SCOTUS Upholds TikTok Ban: Implications for Digital Marketing and Emerging Platforms
The United States Supreme Court unanimously upheld the Protecting Americans from Foreign Adversary Controlled Applications Act (the “Act”) – more commonly referred to as the TikTok Ban – and rejected TikTok’s arguments that the Act violated the First Amendment. While the ultimate fate of TikTok’s U.S. operations remains uncertain, the Supreme Court’s ruling has clear implications for digital content and marketing professionals and their selection of platform strategies going forward.
In a per curiam opinion published today, the Supreme Court recognized its long-standing tradition of exercising caution when deciding cases that involve “new technologies with transformative capabilities[,]” and resolved the narrow question of the tension between the First Amendment and the risks associated with foreign adversary control over the collection of data from U.S. citizens. The Act makes it unlawful for any entity to provide certain services to “distribute, maintain, or update” a “foreign adversary controlled application” in the United States, and it expressly names TikTok and its parent company, ByteDance Ltd. The Supreme Court also acknowledged that the Act applies to any application that is both “(1) operated by a ‘covered company’ that is ‘controlled by a foreign adversary’” – a foreign adversary being any country subject to the reporting requirements of 10 U.S.C. § 4872, which currently includes China, Russia, Iran, and North Korea – and “(2) determined by the President to present a significant threat to the national security of the United States,” following a public notice and reporting process.
Noting the “striking bipartisan support” for the Act, the Supreme Court’s narrow decision reflects a growing concern among policymakers and courts regarding the national security implications of foreign-owned technology companies operating in the United States. Beyond the immediate impact on TikTok and its users, this ruling has broader implications for the tech industry and the relationship between the U.S. government and foreign-owned companies. It signals a willingness by the Court to uphold government restrictions on technology companies, particularly those with ties to countries considered foreign adversaries, when national security concerns can be credibly invoked. Because the Act identifies TikTok by name, TikTok is simply the first company subject to the ban; the Act also provides a broader framework that could reach other platforms operating in the United States. Indeed, the popular trend of U.S. TikTok users migrating to another Chinese app, RedNote, could very well implicate the Act.
Marketing and advertising stakeholders should particularly take note of today’s Supreme Court decision because of a challenge built into the Act: While content creators and marketers benefit from being early adopters of emerging platforms, including international platforms, the Act comes into play when an application reaches a critical mass of more than 1,000,000 monthly active users. In other words, the Act adds another layer of complexity for content creators as they consider building their presence and following on new applications. Once an application becomes sufficiently popular, it could be shut down if it is deemed controlled by a foreign adversary. Likewise, marketing and advertising agencies should more carefully scrutinize the risk that a platform could be shut down under the Act, frustrating ongoing agreements or campaigns.
New Executive Order Bolsters the Nation’s Cyber Defenses
In a significant move to bolster the United States’ cybersecurity framework, President Biden issued an executive order (EO) on 16 January 2025 titled “Strengthening and Promoting Innovation in the Nation’s Cybersecurity” days before leaving the White House. This comprehensive directive outlines measures designed to enhance the security of federal systems, improve transparency in third-party software supply chains, and leverage emerging technologies to fortify cyber defenses.
Combating Cyber Crime, Fraud, and Ransomware
The EO includes several provisions designed to address the prevalence of cybercrime, including fraud and ransomware attacks, which have been on the rise in recent years. For example, the EO addresses the use of stolen and synthetic identities in defrauding public benefits programs. It also encourages the use of digital identity documents for identity verification, provided the requirements for such documents adhere to principles of privacy and interoperability. The EO also promotes the development of “Yes/No” validation services to reduce identity fraud, allowing for privacy-preserving verification methods in which the verifier learns only whether an attribute checks out, not the underlying record.
The EO also includes specific measures aimed at countering ransomware attacks. It amends Executive Order 13694 of 1 April 2015 to block property and interests in property of persons engaged in significant malicious cyber-enabled activities, including ransomware attacks. This revision allows for the freezing of assets of individuals and entities involved in such activities, effectively creating a financial deterrent against ransomware payments.
Enhancing Third-Party Software Security and Improving Federal Systems’ Cybersecurity
The EO mandates rigorous security standards for software providers to the federal government. Within 30 days, the Office of Management and Budget, in consultation with the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency (CISA), will recommend contract language requiring software providers to submit machine-readable secure software development attestations, together with the high-level artifacts needed to validate them, in addition to the Software Bill of Materials currently required. The distinction matters in practice: an attestation is a vendor’s claim, and only the supporting artifacts (and the government’s validation of them) turn that claim into something an agency can verify. The aim is to ensure that only software developed under secure practices is used in federal systems, thereby reducing vulnerabilities.
Federal agencies are required to adopt proven security practices, including advanced identity and access management technologies. The directive emphasizes the importance of phishing-resistant authentication methods such as WebAuthn. Furthermore, CISA is tasked with developing technical capabilities to monitor threats across federal systems, which includes gaining timely access to data from agency endpoint detection and response solutions.
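The property that makes WebAuthn “phishing-resistant” is mechanical rather than procedural: the browser, not the page script, writes the origin into the signed client data and derives the relying-party (RP) identifier from it, so a credential exercised on a look-alike domain produces an assertion that the real relying party rejects. The Go program below is an added illustration and is not text or code from the executive order or from any agency guidance. The relying-party settings (example.com), the phishing origin (login-example.com) and the challenge strings are assumed values, and the authenticator is simulated with a P-256 key rather than real hardware. It registers one credential and attempts three logins: a legitimate one, one from the look-alike origin, and a replay of the legitimate assertion under a stale challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"strings"
)

// Hypothetical relying party (RP) settings, assumed for this example only.
const (
	rpID     = "example.com"
	rpOrigin = "https://example.com"
)

// clientData mirrors the CollectedClientData the browser serializes and the
// authenticator signs over; the browser, not the page script, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	authData   []byte // SHA-256(rpId) || flags || 32-bit signCount
	clientJSON []byte
	sig        []byte
}

// authenticatorData builds the 37-byte minimum: rpIdHash, flags, sign counter.
func authenticatorData(rpid string, signCount uint32) []byte {
	h := sha256.Sum256([]byte(rpid))
	out := append(h[:], 0x01) // flags: UP (user present)
	return append(out, byte(signCount>>24), byte(signCount>>16), byte(signCount>>8), byte(signCount))
}

// signedMessage is what the authenticator signs: authData || SHA-256(clientDataJSON).
func signedMessage(authData, clientJSON []byte) []byte {
	ch := sha256.Sum256(clientJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), ch[:]...))
	return m[:]
}

// sign simulates browser plus authenticator on whatever origin the user is
// actually visiting. The browser derives the RP ID from that origin, so a
// look-alike domain produces both a different origin string and rpIdHash.
func sign(key *ecdsa.PrivateKey, challenge, browserOrigin string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return assertion{}, err
	}
	ad := authenticatorData(strings.TrimPrefix(browserOrigin, "https://"), 1)
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedMessage(ad, cd))
	return assertion{authData: ad, clientJSON: cd, sig: sig}, err
}

// verify is the RP side. The origin and rpIdHash checks are what make the
// credential unusable from a phishing page; the challenge check stops replay.
func verify(pub *ecdsa.PublicKey, expectedChallenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.clientJSON, &cd); err != nil {
		return err
	}
	want := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Challenge != expectedChallenge:
		return errors.New("challenge mismatch (replay?)")
	case cd.Origin != rpOrigin:
		return errors.New("origin is not the relying party: " + cd.Origin)
	case len(a.authData) < 37:
		return errors.New("authenticator data too short")
	case string(a.authData[:32]) != string(want[:]):
		return errors.New("rpIdHash mismatch")
	case a.authData[32]&0x01 == 0:
		return errors.New("user presence flag not set")
	case !ecdsa.VerifyASN1(pub, signedMessage(a.authData, a.clientJSON), a.sig):
		return errors.New("bad signature")
	}
	return nil
}

// runScenarios registers one credential and tries three logins: legitimate,
// from a look-alike phishing origin, and a replay under a stale challenge.
func runScenarios() (legit, phished, replayed error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	good, err := sign(key, "nonce-1", rpOrigin)
	if err != nil {
		return err, err, err
	}
	bad, _ := sign(key, "nonce-1", "https://login-example.com")
	return verify(&key.PublicKey, "nonce-1", good),
		verify(&key.PublicKey, "nonce-1", bad),
		verify(&key.PublicKey, "nonce-2", good)
}
```

Only the first of the three verifications returns nil. The check order is deliberate: the cheap structural checks run before the signature is verified, and the authenticator-data length is checked before the slice is taken. A production relying party would also persist and compare the sign counter and require the UV flag when user verification was requested; both are omitted here to keep the origin-binding point in view.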
The EO directs the modernization of IT infrastructure and networks supporting federal missions, emphasizing the adoption of zero trust architectures and other advanced cybersecurity practices. It also seeks to establish minimum cybersecurity requirements for businesses, thereby raising the baseline of cybersecurity across various sectors.
This EO represents a comprehensive approach to strengthening the nation’s cybersecurity defenses. By setting stringent requirements for software providers, enhancing federal system security, and leveraging emerging technologies, the administration aims to create a more resilient cyber infrastructure. The provisions to combat ransomware by targeting the financial aspects of cybercrime demonstrate a proactive stance in addressing one of the most pressing cybersecurity threats facing the nation today.
TikTok, the Clock Won’t Stop, and Cases Involving Court Jurisdiction Narrowly Focused – SCOTUS Today
As the snow has fallen on Washington, DC’s First Street over the past few days, the Supreme Court has begun to issue opinions in the current term.
One of those cases has been in the news constantly, as it relates to a matter at issue in the recent presidential campaign that will likely get attention after the inauguration. The other two relate to federal court jurisdiction, but they are also consequential because their fact patterns are likely to be duplicated in future litigation.
While, with the advent of the new administration, things very well might change, the news today that the Court has upheld a law that could ban the social media platform TikTok this Sunday is significant not only to expressive younger Americans (perhaps your children and mine) but also as a matter of national security.
In a per curiam opinion in TikTok, Inc. v. Garland, the Court noted the following:
There is no doubt that, for more than 170 million Americans, TikTok offers a distinctive and expansive outlet for expression, means of engagement, and source of community. . . . But Congress has determined that divestiture is necessary to address its well-supported national security concerns regarding TikTok’s data collection practices and relationship with a foreign adversary.
And the Court has sided with Congress. Accordingly, TikTok either must divest or shut down the app this Sunday, January 19, as of which date, “the Protecting Americans from Foreign Adversary Controlled Applications Act [the “Act”] will make it unlawful for companies in the United States to provide services to distribute, maintain, or update the social media platform TikTok, unless U.S. operation of the platform is severed from Chinese control.”
The petitioners are two TikTok operating entities and a group of U.S. TikTok users who claimed that the Act, as applied to them, violates the First Amendment. The Court acknowledged that the case could be considered more of a regulation as to a foreign government adversary’s corporate ownership than as a matter of speech. Thus, the Court holds that “a law targeting a foreign adversary’s control over a communications platform is in many ways different in kind from the regulations of non-expressive activity that we have subjected to First Amendment scrutiny.” Those differences include “the Act’s focus on a foreign government [and] the congressionally determined adversary relationship between that foreign government and the United States. . . .” However, “[t]his Court has not articulated a clear framework for determining whether a regulation of non-expressive activity that disproportionately burdens those engaged in expressive activity triggers heightened review. We need not do so here. We assume without deciding that the challenged provisions fall within this category and are subject to First Amendment scrutiny.”
The Court goes on to set forth a primer on the conditions precedent for considering governmental action that arguably suppresses speech. “Content-based laws—those that target speech based on its communicative content—are presumptively unconstitutional and may be justified only if the government proves that they are narrowly tailored to serve compelling state interests.” Reed v. Town of Gilbert, 576 U.S. 155, 163 (2015). Content-neutral laws, in contrast, “are subject to an intermediate level of scrutiny because in most cases they pose a less substantial risk of excising certain ideas or viewpoints from the public dialogue.” Turner Broadcasting System, Inc. v. FCC, 512 U.S. 622, 642 (1994) (citation omitted). “Under that standard, we will sustain a content-neutral law ‘if it advances important governmental interests unrelated to the suppression of free speech and does not burden substantially more speech than necessary to further those interests.’” Turner Broadcasting System, Inc. v. FCC, 520 U.S. 180, 189 (1997).
“As applied to petitioners, the challenged provisions are facially content neutral and are justified by a content-neutral rationale.” Noting that the Act in question is “designed to prevent China—a designated foreign adversary—from leveraging its control over ByteDance Ltd. to capture the personal data of U.S. TikTok users,” which “qualifies as an important Government interest under intermediate scrutiny,” the Court held that this standard, including its narrow focus, justified the divestiture requirement at issue.
Justice Sotomayor and Justice Gorsuch concurred in the result. Justice Gorsuch’s caveat, expressing satisfaction that the Court did not consider evidence available to it but not to the petitioners, is noteworthy. That is a potential issue in many national security-related cases.
Labor law practitioners who read this blog will be particularly interested in the Court’s unanimous opinion in E.M.D. Sales, Inc. v. Carrera. The case concerns the application of the Fair Labor Standards Act (FLSA), guaranteeing a federal minimum wage for covered workers, 29 U. S. C. §206(a)(1), and requiring overtime pay for those working more than 40 hours per week, §207(a)(1). There are, however, many employees who are exempt from the FLSA’s overtime-pay requirement, e.g., salesmen who primarily work away from their employer’s place of business. §213(a)(1). The application of that exemption places the burden on the employer to show that it applies. Here, EMD, a Washington, DC-area food distributor, faced overtime claims by certain sales representatives who manage inventory and take orders at grocery stores. Several sales representatives sued EMD, alleging that the company violated the FLSA by failing to pay them overtime.
At trial, the U.S. District Court for the District of Maryland held that EMD failed to prove by “clear and convincing evidence” that its sales reps were “outside salesmen.” The U.S. Court of Appeals for the Fourth Circuit affirmed. EMD argued that the sales representatives were outside salesmen and, therefore, exempt from the FLSA’s overtime-pay requirement and that the District Court should have used the less stringent “preponderance of the evidence” standard.
The Supreme Court agreed, holding that the preponderance-of-the-evidence standard applies when an employer seeks to demonstrate that an employee is exempt from the minimum wage and overtime pay provisions of the FLSA. Noting that at the time of enactment of the FLSA in 1938, and continuing to the present, the preponderance standard is the default mode in American civil litigation, the Court held in favor of EMD.
There are three main circumstances in which a more stringent standard might apply: (1) where a statute requires it, (2) where the Constitution requires it, and (3) where coercive governmental action is present. None of those is present here. Moreover, in a related area to the case at bar, employment discrimination, the preponderance standard has consistently been applied. Additionally, the Court rejected the notion that the non-waivability of FLSA rights is material to what standard of proof applies.
Ultimately, the remedy applied by the Court is a limited one. In reversing the decision, the Court simply remands the case to the Court of Appeals to determine whether employees would fail to qualify as outside salesmen even under a preponderance standard.
In a case decided two days ago, Royal Canin U.S.A. Inc. v. Wullschleger, the Court dealt with a consumer claim that the manufacturer of a brand of dog food (full disclosure: my dog loves the Golden Retriever variety) had engaged in deceptive marketing practices. The consumer’s original claim, filed in state court, asserted both federal and state law violations. Royal Canin removed the case to federal court pursuant to 28 U.S.C. §1441(a). The plaintiff, Anastasia Wullschleger, wanted the case to be resolved in state court, so she amended her complaint to remove any mention of federal law and petitioned the district court for a remand to state court, which the court denied. However, the Eighth Circuit reversed, and a unanimous Supreme Court, per Justice Kavanaugh, affirmed, holding that “[w]hen a plaintiff amends her complaint to delete the federal-law claims that enabled removal to federal court, leaving only state-law claims behind, the federal court loses supplemental jurisdiction over the state claims, and the case must be remanded to state court.”
Thus, the Court has begun to issue new opinions, at least one of which is going to resound loudly on the domestic political scene.
FDA Revokes Authorization for the Use of Red Dye No. 3 in Food and Ingestible Drugs
On 15 January 2025, the US Food and Drug Administration (FDA) announced that it will revoke the color additive authorization for use of FD&C Red No. 3 in food (including dietary supplements) and ingestible drugs. This ban responds to a 2022 color additive petition submitted by several interested parties and filed by FDA in 2023.
In support of the revocation, FDA is relying on the Delaney Clause of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. § 379e(b)(5)(B)), which requires FDA to ban color additives that are found to cause or induce cancer in humans or animals. Specifically, FDA is invoking the Delaney clause as a result of data that shows FD&C Red No. 3 causes cancer in male rats via a sex- and species-specific hormonal mechanism. In fact, according to the preamble of the final rule, “the carcinogenicity of FD&C Red No. 3 was not observed when tested in other animals including female rats and either sex of mice, gerbils, or dogs.” In other words, there is no demonstrable link between consumption of the food additive and cancer in any animal other than male rats, and most importantly, between consumption of the food additive and cancer in humans. The Delaney clause nevertheless requires the revocation of the clearance for FD&C Red No. 3 based on the male rat carcinogenicity data.
Food manufacturers will have until 15 January 2027 to reformulate products containing FD&C Red No. 3, whereas drug producers will have until 18 January 2028. California’s ban on FD&C Red No. 3 in food (along with three other additives) under AB 418 goes into effect a few weeks before FDA’s ban, on 1 January 2027.
Hold Your Horses – Cannabis Rescheduling Hearings Stayed, Pending Appeal
In the latest development on the road to rescheduling cannabis from Schedule I to Schedule III under the Controlled Substances Act (“CSA”), on January 13, 2025, in In the Matter of Schedules of Controlled Substances: Proposed Rescheduling of Marijuana, DEA Docket No. 1362, Hearing Docket No. 24-44, Chief Administrative Law Judge (“ALJ”) John Mulrooney cancelled the January 21, 2025 hearing on the merits of the Drug Enforcement Administration’s (“DEA”) proposal to reschedule cannabis from Schedule I to Schedule III.
After the ALJ denied a request by two private movants (the “Movants”) to remove the DEA from its role as proponent of the proposed reclassification rule, the Movants moved for reconsideration of that denial. On January 13, 2025, ALJ Mulrooney (i) denied the motion for reconsideration but (ii) granted the Movants leave to file an interlocutory appeal of his refusal to remove the DEA as proponent of the reclassification. While this Order opens the door, on appeal, to a private actor potentially replacing the DEA as proponent of the reclassification, the January 13 Order will surely cause further delay in the rescheduling process, as evidenced by ALJ Mulrooney’s order that the Movants and the Government provide a joint status update 90 days from the issuance of the Order and every 90 days thereafter.
For those hoping that cannabis would be reclassified before the Trump administration enters office, this is a major disappointment. For those who have been paying attention, this is no surprise, and more of the same.
In a constantly evolving and still very nascent industry like cannabis, one truth has remained: it is a fool’s errand to try to predict if, when, and how regulatory changes and developments will occur at the federal level. For years, the same questions have been floated and discussed among advisors, operators, and investors in the cannabis industry: “When will cannabis be legalized?” “When will the SAFE Act pass?” “Surely Congress will do something, right?”
Federal action is largely a matter of legislative and regulatory priorities (or, as we have seen, the lack thereof). Folks can talk and pontificate all they want, but the reality has remained the same: the States (39 of which have already passed laws allowing medical marijuana use) are left to fend for themselves, as are the businesses trying to operate with one (if not both) arms tied behind their backs.
When President Biden asked the U.S. Department of Health and Human Services (“HHS”) in October 2022 to “initiate the administrative process to review expeditiously how marijuana is scheduled under federal law,” there was tepid excitement. Hey – the White House is asking HHS to look into this… progress! Then, in August 2023, HHS recommended to the DEA that cannabis be reclassified from Schedule I to Schedule III under the CSA. At that point, industry participants started to cautiously buy in – maybe, just maybe, this would be the time something actually happened. After all, for business operators, reclassification to Schedule III under the CSA would have potentially huge implications, potentially rendering §280E of the tax code inapplicable to cannabis businesses and opening the door for them to deduct ordinary business expenses like any other business complying with its state and local laws. And yet, here we are, almost two and a half years later, and the industry is still hoping for change at the federal level.
For operators and investors alike, the reality is simple. Now is not the time to focus on what could happen – or what we hope will happen – at the federal level. Industry participants must continue to focus on what they control: increasing operational efficiency to achieve and maintain profitability.
California Wildfires—Insurance Tips for Policyholders
The recent wildfires in California have clearly had a catastrophic impact, destroying a vast number of homes and business premises across the region. Homeowners and businesses may have limited means to protect against nature’s forces, but, in this alert, we provide tips on steps that can be taken to protect against denials of coverage by insurers. Careful and proactive attention to insurance coverage considerations could be the key to restoring homes and business operations and weathering the financial storms that follow from such disastrous events.
Potentially Relevant Insurance Policies
It is vital for affected homeowners and businesses to review all relevant or potentially relevant insurance policies promptly, including excess-layer policies, and to comply with loss notification procedures. The most common source of coverage for most individuals and businesses is likely to be first-party property coverage insuring the damaged premises and other assets, including against the risk of fire, smoke, and related damage. In many cases, this insurance will be supplemented by specialty coverages that apply to specific situations.
For businesses, the coverage will typically include the following:
Property damage, covering loss of or damage to the business premises and assets, including computers and machinery.
Business interruption (BI) where the business experiences loss of earnings or revenue due to property damage or loss of use caused by an insured peril, for a specified period of time after the insured event or until normal business operations have been resumed.
Contingent BI which generally covers loss of revenue arising from damage to the property of a supplier, customer, or other business partner.
Denial of access, where use or access to the insured property is prevented or restricted for a specific period of time, for example, if roads or bridges leading to the property have been blocked or destroyed.
Civil authority coverage, which covers losses arising from an order made by a civil or government authority that interferes with normal business operations.
Service interruption coverage, which typically covers the insured for losses related to electricity or interruption of other utilities or supplies.
Extra expense incurred to enable business operations to be resumed or to mitigate other losses.
When presenting an insurance claim, it is important that policy provisions are considered against the backdrop of potentially applicable insurance coverage law to ensure that the policyholder is taking the steps necessary to maximize coverage. Many property policies are written on an “all risks” basis, but there will typically be exclusions, sublimits, or restrictions applicable to certain perils or circumstances. Some coverages may be subject to different policy limits and policy deductibles that impact the amount of coverage available. A proper analysis of the policy wording is vital to enable the insured to take full advantage of the coverage provided.
Practical Tips to Maximize Coverage
There are several steps policyholders should consider when making an insurance claim arising from natural disasters like the California fires:
Be Proactive in Notifying Insurers
Most policies identify specific procedures to be followed in presenting a claim, and there are likely to be timing deadlines associated with them. Failure to comply may result in insurers seeking to restrict or deny coverage for a claim otherwise covered by the policy. Policyholders should carefully consider any notice requirements, including any clause allowing for notice of a loss or an event that may or is likely to give rise to a claim. Prompt notification may assist policyholders in securing early access to loss mitigation resources and related coverages.
Early Assessment of Coverage
There are significant benefits in evaluating coverage at an early stage to understand any issues that may impact the way in which the claim is presented. Consultation with experienced coverage lawyers will assist in identifying and analyzing responsive policies as well as anticipating coverage issues or exclusions insurers might seek to rely upon.
Collate and Preserve Relevant Documents
Insurers typically require proof of loss and damage along with extensive supporting documentation. It is critical to take steps early on to ensure that potentially relevant documents and electronic records are located and preserved. In particular, insurers may argue that some part of the revenue loss is attributable to other causes, such as poor business decisions or economic downturn, such that historical records often must be examined and relied upon.
Preparation of Proof of Loss
The preparation of a detailed inventory and proof of loss is a time-consuming and challenging process but can prove invaluable in seeking to challenge any settlement offers made by the insurers or any loss adjustors appointed on their behalf. Many commercial policies include claim preparation coverage, which covers costs associated with compiling a detailed claim submission. The appointment of independent loss assessors or forensic accountants can prove particularly beneficial for collating BI losses, which are often challenged by insurers. For example, insurers may adopt a narrow view of what constitutes “interruption” to the business, particularly where certain business activities are ongoing.
Advance Payments
Any delays by insurers in making appropriate and periodic payments will delay the rebuilding of premises and the resumption of business operations. Insureds should consider requests for interim or advance payments, prior to completion of the loss adjustment process, particularly if the policy expressly provides for this.
Evaluating and Challenging Insurer Positions
The validity of any coverage defenses or limitations raised by insurers will be impacted by the precise wording of the insurance contract and by the applicable governing law. Experienced coverage counsel will be able to assist an insured in assessing the merit and viability of any coverage issues raised by insurers, or by their appointed loss adjusters, and in maximizing the insured’s potential recovery.
TikTok Ban Upheld By SCOTUS– Is TCR Next?
So the US Supreme Court today upheld a law requiring that abysmal TikTok app either be sold or face a nationwide ban.
The basis for the law is TikTok’s foreign ownership and the massive amount of data available to the Chinese government as a result.
I’m a huge fan of the ban, but mostly because I’m a geezer that thinks kids these days spend too much time staring at their phones.
Still, the national security concerns are very legitimate and resonate well beyond TikTok– for instance The Campaign Registry is still tracking most every 10DLC SMS campaign in the country and is still foreign owned.
I suspect new FCC Chairman Carr–with his focus on national security– and Olivia Trusty (Trump’s new FCC pick) will take a very dim view of TCR’s foreign ownership and I suspect a similar sale or ban ruling may be in the cards.
We’ll see.
SHE BELONGS!: Trump’s New FCC Pick Olivia Trusty Appears Incredibly Well Qualified– and Even Had a Hand Drafting the TRACED Act
Usually when there is a nomination to the FCC the individual nominated is at least somewhat within the Czar’s orbit.
Truthfully, Ms. Trusty is not. Other than being connected on LinkedIn–not even sure how that happened– I don’t recall running across Ms. Trusty, but her career as a Congressional staffer appears to have been quite impactful (impressive.)
Some quick notes about her background.
She’s an athlete–love that– and was a member of the Tar Heels gymnastics team back in the early 2000s. (She was even the “Gymnast of the Week” back in January, 2004.)
Her passion for athletics undoubtedly led her to assist with the EMPOWERING OLYMPIC AND AMATEUR ATHLETES ACT OF 2019, where she had a significant role assisting Senator Wicker in moving the bill forward. The bill arose following the conviction of Dr. Nassar, who had abused Olympians, and resulted in 18 months of interviews with athlete survivors and 4 subcommittee hearings before the law emerged.
Nearer and dearer to TCPAWorld readers’ hearts–Trusty was on the team that developed the TRACED Act.
As we reported a while back, Senator Thune–who is credited as one of the chief architects of the Traced Act–is now the ranking Republican in the Senate. I do not view it as a coincidence that Trusty now finds herself headed to the FCC after helping to craft that statute–which is easily the most impactful telecom law to pass in a decade.
In the words of Thune himself, Ms. Trusty “worked tirelessly to help develop and advance [the TRACED Act.]”
So.. yeah. Trusty knows her way around the TCPA.
And that is no surprise since she was the Republican policy director for the Senate Commerce, Science and Transportation Committee’s Communications, Media and Broadband Subcommittee (Jan. 2019- Dec. 2022). That’s just the Subcommittee with jurisdiction over all sectors of communications, including phone calls and the internet.
And then before that was a senior consultant in Verizon’s Government Relations team and a Senior Policy Representative for Qwest Communications.
So… yeah.
Trusty feels like a no-brainer. But there’s even more to her background that is interesting.
Check out this bullet point on her resume:
Senate Armed Services Committee Cybersecurity Subcommittee (Jan. 2023-), Staff Lead, Republican
Yeah. She helped lead the subcommittee on cybersecurity. And now she’s teaming up with Chairman Carr, who has stated a key focus of the FCC should be national security. (I wonder how she’s going to feel about foreign-owned TCR collecting all that data about American text practices?)
And no surprise, Trusty also had a hand in crafting the National Defense Authorization Act, addressing a broad range of issues, from strategic competition with China and Russia to countering threats from Iran, North Korea and violent extremists. Most importantly, the bill authorized record level investments in key technologies– including artificial intelligence.
Trusty is also exceptionally well traveled. According to the Congressional Foreign Travel Financial Reports Ms. Trusty has visited Australia, New Zealand, Switzerland, Argentina, Chile, Egypt, Jordan, Singapore, Japan, South Korea, Taiwan and Israel in just the last couple of years–probably in furtherance of her efforts supporting the Senate Armed Services committee.
So yeah.
Trusty Trusty (as you can expect to hear me call her from now on) is a VERY solid candidate. But also the sort of institutionalist I am surprised (but glad) Trump went with.
I am impressed. Top to bottom. Look forward to working with her office, assuming she is formally nominated and approved, which seems very likely given her background and the Senate composition.
(Special thanks to our new clerk Gabby for the great investigation work here. Nice job!)
CFPB Issues Order for Financial Data Exchange to Issue Standards under CFPB’s Personal Financial Data Rights Rule
On January 8, 2025, the Consumer Financial Protection Bureau (CFPB) issued an order recognizing Financial Data Exchange, Inc. (FDX) as a standard-setting body under the CFPB’s Personal Financial Data Rights rule. The order of recognition is the first to be issued under the rule. The Personal Financial Data Rights rule, released in October 2024, requires financial institutions, credit card issuers, and other financial providers to unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request for free. The CFPB established a formal application process outlining the qualifications to become a recognized industry standard-setting body, which can issue standards that companies can use to help them comply with the CFPB’s rules. The CFPB also issued updated procedures for companies seeking special regulatory treatment, such as through “no-action letters.”
FDX is a standard-setting organization operating in the United States and Canada. It has over 200 member organizations, including depository and non-depository commercial entities, data providers and recipients, data aggregators, service providers to open banking participants, trade and industry organizations, and other non-commercial members, including consumer groups. FDX’s stated primary purpose is to develop, improve and maintain a common, interoperable standard for secure consumer and business access to financial records.
In September 2024, the CFPB received the application for recognition from FDX. CFPB published the application from FDX for public comment later that month. The application was then the first to be published for public comment.
The CFPB approved the application, subject to several conditions. In June 2024, the CFPB finalized a rule outlining the qualifications to become a recognized industry standard-setting body. The rule issued in June identifies the five key qualifications that standard-setting bodies must demonstrate to be recognized by the CFPB, including openness, transparency, balanced decision-making, consensus, and due process and appeals.
The order recognizes FDX as an industry standard-setting body for five years. The CFPB continues to evaluate other applications for recognition.
Breaking News: U.S. Supreme Court Upholds TikTok Ban Law
On January 17, 2024, the Supreme Court of the United States (“SCOTUS”) unanimously upheld the Protecting Americans from Foreign Adversary Controlled Applications Act (the “Act”), which restricts companies from making foreign adversary controlled applications available (i.e., on an app store) and from providing hosting services with respect to such apps. The Act does not apply to covered applications for which a qualified divestiture is executed.
The result of this ruling is that TikTok, an app which is owned by Chinese company ByteDance and qualifies as a foreign adversary controlled application under the Act, will face a ban when the law enters into effect on January 19, 2025. To continue operations in the United States in compliance with the Act, the law requires that ByteDance sell the U.S. arm of the company such that it is no longer controlled by a company in a foreign adversary country. In the absence of a divestiture, U.S. companies that make the app available or provide hosting services for the app will face enforcement under the Act.
It remains to be seen how the Act will be enforced in light of the upcoming changes to the U.S. administration. TikTok has 170 million users in the United States.
Transferring U.S. Data Overseas? Consider Whether the DOJ’s Bulk Data Regulations or PADFA May Apply to Your Organization
Though attempts to pass comprehensive federal consumer privacy legislation again stalled in 2024, efforts targeted at addressing national security-related privacy concerns had more success. Along with the Protecting Americans from Foreign Adversary Controlled Applications Act, Congress passed the Protecting Americans’ Data from Foreign Adversaries Act (“PADFA”) as part of a sweeping foreign aid bill, which was subsequently signed into law by President Biden on April 23, 2024. PADFA, which went into effect on June 24, 2024, followed President Biden’s Feb. 2024 Executive Order 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (“EO”), under which the Department of Justice was directed to establish and implement regulations (initially reported by SPB here). The DOJ’s rulemaking process, which began in late fall of last year, culminated in the issuance of a final rule (“Bulk Data Regs”) on December 27, 2024, and publication of the same in the Federal Register on January 4, 2025. The Bulk Data Regs largely become effective 90 days after publication in the Federal Register, on April 4, with certain provisions going into effect 270 days following publication.
Below, we provide a discussion of various key aspects of PADFA and the Bulk Data Regs and key considerations to bear in mind, including with respect to the scope of application, covered data, service provider/vendor transfers, security requirements, downstream transfer and diligence obligations, and important exemptions provided under each. Further below, we provide a table for handy reference with select definitions and information from each legal regime.
At first blush, given their focus on national security and sensitive data, PADFA and the Bulk Data Regs would appear to apply to a limited slice of companies in the U.S. that do business with certain foreign adversaries or countries of concern, or persons or companies related to them. However, upon a deeper look, these regimes provide extremely broad definitions of “sensitive” data and offer potential applicability to any U.S. business transferring data overseas (the Bulk Data Regs in particular), including multi-national companies that transfer data between and among affiliated companies throughout the world. As a result, U.S.-based and multi-national companies that do business or transfer U.S. data overseas, whether to adversarial countries like China and Russia or elsewhere, should carefully review PADFA and the Bulk Data Regs to understand whether and to what extent these legal regimes may apply to their organizations.
If you have any questions, please reach out to the author or your SPB relationship partner.
Scope of Application
PADFA only applies to “data brokers” that transfer “personally identifiable sensitive data” to certain foreign adversaries or persons located in, or controlled by, foreign adversaries, namely China, Russia, Iran, and North Korea. The Bulk Data Regs potentially apply to any U.S. entity that transfers “government-related data” or “bulk” “sensitive personal data” overseas, including other than to countries of concern or “covered persons.” A “covered person” under the Bulk Data Regs includes a foreign entity that is 50% owned, directly or indirectly, by an entity that is organized/chartered under the laws of, or has a principal place of business in, a country of concern. (This definition is broader and more nuanced but squarely covers entities that are majority-owned by individuals/entities in China or other countries of concern. See table below.) The Bulk Data Regs’ countries of concern consist of China (incl. Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.
Under PADFA, “data broker” is provided a similar definition to those found under U.S. state data broker laws, covering entities that collect and sell or otherwise make available data regarding individuals from whom the entity did not collect directly (see the table below for the definition). On the other hand, the Bulk Data Regs’ concept of “data brokerage” focuses on the lack of a direct relationship between the data subject and the entity receiving the data from the U.S. entity.
Covered Data
Both PADFA and the Bulk Data Regs are incredibly far-reaching when it comes to their respective covered data definitions, providing “sensitive” data terms that are much broader than those found in state consumer privacy laws. As to the Bulk Data Regs’ “sensitive personal data”, certain thresholds must be met (e.g., 1,000 devices for precise geolocation data, 100,000 individuals for “covered identifiers”) to invoke its requirements, which may serve to exclude from its scope companies making incidental transfers of certain sensitive data. However, it is worth noting that the definition of “bulk” is somewhat contrary to the common notion of the term since, for some types of data, the threshold is quite low (e.g., 1,000 data subjects for precise geo, biometric, and human ‘omic data). In any event, the thresholds may not help companies in data-intensive industries such as advertising technology in avoiding the reach of the Bulk Data Regs. The Bulk Data Regs’ thresholds do not apply to “government-related data” such that any transfer of such data to countries of concern or covered persons falls within its scope.
Transfers to Service Providers and Vendors; Security Requirements
PADFA exempts transfers to “service providers” from its scope of restricted transfer. The definition of “service provider” includes entities that would typically qualify as service providers and processors under other legal schemes, namely entities that receive data from or on behalf of a data controller and that collect, process, or transfer data on behalf of, and at the direction of, the data controller (provided that the data controller is not a foreign adversary country or controlled by a foreign adversary country) (see the service provider definition in the “exemptions” section of the table below).
The Bulk Data Regs explicitly prohibit transfers of certain data made pursuant to “vendor agreements,” subject to an exemption where the U.S. entity imposes specific security requirements on the vendor. Notably, this exemption does not apply to transfers of bulk “human ‘omic data”. The security requirements exemption also applies to covered data transactions involving employment agreements and investment agreements. The applicable security requirements were promulgated in parallel by the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), which is part of the U.S. Department of Homeland Security. PADFA does not require entities to impose security requirements on service providers.
Downstream Transfer and Diligence Obligations
In addition to the restrictions on certain transfers to countries of concern and covered persons, the Bulk Data Regs require U.S. entities to contractually restrict “foreign person”-recipients of covered data in “data brokerage” transactions from transferring such data to countries of concern and covered persons, and to implement a diligence and reporting program for violations of recipients’ obligations. As a result, this aspect of the Bulk Data Regs may impose compliance obligations, including ongoing diligence on overseas data transfers, on a broad swath of U.S. entities, even if they do not do business with countries of concern or covered persons. PADFA does not impose similar obligations.
Exemptions
The Bulk Data Regs provide a number of exemptions for various transactions or transfers, including those related to official business of the U.S. government; transactions “ordinarily incident to and part of the provision of financial services”; corporate group transactions; “Transactions required or authorized by Federal law or international agreements, or necessary for compliance with Federal law”; “investment agreements subject to a CFIUS action”; and transactions “ordinarily incident to and part of the provision of telecommunications services”. While many of these exemptions may necessitate a deeper look for various companies, U.S. companies that are subsidiaries of companies in China or other countries of concern, or U.S. companies that otherwise have affiliates in such countries, should carefully consider the corporate group transaction exemption. This provision exempts from much of the regulations’ scope data transactions between U.S. entities and subsidiaries or affiliates located in or otherwise subject to the ownership, direction, jurisdiction, or control of a country of concern and that are ordinarily incident to and part of administrative or ancillary business operations (including HR, payroll and other corporate financial activities, sharing data with advisors for regulatory compliance, business travel, employee benefits, and employee communications).
PADFA does not have similar exemptions, though there are a number of activities that exclude entities from the definition of data broker, including transfers to service providers as discussed above, as well as data-level exemptions such as those for certain publicly available information. These are laid out further in the table below.
Key Concepts and Definitions (Bulk Data Regs vs. PADFA, compared topic by topic)
Prohibited Activities
Bulk Data Regs: The Bulk Data Regs make it illegal to knowingly engage in a covered data transaction involving data brokerage with a country of concern or covered person.
Covered Data Transaction
A covered data transaction is any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves:
(1) Data brokerage;
(2) A vendor agreement;
(3) An employment agreement; or
(4) An investment agreement.
PADFA: Under PADFA, it is unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, provide access to, or otherwise make available personally identifiable sensitive data of a United States individual to (1) any foreign adversary country; or (2) any entity that is controlled by a foreign adversary.
Data Broker Definition
Bulk Data Regs: “Data brokerage” means the sale of data, licensing of access to data, or similar commercial transactions, excluding an employment agreement, investment agreement, or a vendor agreement, involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data. (There is no definition of “data broker.”)
PADFA: A “data broker” is defined as an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider.
Covered Data
Bulk Data Regs: The Bulk Data Regs regulate covered transactions involving government-related data and bulk sensitive personal data.
Government-Related Data
(1) Any precise geolocation data, regardless of volume, for any location enumerated on the “Government-Related Location Data List” in the Bulk Data Regs.
(2) Any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States Government, including the military and Intelligence Community.
Sensitive Personal Data
The term sensitive personal data means covered personal identifiers, precise geolocation data, biometric identifiers, human ‘omic data, personal health data, personal financial data, or any combination thereof.
Covered Personal Identifiers
The term covered personal identifiers means any listed identifier: (1) In combination with any other listed identifier; or (2) In combination with other data that is disclosed by a transacting party pursuant to the transaction such that the listed identifier is linked or linkable to other listed identifiers or to other sensitive personal data. (b) Exclusion. The term covered personal identifiers excludes: (1) Demographic or contact data that is linked only to other demographic or contact data (such as first and last name, birthplace, ZIP code, residential street or postal address, phone number, and email address and similar public account identifiers); and (2) A network-based identifier, account-authentication data, or call-detail data that is linked only to other network-based identifier, account-authentication data, or call detail data as necessary for the provision of telecommunications, networking, or similar service.
Listed Identifier
The term listed identifier means any piece of data in any of the following data fields: (a) Full or truncated government identification or account number (such as a Social Security number, driver’s license or State identification number, passport number, or Alien Registration Number); (b) Full financial account numbers or personal identification numbers associated with a financial institution or financial-services company; (c) Device-based or hardware-based identifier (such as International Mobile Equipment Identity (“IMEI”), Media Access Control (“MAC”) address, or Subscriber Identity Module (“SIM”) card number); (d) Demographic or contact data (such as first and last name, birth date, birthplace, ZIP code, residential street or postal address, phone number, email address, or similar public account identifiers); (e) Advertising identifier (such as Google Advertising ID, Apple ID for Advertisers, or other mobile advertising ID (“MAID”)); (f) Account-authentication data (such as account username, account password, or an answer to security questions); (g) Network-based identifier (such as Internet Protocol (“IP”) address or cookie data); or (h) Call-detail data (such as Customer Proprietary Network Information (“CPNI”)).
Personal Financial Data
The term personal financial data means data about an individual’s credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities, debts, or trades in a securities portfolio; or data in a credit report or in a “consumer report” (as defined in 15 U.S.C. 1681a(d)).
Personal Health Data
The term personal health data means health information that indicates, reveals, or describes the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual. This term includes basic physical measurements and health attributes (such as bodily functions, height and weight, vital signs, symptoms, and allergies); social, psychological, behavioral, and medical diagnostic, intervention, and treatment history; test results; logs of exercise habits; immunization data; data on reproductive and sexual health; and data on the use or purchase of prescribed medications.
Human ‘Omic Data
The term human ‘omic data means human genomic data, human epigenomic data, human proteomic data, and human transcriptomic data, but excludes pathogen-specific data embedded in human ‘omic data sets.
Bulk
The term bulk means any amount of sensitive personal data that meets or exceeds the following thresholds at any point in the preceding 12 months, whether through a single covered data transaction or aggregated across covered data transactions involving the same U.S. person and the same foreign person or covered person:
(a) Human ‘omic data collected about or maintained on more than 1,000 U.S. persons, or, in the case of human genomic data, more than 100 U.S. persons;
(b) Biometric identifiers collected about or maintained on more than 1,000 U.S. persons;
(c) Precise geolocation data collected about or maintained on more than 1,000 U.S. devices;
(d) Personal health data collected about or maintained on more than 10,000 U.S. persons;
(e) Personal financial data collected about or maintained on more than 10,000 U.S. persons;
(f) Covered personal identifiers collected about or maintained on more than 100,000 U.S. persons; or
(g) Combined data, meaning any collection or set of data that contains more than one of the categories in paragraphs (a) through (g) of this section, or that contains any listed identifier linked to categories in paragraphs (a) through (e) of this section, where any individual data type meets the threshold number of persons or devices collected or maintained in the aggregate for the lowest number of U.S. persons or U.S. devices in that category of data.
Exclusions
The term sensitive personal data, and each of the categories of sensitive personal data, excludes: (1) Public or nonpublic data that does not relate to an individual, including such data that meets the definition of a “trade secret” (as defined in 18 U.S.C. 1839(3)) or “proprietary information” (as defined in 50 U.S.C. 1708(d)(7)); (2) Data that is, at the time of the transaction, lawfully available to the public from a Federal, State, or local government record (such as court records) or in widely distributed media (such as sources that are generally available to the public through unrestricted and open-access repositories); (3) Personal communications; and (4) Information or informational materials and ordinarily associated metadata or metadata reasonably necessary to enable the transmission or dissemination of such information or informational materials.
PADFA:
(5) Personally identifiable sensitive data. The term “personally identifiable sensitive data” means any sensitive data that identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual. This is much broader than the Bulk Data Regs, in part because it does not require a certain volume of data.
(7) Sensitive data. The term “sensitive data” includes the following:
• (A) A government-issued identifier, such as a Social Security number, passport number, or driver’s license number.
• (B) Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of an individual.
• (C) A financial account number, debit card number, credit card number, or information that describes or reveals the income level or bank account balances of an individual.
• (D) Biometric information.
• (E) Genetic information.
• (F) Precise geolocation information.
• (G) An individual’s private communications such as voicemails, emails, texts, direct messages, mail, voice communications, and video communications, or information identifying the parties to such communications or pertaining to the transmission of such communications, including telephone numbers called, telephone numbers from which calls were placed, the time calls were made, call duration, and location information of the parties to the call.
• (H) Account or device log-in credentials, or security or access codes for an account or device.
• (I) Information identifying the sexual behavior of an individual.
• (J) Calendar information, address book information, phone or text logs, photos, audio recordings, or videos, maintained for private use by an individual, regardless of whether such information is stored on the individual’s device or is accessible from that device and is backed up in a separate location.
• (K) A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.
• (L) Information revealing the video content requested or selected by an individual.
• (M) Information about an individual under the age of 17.
• (O) Information identifying an individual’s online activities over time and across websites or online services.
• (P) Information that reveals the status of an individual as a member of the Armed Forces.
• (Q) Any other data that a data broker sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available to a foreign adversary country, or entity that is controlled by a foreign adversary, for the purpose of identifying the types of data listed in subparagraphs (A) through (P).
Covered Data Recipients
Bulk Data Regs: The term covered person means:
(1) A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more countries of concern or persons described in paragraph (a)(2) of this section; or that is organized or chartered under the laws of, or has its principal place of business in, a country of concern;
(2) A foreign person that is an entity that is 50% or more owned, directly or indirectly, individually or in the aggregate, by one or more persons described in paragraphs (a)(1), (3), (4), or (5) of this section;
(3) A foreign person that is an individual who is an employee or contractor of a country of concern or of an entity described in paragraphs (a)(1), (2), or (5) of this section;
(4) A foreign person that is an individual who is primarily a resident in the territorial jurisdiction of a country of concern; or
(5) Any person, wherever located, determined by the Attorney General: (i) To be, to have been, or to be likely to become owned or controlled by or subject to the jurisdiction or direction of a country of concern or covered person; (ii) To act, to have acted or purported to act, or to be likely to act for or on behalf of a country of concern or covered person; or (iii) To have knowingly caused or directed, or to be likely to knowingly cause or direct a violation of this part.
Countries of concern = China (incl. Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.
“Person” means an individual or entity.
“Foreign person” means any person that is not a U.S. person.
“U.S. person” means any United States citizen, national, or lawful permanent resident; any individual admitted to the United States as a refugee under 8 U.S.C. 1157 or granted asylum under 8 U.S.C. 1158; any entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches); or any person in the United States.
PADFA: “Foreign adversary” = China, Russia, Iran, and North Korea.
The term “controlled by a foreign adversary” means, with respect to an individual or entity, that such individual or entity is (A) a foreign person that is domiciled in, is headquartered in, has its principal place of business in, or is organized under the laws of a foreign adversary country; (B) an entity with respect to which a foreign person or combination of foreign persons described in subparagraph (A) directly or indirectly own at least a 20 percent stake; or (C) a person subject to the direction or control of a foreign person or entity described in subparagraph (A) or (B).
Notable Exemptions
Bulk Data Regs: The Final Rule provides a number of exemptions:
• Personal communications;
• Information or informational materials;
• Travel;
• Official business of the U.S. government;
• Transactions “ordinarily incident to and part of the provision of financial services”;
• Corporate group transactions;
• “Transactions required or authorized by Federal law or international agreements, or necessary for compliance with Federal law”;
• “Investment agreements subject to a CFIUS action”;
• Transactions “ordinarily incident to and part of the provision of telecommunications services”;
• “Drug, biological product, and medical device authorizations”; and
• “Other clinical investigations and post-marketing surveillance data.”
PADFA: (B) Exclusion. The term “data broker” does not include an entity to the extent such entity (i) is transmitting data of a United States individual, including communications of such an individual, at the request or direction of such individual; (ii) is providing, maintaining, or offering a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service; (iii) is reporting or publishing news or information that concerns local, national, or international events or other matters of public interest; (iv) is reporting, publishing, or otherwise making available news or information that is available to the general public, (I) including information from (aa) a book, magazine, telephone book, or online directory; (bb) a motion picture; (cc) a television, internet, or radio program; (dd) the news media; or (ee) an internet site that is available to the general public on an unrestricted basis; and (II) not including an obscene visual depiction (as such term is used in section 1460 of title 18, United States Code); or (v) is acting as a service provider.
(8) Service provider. The term “service provider” means an entity that (A) collects, processes, or transfers data on behalf of, and at the direction of (i) an individual or entity that is not a foreign adversary country or controlled by a foreign adversary; or (ii) a Federal, State, Tribal, territorial, or local government entity; and (B) receives data from or on behalf of an individual or entity described in subparagraph (A)(i) or a Federal, State, Tribal, territorial, or local government entity.
Enforcement and Penalties
Bulk Data Regs: The Bulk Data Regs are enforced by the Dept. of Justice, and allow for the imposition of both civil and criminal penalties.
Current maximum civil penalties are not to exceed the greater of $368,136 or an amount that is twice the amount of the transaction that is the basis of the violation with respect to which the penalty is imposed.
Potential criminal fines and imprisonment are available for willful violations of the regulations. In particular, a maximum of $1,000,000 fine and imprisonment of not more than 20 years, or both, are available in the event of willful violations.
PADFA: A violation of [PADFA] shall be treated as a violation of a rule defining an unfair or a deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
The Federal Trade Commission is provided with enforcement authority under PADFA. Remedies for violation of Section 18(a)(1)(B) of the FTC Act include civil penalties of up to $50,120 per violation and various forms of equitable relief (e.g., disgorgement, injunctions, etc.).
FTC Finalizes Long-Awaited Updates to Children’s Privacy Rule
On January 16, 2025, the FTC announced the issuance of updates to the FTC’s Children’s Online Privacy Protection Rule (the “Rule”), which implements the federal Children’s Online Privacy Protection Act of 1998 (“COPPA”). The updates to the Rule come more than five years after the FTC initiated a rule review. The Commission vote on the Rule was 5-0, with various Commissioners filing separate statements. The updated Rule, which will be published in the Federal Register, contains several significant changes, but also stops short of the version proposed by the FTC in January 2024. The Rule will go into effect 60 days after its publication in the Federal Register; most entities subject to the Rule will have one year after publication to comply.
Key updates to the Rule include:
Requirement to obtain opt-in consent for targeted advertising to children and other disclosures of children’s personal information to third parties: The Rule will require operators of child-directed websites or online services to obtain separate verifiable parental consent before disclosing children’s personal information to third parties. According to a statement filed by outgoing FTC Chair Lina Khan, this means that operators will be prohibited from selling children’s personal information or disclosing it for targeted advertising purposes unless parents separately agree and opt in to these uses.
Limits on data retention: The Rule will prevent operators from retaining children’s personal information for longer than is necessary for the specific documented purposes for which the data was collected. Operators also must maintain a written data retention policy that (1) details the specific business need for retaining children’s personal information and (2) sets forth a timeline for deleting this data. Operators may not retain children’s personal information indefinitely.
Changes to key definitions: The Rule also makes several changes to the definitions that govern its application. For example, the definition of “personal information” now includes biometric identifiers that can be used for the automated or semi-automated recognition of a child (e.g., fingerprints, handprints, retina patterns, iris patterns, genetic data (including a DNA sequence), voiceprints, gait patterns, facial templates, or faceprints). In addition, the factors the Commission will take into account in considering whether a website or service is “directed to children” will be expanded to include marketing or promotional materials or plans, representations to consumers or third parties, reviews by users or third parties, and the ages of users on similar websites or services.
Increased Safe Harbor transparency: FTC-approved COPPA Safe Harbor programs are required to identify in their annual reports to the Commission each operator subject to the self-regulatory program (“subject operator”) and all approved websites or online services, as well as any subject operator that left the program during the time period covered by the annual report. The Safe Harbor programs also must outline their business models in greater detail and provide copies of each consumer complaint related to a member’s violation of the program’s guidelines. In addition, Safe Harbor programs must publicly post a list of all current subject operators and, for each such operator, list each certified website or online service.
The Rule is also notable for what it does not contain.
No EdTech changes: Despite having proposed imposing a wide range of obligations on EdTech companies, the Rule avoids incorporating any education-related requirements. According to the FTC, because the Department of Education has indicated its intention to update its FERPA regulations (34 C.F.R. Part 99), the Commission sought to avoid changing COPPA in any way that might conflict with the DOE’s eventual amendments. Instead, the Commission states it will continue to enforce COPPA in the EdTech context consistent with its existing guidance.
No coverage of user engagement techniques: The Rule does not incorporate the proposal to require parental notification and consent for the collection of data used to encourage or prompt children’s prolonged use of a website or online service. The Commission indicated that, after reviewing the public comments, it believes the proposed use restriction “was overly broad and would constrain beneficial prompts and notifications.” The FTC cautioned, however, that it nevertheless may pursue enforcement under Section 5 of the FTC Act in appropriate cases to address unfair or deceptive acts or practices encouraging prolonged use of websites and online services that increase risks of harm to children.
Personalization and contextual advertising still exempted: The Rule does not limit the “support for the internal operations” exemption under COPPA to exclude operator-driven personalization or contextual advertising.
No need to tie personal information collected to specific uses: The Rule will not require that operators correlate each data element collected online from children to the particular use(s) of such data element.
In voting in support of the revised Rule, incoming FTC Chair Andrew Ferguson filed a separate statement expressing what he termed “serious problems” with the Rule, which he characterized as “the result of the outgoing administration’s irresponsible rush to issue last-minute rules.” Ferguson would have required the Rule to clarify the instances in which an operator’s addition of third parties to whom it provides children’s personal information would trigger a need for updated notice and refreshed consent. He also took issue with the prohibition on indefinite retention of children’s personal information, predicting that it “is likely to generate outcomes hostile to users.” Finally, he indicated his belief that the FTC missed an opportunity to make clear that the Rule is not an obstacle to the use of children’s personal information solely for the purpose of age verification.