Critics and advocates alike are pondering the landmark U.S. Supreme Court decision, Loper Bright Enterprises v. Raimondo. The reality of what it means when it comes to privacy, especially the privacy of young people, is nuanced. The Loper Bright decision is not necessarily a crisis for the Children’s Online Privacy Protection Act (COPPA) or those who support children’s privacy. But when it comes to teenagers’ privacy, the implications are different. If there is a bipartisan Congressional interest in protecting teenagers’ privacy, legislation is needed now.
Loper Bright overturned Chevron deference, under which courts faced with ambiguous statutes defer to reasonable regulatory agency interpretations of such statutes. Special concerns have been raised about what this means in the privacy and technology arena, where statutes are often vague in order to avoid being too tied to existing technology, and where agencies often have more technology expertise than courts (or at least have more technology experts). In response to the ruling, Republican congressional leaders called on the Federal Trade Commission (FTC) and others to list rules, decisions, and enforcement actions that contain interpretations that may be subject to Chevron deference.
In overturning the Chevron decision, the Court in Loper Bright wrote that “courts must use their own judgment in determining whether an agency acted within its statutory authority.” But, the Court argued, agencies and their interpretations still play a key role. It wrote:
Of course, in cases involving agencies, the meaning of the statute is likely to be that the agency is authorized to exercise some discretion. Congress has frequently enacted such statutes. For example, some statutes “expressly delegate” to agencies the power to give meaning to certain statutory terms. Other statutes grant agencies the power to prescribe rules to “fill in the details” of the statutory system, or to regulate subject to limitations imposed by terms or phrases such as “appropriate” or “reasonable” that “give the agency flexibility.” Courts must determine the scope of the “constitutional delegation.”
In other words, Congress “often” delegates discretionary power to agencies by statute, and although the scope of that delegation is for the courts to decide, agencies may act within that scope. Statutes can give agencies the power to fill in the details.
COPPA under Loper Bright
Loper Bright reiterated that Congress has “often” given agencies discretionary power through statutes, with COPPA being one such statute.
In other words, there is no immediate need for panic for the public, or for kids. I say this as someone who has spent years trying to get Congress to pass modern child and youth privacy laws, lobbied for compliance with existing laws, and been involved in multiple COPPA rulemaking efforts.
In COPPA, Congress expressly delegated to the FTC the authority to define key terms like “personal information,” and to state that personal information is information that can identify an individual, including “any identifier that the Commission determines would permit physical or online contact with a particular individual” (emphasis added). The FTC was also expressly delegated the authority to determine when regulations need not require verifiable parental consent under certain circumstances. Under sec. 15 USC 6501 (2)(b)(2)(C)(ii), FTC regulations shall address exceptions to parental consent, including examples “without parental notice under circumstances the Commission determines appropriate” (emphasis added).
COPPA gives agencies authority throughout the statute to “fulfill statutory schemes,” but does so through limited regulation that leaves agencies “flexibility” and allows for future changes in technology. For example, the statute requires that “verifiable parental consent” mechanisms require “reasonable efforts (considering available technology),” and FTC regulations require “reasonable” security procedures.
Much of the FTC’s current COPPA rulemaking should fall safely within the agency’s mandate. For example, the FTC is proposing to expand the definition of personal information to include biometric identifiers. If the FTC determines that such identifiers permit online or physical contact with a child, it can do so expressly under the law. The FTC also proposes to strengthen data security requirements. The law requires it to enact “reasonable” security requirements, and there should be flexibility to determine what is reasonable even under Loper Bright.
More novel aspects of the rulemaking, such as the proposal to codify educational technology exceptions to parental consent, may be within the scope of the FTC’s express mandate to determine what is appropriate or may otherwise be within its mandate. As noted above, under the statute the FTC can determine whether certain parental consent exceptions are appropriate. The proposed educational technology rules address exceptions to parental consent, and in practice, some educational technology uses may fall within the scope of that express mandate. Where this is not the case, or where other aspects of the proposed rules are inconsistent with the statutory text’s explicit references to “Commission decisions,” the FTC is filling in the details in the changing technology areas in which it is directed to prescribe rules.
Thus, the FTC’s proposed rule can be legitimately interpreted as filling an appropriate gap within its scope of authority, given the overall statutory language, the directive to adopt regulations that reflect new and “current” technology that Congress was addressing in 1998, and the fact that the regulations are to be reviewed for effectiveness by the FTC within five years of their initial passage. As Loper Bright reiterates in its conclusion, this decision “is not to say that Congress cannot or will not grant the agency discretion; Congress can, and has often done so within constitutional limits.” Courts need only “uniquely identify and respect such delegations of authority, monitor outside the statutory boundaries of those delegations, and ensure that the agency exercises discretion in accordance with the APA.” COPPA can be interpreted to provide the FTC with appropriate discretion to provide flexibility in protecting the privacy of children under the age of 13.
This doesn’t mean that Congress can’t further clarify in future legislation that the FTC has the authority to determine how to adequately protect children’s privacy in new technologies. On the contrary, if Congress is serious about protecting young people’s privacy, it should seek to provide further clarity going forward. Addressing educational technology specifically is prudent for many reasons. COPPA was passed at a time when Chevron deference was understood to be the rule, and future legislation will be passed under a different judicial system. But there is reason to believe that COPPA can continue to protect young children, including through regulatory updates to keep up with changing technologies.
The different case of teenagers
When it comes to protecting teenagers, Loper Bright may be more problematic. Currently, there is no Congressional law or specific FTC rule that specifically protects teenagers’ privacy. The FTC’s current commercial surveillance rulemaking explicitly considers violations of teenagers’ privacy. The rulemaking is based on the FTC Act’s Section 5 authority to regulate unfair and deceptive trade practices and Section 18 authority to issue rules that define unfair and deceptive practices. It is a comprehensive rulemaking that faces many challenges beyond the consideration of Chevron. However, given the scope of Section 5, it is unclear what authority is delegated to the FTC to regulate teenagers’ privacy.
Additionally, while Chevron deference has not played much of a role in FTC enforcement, the FTC has recently relied on Section 5 to protect teenagers in privacy and online safety enforcement actions. For example, earlier this month in NGL Labs, the FTC and the Los Angeles District Attorney settled a lawsuit with an anonymous messaging app, one of whose claims was that advertising the anonymous messaging app to teenagers was unfair under Section 5 and caused significant harm. In a previous settlement with Epic Games, the FTC also relied on its Section 5 authority to protect teenagers, alleging that Fortnite’s default settings, such as having live text and voice communication turned on and matching young people with strangers to play games together, harmed children and teenagers who were bullied, threatened, and harassed. And in a related executive order, the FTC alleged that Epic’s use of dark patterns led children and teenagers to make unwanted in-app purchases, also violating Section 5.
It seems likely that Loper Bright will embolden future defendants to resist settlements or push back on claims, if they believe that courts are likely to find that the FTC’s interpretation of Section 5 as protecting the privacy and well-being of teenagers online oversteps the FTC’s authority.
If Congress truly wants to ensure that teens are protected online, it needs, more than ever before, to enact specific legislation that delegates authority to the FTC to protect teen privacy.
Issues for Congress
While there remains good reason to believe that COPPA, as updated through the FTC’s rules, will continue to provide flexibility to protect children’s privacy, the FTC’s ability to protect teenagers may be significantly limited. Congress could change this trajectory by passing future privacy legislation that explicitly provides for delegation of authority to the FTC, including to address rapidly evolving technologies such as artificial intelligence and emerging technologies.