The Ninth Circuit’s decision means that the case will go forward and makes clear that a private cause of action brought under state law may coexist with federal law barring the same or similar conduct.

Regulation of “persistent identifiers”

The Jones decision arises from the regulation of what are referred to as “persistent identifiers.”  The Federal Trade Commission, which enforces COPPA, defines this data as information “that can be used to recognize a user over time and across different Web sites or online services. . . . Examples include users’ Internet Protocol addresses (‘IP addresses’), numerical labels assigned to each device connected to the Internet.”  In 2013, the FTC issued regulations under COPPA that prohibit the collection of children’s “persistent identifiers” without the consent of their parents. 

The allegations against Google/YouTube

The Plaintiffs based their class action lawsuit on allegations that Google, through its ownership of YouTube, used persistent identifiers to track the online behavior of children without parental consent. The plaintiffs sought damages and injunctive relief based on claims of invasion of privacy, unjust enrichment, consumer protection violations, and unfair business practices under the state laws of California, Colorado, Indiana, Massachusetts, New Jersey and Tennessee. The parties agreed that the actions alleged in the lawsuit, if true, would violate COPPA’s requirements that online services obtain “verifiable parental consent” before collecting persistent identifiers from children. However, COPPA violations do not give rise to a private cause of action, and enforcement is limited to actions taken by the FTC.    

A federal judge in San Jose dismissed the lawsuit, finding that the plaintiffs’ state law claims were preempted by COPPA. In particular, the District Court found the class action plaintiffs “failed to allege deception beyond what is regulated by COPPA.” The plaintiffs appealed to the Ninth Circuit.

COPPA does not preempt state law causes of action

The central question facing the Ninth Circuit panel was “whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulations.” As the U.S. Supreme Court has said, “preemption” is the concept that state laws are invalid if they are found to “interfere with, or are contrary to federal law.” 

First, the Ninth Circuit panel examined what is referred to as “express preemption,” where lawmakers provide a clear statement that a certain law is intended to preempt state law. With respect to preemption, COPPA states as follows:

No State or local government may impose any liability for commercial activities or actions by operators in interstate or foreign commerce in connection with an activity or action described in this chapter that is inconsistent with the treatment of those activities or actions under this section. 

The panel found this statutory language did not express a “clear congressional intent to create an exclusive remedial scheme for enforcement of COPPA requirements.” That is, the state law remedies sought by the plaintiffs were not “an obstacle to COPPA in purpose or effect.” Further, the court found that the state law remedies were consistent with the FTC’s purposes in enforcing COPPA. 

Next, the Ninth Circuit analyzed whether “conflict preemption” warranted dismissal of the lawsuit. Conflict preemption applies when a state law conflicts with a federal statute. A state law may be preempted if it inhibits the “accomplishment of a federal objective” or makes it “impossible for private parties to comply with both state and federal law.” The Ninth Circuit found that there was no conflict preemption in this case. 

Conclusion

The Jones decision highlights the importance of understanding all laws and regulations applying to the collection and storage of data and other sensitive information. Based on the reasoning of the Ninth Circuit panel, data collectors must not only comply with COPPA but must also be aware of their potential for liability under numerous state law causes of action. In addition to having to defend this lawsuit, Google could be facing potential regulatory action brought by the FTC.   

The Jones decision underscores the importance of a robust cybersecurity plan. If you need assistance, please do not hesitate to contact any member of Constangy’s Cybersecurity and Data Privacy Team.