The Ninth Circuit Court of Appeals recently issued a ruling that could have significant implications for the data privacy regulatory landscape in the United States, particularly with respect to laws aimed at protecting minors.
A class action lawsuit was filed against Google over the way YouTube tracks the viewing habits of minors. The plaintiffs had sued Google under various state data privacy laws as well as under the federal Children’s Online Privacy Protection Act (COPPA). Google moved for dismissal of the state law claims based on the argument that the plaintiffs’ claims were preempted by COPPA. In other words, Google was arguing that the plaintiffs’ claims can only be brought under COPPA because it supersedes state law with respect to the plaintiffs’ allegations. Though the district court agreed with Google, the Ninth Circuit reversed, holding that because there’s no inconsistency between COPPA and the state laws at issue, the plaintiffs can sue under both.
The main take home from this decision is that the patchwork nature of data privacy regulation in the United States isn’t going away anytime soon. The United States is fairly unique in this regard, both in terms of the lack of a comprehensive federal data privacy law as well as the existence of numerous data privacy laws at the state level. Many of those state laws are domain-specific and are essentially duplicative of laws and regulations at the federal level. In many ways, this makes data privacy compliance more complex in the US than in other countries, which has prompted calls for an overhaul spearheaded by the federal government.
What’s also notable here is that the Federal Trade Commission (FTC), which enforces COPPA, actually sided with the plaintiffs on this issue, happily conceding that it’s not the only sheriff in town when it comes to policing compliance with COPPA’s requirements. This decision coupled with the FTC’s position means that the calls for a federally driven overhaul of data privacy law in the US won’t be heeded anytime soon.
