Protecting Kids’ Privacy, Post-Chevron Deference

Critics and celebrants have been digesting the landmark US Supreme Court decision, Loper Bright Enterprises v. Raimondo. For privacy, and youth privacy in particular, the reality of what it means is nuanced. The Loper Bright decision need not be a crisis for the Children’s Online Privacy Protection Act (COPPA) and those who support children’s privacy. For teen privacy, the implications are different–and if there is bipartisan Congressional interest in protecting teenagers' privacy, legislation is needed now.

Loper Bright overturned Chevron deference, under which courts facing ambiguous statutes were to defer to reasonable regulatory agency interpretations of such statutes. There have been special concerns raised about what this means in the privacy and technology space, where statutes may often be ambiguous in order to not be too tied to existing technology, and where agencies are typically more technologically expert–or at least staffed by more technology experts–than courts. Following the decision, Congressional Republican leaders asked that the Federal Trade Commission (FTC), among others, list rules, adjudications, and enforcement actions that involved interpretations that might have been eligible for Chevron deference.

In overruling Chevron, Loper Bright says that “Courts must exercise their independent judgment in deciding whether an agency has acted within its statutory authority.” But Loper Bright maintains an important role for agencies and agency interpretations all the same. It states that:

In a case involving an agency, of course, the statute’s meaning may well be that the agency is authorized to exercise a degree of discretion. Congress has often enacted such statutes. For example, some statutes ‘expressly delegate’ to an agency the authority to give meaning to a particular statutory term. Others empower an agency to prescribe rules to ‘fill up the details’ of a statutory scheme, or to regulate subject to the limits imposed by a term or phrase that ‘leaves agencies with flexibility’ such as ‘appropriate’ or ‘reasonable.’ A court must determine the bounds of the ‘constitutional delegation.’

In other words, Congress has “often” delegated discretionary authority to agencies in its statutes, and while the courts should determine the bounds of that delegation, the agency can act within such bounds at its discretion. Statutes can empower agencies to fill in the details.

COPPA under Loper Bright

Repeatedly, Loper Bright states that Congress “often has” conferred discretion to agencies in its statutes. COPPA is one of those statutes.

In other words, there is no need to immediately panic–both in general, and for the kids. And I say that as someone who has spent years trying to get Congress to pass updated children and teens’ privacy legislation, working to comply with already existing legislation, and weighing in on multiple COPPA rulemaking efforts.

In COPPA, Congress expressly delegated to the FTC the ability to define key terms like “personal information”–explicitly stating that personal information is individually identifiable information, including “any … identifier that the Commission determines permits the physical or online contacting of a specific individual” (emphasis added). It also expressly delegated to the FTC the ability to determine, in regulations, when verifiable parental consent is not required under certain circumstances. Under Sec. 15 USC 6501 (2)(b)(2)(C)(ii), the FTC’s regulations shall address exceptions to parental consent, including instances “without notice to the parent in such circumstances as the Commission may determine are appropriate” (emphasis added).

Throughout the statute, COPPA empowers the agency “to fill up the statutory scheme” through regulations subject to limits that “leave the agency with flexibility” and acknowledge future changes in technology. For example, the statute states that “verifiable parental consent” mechanisms require a “reasonable effort (taking into consideration available technology).” And the FTC’s regulations are to require “reasonable” security procedures.

Much of the FTC’s current COPPA rulemaking should fall safely within the agency’s delegated boundaries. For example, the FTC proposes expanding the definition of personal information to include biometric identifiers, something which it can expressly do under the statute if the FTC determines such identifiers permit the online or physical contact of a child. And the FTC proposes strengthening data security requirements; it is required by statute to enact “reasonable” security requirements, and should have flexibility even under Loper Bright to determine what is reasonable.

