As most privacy watchers know, one of the hot-button issues in the ongoing debate over federal legislation is whether the law should include a private right of action (PRA). As we also know, some existing federal privacy laws include a PRA (e.g., the Cable Communications Policy Act) and some don’t (e.g., the Children’s Online Privacy Protection Act).
However, a recent decision from the 9th Circuit reminds us that it may not matter whether a federal law specifically creates a PRA. Indeed, even where the law doesn’t mention a PRA, private plaintiffs have a wide array of other tools from which to derive one.
The case – Jones v. Google – is technically about preemption (another hot button privacy issue) and whether COPPA preempts state law. However, because it involves claims brought by private plaintiffs (who are suing Google under state law theories that “are parallel to, or prescribe the same conduct forbidden by, COPPA”), it also answers the question of whether COPPA preempts such “parallel” PRAs under state law. The 9th Circuit responded with an emphatic “no,” reversing the holding of the district court below. (Note that Google has sought a rehearing in the 9th Circuit en banc, so this may not be the end of the story.)
Here’s a little more background:
COPPA’s preemption provision
COPPA provides that “No State or local government may impose any liability for commercial activities or actions by operators in interstate or foreign commerce in connection with an activity or action described in this chapter that is inconsistent with the treatment of those activities or actions under this section.” (Section 6502(d))
The case – Jones v. Google
Plaintiffs in the case (described as “several minor children” suing through guardians ad litem) filed an action against Google (among other defendants), alleging that, on its YouTube platform, Google collected and used children’s IP addresses for advertising purposes, without parental consent. The alleged violations track those contained in the FTC’s 2019 COPPA case against Google (brought jointly with the New York AG), alleging conduct that would violate COPPA. However, because COPPA doesn’t include a PRA, plaintiffs based their case on various state law theories, including invasion of privacy, unjust enrichment, consumer protection (aka UDAP) violations, and unfair business practices based on constitutional, statutory, and common law theories in various states.
Google moved to dismiss the case, asserting that the plaintiffs’ claims were preempted by COPPA. The district court agreed, concluding that the core allegations in the case were “squarely covered” by COPPA; that the plaintiffs’ action was “inconsistent” with the statutory scheme laid out in COPPA (which authorizes enforcement only by the FTC and State AGs, and requires coordination between them); and that other allegations failed to allege deception beyond what’s regulated by COPPA. On appeal by the plaintiffs, a three-judge panel of the 9th Circuit reversed.
The panel analyzed the COPPA language under both express and conflict preemption doctrines but reached the same basic conclusion under both – that, in barring “inconsistent” state laws, COPPA implicitly preserves state laws that are “consistent” (i.e., “do not stand as an obstacle to COPPA in purpose of effect”) – even where the state remedies for violations may be different. The circuit court also specifically rejected Google’s argument that the language in COPPA (especially its use of the word “treatment”) evinced a Congressional intent to create an exclusive remedial scheme for COPPA.
In sum, although COPPA doesn’t include a PRA and preempts “inconsistent” state laws, the plaintiffs were able to challenge COPPA-covered conduct based on state theories of liability – indeed, theories under UDAP and the common law that are (at least arguably) broad enough to encompass conduct covered by many other laws.
As noted, Google has sought a rehearing en banc so it’s possible the outcome here will change yet again. (Note that the FTC has weighed in here via amicus brief, supporting the panel’s ruling.) However, the case illustrates how the private bar can (and/or is attempting) to use general and common law theories of liability to (in essence) create PRAs even for federal laws that omit them.
It’s also worth thinking about what this might mean for other federal laws and regulations that (1) don’t include a PRA and (2) don’t preempt, or only partially preempt, state laws enforceable by private plaintiffs. (As this primer on federal preemption makes clear, even where preemption applies, there are many different types of express and implied preemption schemes that, like COPPA’s, preserve state law in whole or in part.)
Just as examples:
- One of the leading federal proposals to address kids’ online safety – the Kids Online Safety Act (KOSA) – is silent on preemption and doesn’t create a PRA. If passed, will private plaintiffs use it as a model to craft “parallel” PRAs under state law?
- Another legislative proposal – the Children and Teens’ Online Privacy Protection Act (aka COPPA 2.0) – would substantially expand COPPA. If passed, will its new provisions invite new class actions under state law, following the Jones v. Google model?
- Over at the FTC, the proposal to develop a Surveillance and Data Security Rule is (so far) silent on preemption and certainly doesn’t attempt to create a PRA. (As Consumer Protection Director Sam Levine acknowledged in a recent blogpost on the Franchise Rule, the FTC can’t create a PRA on its own.) If and when completed, will the rule pave the way for Jones v. Google-typePRAs – challenging conduct that would violate the federal rule, but alleging state law violations instead?
- As a final (non-privacy) example, the FTC’s pending rulemaking to expand the Negative Option Rule proposes a preemption scheme that would preserve state laws that are consistent with and/or provide “greater protection” than the rule. Here too, if and when the rule is completed, will private plaintiffs use it as a model to develop parallel state claims? (Indeed, the state claims could go even further than the FTC rule, due to the proposed “greater protection” language.)
Admittedly, the PRAs I’m discussing aren’t actually PRAs under federal law – they’re parallel state suits that, arguably, private parties could bring even in the absence of a federal law. However, as we all know, federal law provides a model and statement of public policy that plaintiffs and courts draw upon in interpreting and expanding state common law theories and rights.
This point is not lost on the FTC’s Levine, which in the blogpost (mentioned above) invited this very outcome in the context of the FTC’s Franchise Rule, stating:
Neither the FTC Act nor the Franchise Rule creates a private right of action that allows a consumer to sue a franchisor under those laws. However, the Franchise Rule prohibits practices the FTC has determined are unfair or deceptive, and franchisees may be able to use state statutes that prohibit unfair or deceptive practices to challenge conduct that violates the Franchise Rule or truth-in-advertising standards. Of course, state law will determine whether a franchisee may bring a claim for a franchisor’s misrepresentations or omissions, but let’s be clear: There is nothing in the FTC Act or the Franchise Rule that would preclude franchisees from exercising their legal rights. Simply put, the FTC Act and the Franchise Rule impose no roadblock to consumers seeking justice under state law.