers to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities created on or generated after December 31, 2025, that present a heightened risk of harm to consumers. Under the Act, controllers may not process consumers’ personal data without first obtaining consent, or in the case of a minor, without processing such data in accordance with the Children’s Online Privacy Protection Act. Additionally, the Act sets forth obligations relating to contracts between a controller and a processor.

    While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 30 days to cure the alleged violation before the attorney general can file suit. The attorney general may seek injunctive relief and civil penalties not to exceed $7,500 for each violation.

    The Act takes effect January 1, 2026.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Indiana Consumer Protection COPPA

  • FTC testifies on privacy efforts

    Federal Issues

    On April 18, FTC Chair Lina M. Khan and Commissioners Rebecca Slaughter and Alvaro Bedoya testified before the House Energy and Commerce Subcommittee on Innovation, Data, and Commerce on the agency’s efforts to protect consumers from unfair or deceptive practices and unfair methods of competition. The hearing addressed the agency’s 2024 budget request, as well as topics focused on rulemaking authority, junk fees, robocalls, fraud, and privacy initiatives, among others. House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA) delivered opening remarks, during which she cited the resignation of both Republican commissioners and criticized the agency’s “abuses of power.”

    In a prepared statement, the commissioners provided an overview of the agency’s consumer protection work, including its initiatives to safeguard consumers’ privacy that take a multi-pronged approach focusing on health data, children and teens, and data security. The commissioners broadly discussed recent enforcement actions taken to protect sensitive health data and commented on FTC efforts to use the agency’s rulemaking authority to protect children in the marketplace (the FTC is currently reviewing the Children’s Online Privacy Protection Act Rule to determine any necessary changes and is exploring how commercial surveillance may be fueling manipulative advertising practices targeted towards children and teens). They also flagged a recent data security action as an example of how the agency “is pivoting toward requiring restrictions on what data firms can collect and retain.” According to the testimony, the FTC engaged in 35 investigations, cases, and enforcement projects with foreign consumer, privacy, and criminal enforcement agencies during the last fiscal year. The commissioners also said the agency is currently reviewing comments received on a 2022 advance notice of proposed rulemaking (covered by InfoBytes here), which sought feedback on the widespread collection of consumers’ personal information as well as concerns relating to consumer data security and commercial surveillance. While the commissioners reiterated the agency’s strong support for federal privacy legislation, Chair Rodgers said the FTC voted on partisan lines “to act unilaterally” on its own set of rules.

    Federal Issues Privacy, Cyber Risk & Data Security House Energy and Commerce Committee Consumer Protection FTC UDAP COPPA

  • FTC finalizes gaming company order on dark patterns

    Federal Issues

    On March 14, the FTC finalized an administrative order requiring a video game developer to pay $245 million in refunds to consumers allegedly tricked into making unwanted in-game purchases. As previously covered by InfoBytes, the FTC filed an administrative complaint claiming players were able to accumulate unauthorized charges without parental or card holder action or consent. The FTC alleged that the company used a variety of dark patterns, such as “counterintuitive, inconsistent, and confusing button configuration[s],” designed to get players of all ages to make unintended in-game purchases. These tactics caused players to pay hundreds of millions of dollars in unauthorized charges, the FTC said, adding that the company also charged account holders for purchases without authorization. Under the terms of the final decision and order, the company is required to pay $245 million in refunds to affected card holders. The company is also prohibited from charging players using dark patterns or without obtaining their affirmative consent. Additionally, the company is barred from blocking players from accessing their accounts should they dispute unauthorized charges.

    Separately, last month the U.S. District Court for the Eastern District of North Carolina entered a stipulated order against the company related to alleged violations of the Children’s Online Privacy Protection Act (COPPA). The FTC claimed the company failed to protect underage players’ privacy and collected personal information without first notifying parents or obtaining parents’ verifiable consent. Under the terms of the order, the company is required to ensure parents receive direct notice of its practices with regard to the collection, use or disclosure of players’ personal information, and must delete information previously collected in violation of COPPA’s parental notice and consent requirements unless it obtains parental consent to retain such data or the player claims to be 13 or older through a neutral age gate. Additionally, the company is required to implement a comprehensive privacy program to address the identified violations, maintain default privacy settings, obtain regular, independent audits, and pay a $275 million civil penalty (the largest amount ever imposed for a COPPA violation).

    Federal Issues FTC Enforcement Dark Patterns COPPA Privacy, Cyber Risk & Data Security FTC Act Unfair UDAP Consumer Finance

  • 9th Circuit reverses decision in COPPA suit

    Courts

    In December, the U.S. Court of Appeals for the Ninth Circuit reversed and remanded a district court’s decision to dismiss a suit alleging that a multinational technology company used persistent identifiers to collect children’s data and track their online behavior surreptitiously and without their consent in violation of the Children’s Online Privacy Protection Act (COPPA). According to the opinion, the company used targeted advertising “aided by sophisticated technology that delivers curated, customized advertising based on information about specific users.” The opinion further explained that “the company’s technology ‘depends partly on what [FTC] regulations call ‘persistent identifiers,’ which is information ‘that can be used to recognize a user over time and across different Web sites or online services.’” The opinion also noted that in 2013, the FTC adopted regulations under COPPA that barred the collection of children’s “persistent identifiers” without parental consent. The plaintiff class claimed that the company used persistent identifiers to collect data and track their online behavior surreptitiously and without their consent, and alleged state law claims arising under the constitutional, statutory, and common law of California, Colorado, Indiana, Massachusetts, New Jersey, and Tennessee, in addition to COPPA violations. The district court ruled that the “core allegations” in the third amended complaint were squarely covered, and preempted, by COPPA.

    On appeal, the 9th Circuit considered whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulations. To determine this, the appellate court examined the language of COPPA’s preemption clause, which states that state and local governments cannot impose liability for interstate commercial activities that is “inconsistent with the treatment of those activities or actions” under COPPA. The opinion noted that the 9th Circuit has long held “that a state law damages remedy for conduct already proscribed by federal regulations is not preempted,” and that the statutory term “inconsistent” in the preemption context refers to contradictory state law requirements, or to requirements that stand as obstacles to federal objectives. The appellate court stated that it was not “persuaded that the insertion of ‘treatment’ in the preemption clause here evinces clear congressional intent to create an exclusive remedial scheme for enforcement of COPPA requirements.” The opinion noted that because “the bar on ‘inconsistent’ state laws implicitly preserves ‘consistent’ state substantive laws, it would be nonsensical to assume Congress intended to simultaneously preclude all state remedies for violations of those laws.” As such, the appellate court held that “COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA. Express preemption therefore does not apply to the children’s claims.”

    Courts Appellate Ninth Circuit COPPA Privacy, Cyber Risk & Data Security FTC State Issues

Pages

Upcoming Events