Even more seemingly novel aspects of the rulemaking–such as proposals to codify an ed tech exception to parental consent–may fall within the space where the FTC was explicitly tasked with determining what was appropriate, and could otherwise fall within its delegated ambit. As mentioned above, the FTC under statute may determine when certain parental consent exceptions are appropriate. The ed tech proposed rules address a parental consent exception, and in practice some ed tech uses could fall within that explicit delegation. To the extent they may not, or other aspects of the proposed rule do not match up with an explicit reference to the “Commission’s determination” in the statutory text, the FTC is filling in the details in an area of changing technology where it was directed to prescribe rules.

Thus the FTC’s proposed rule is fairly read as appropriate gap-filling within the ambit of its authority, given the overall statutory language, the novel technology Congress was addressing in 1998, the directive to adopt regulations reflecting “current” technology, and the fact that the regulations were to be reviewed by the FTC as to their effect within 5 years after initial passage. As Loper Bright reiterates in its conclusion–the decision “is not to say that Congress cannot or does not confer discretionary authority on agencies. Congress may do so, subject to constitutional limits, and it often has.” Courts must just “independently identify and respect such delegations of authority, police the outer statutory boundaries of those delegations, and ensure that agencies exercise their discretion consistent with the APA.” COPPA can be read as conferring appropriate discretionary authority to the FTC to flexibly protect the privacy of children under 13.

This is not to say that Congress could not be even more explicit, in future statutes, that the FTC is given scope to make determinations about how to appropriately protect children’s privacy in new technology. To the contrary, if it is serious about protecting young people’s privacy, Congress should strive to be even more explicit moving forward. Specifically addressing ed tech in particular would be advisable, for numerous reasons. COPPA was passed when Chevron deference was understood to be the rule, and future laws will be passed under a different judicial regime. But there is reason to believe that COPPA can continue to protect young children, including via regulatory updates that address changing technology.

The Different Case for Teenagers

For protections for teenagers, Loper Bright may be more problematic. Right now, there is no Congressional statute that specifically protects teen privacy, or any specific FTC rule. The FTC’s ongoing Commercial Surveillance Rulemaking is explicitly considering privacy harms to teenagers. The rulemaking is based on the FTC Act’s Section 5 authority to regulate unfair and deceptive trade practices and its Section 18 authority to issue rules defining unfair and deceptive practices. This is a sweeping rulemaking that faces a number of challenges aside from Chevron deference. But given Section 5’s breadth, it is not as clear what authority has been delegated to the FTC to regulate the privacy of teenagers.

In addition, while Chevron deference has played a lesser role in FTC enforcement, the FTC has of late been relying on Section 5 to protect teenagers in its privacy and online safety enforcement actions. For example, earlier this month, in NGL Labs, the FTC and the LA District Attorney settled a case with an anonymous messaging app, with one claim being that marketing an anonymous messaging app to teens was unfair under Section 5, causing substantial injury. In a prior settlement with Epic Games, the FTC also relied on its Section 5 authority to protect teenagers, asserting that Fortnite’s default settings–such as live text-and-voice communications being on, and matching young people with strangers for playing games together, harmed children and teens who were bullied, threatened, and harassed. And, in a related administrative order, the FTC asserted that Epic’s use of dark patterns caused children and teens to make unwanted in-app purchases, again violating Section 5.

It seems likely that Loper Bright may embolden future defendants to fight settlement, or whittle down allegations, to the extent they believe the FTC’s interpretation of Section 5 as one protecting teenagers’ privacy and well-being online is likely to be questioned as overstepping the agency’s bounds by a court.

If Congress is truly interested in ensuring that teenagers are protected online, now more than ever there is a need for specific legislation that delegates authority to the FTC to protect teen privacy.

Congress’s Challenge

While there remains good reason to believe that COPPA, with updated FTC regulations, can continue to flexibly protect children’s privacy, the FTC’s ability to protect teenagers may now be substantially more limited. Congress could change this trajectory by passing future privacy laws that make explicit its delegation of authority to the FTC, including to address fast-moving technology such as artificial intelligence and whatever is next on the horizon.