FTC asserts that COPPA does not preempt state law claims

Julie Rubash, Chief Privacy Counsel
May 31, 2023

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

United States

FTC Asserts that COPPA Does NOT Preempt State Law Claims

The FTC filed a brief supporting an appeals court ruling in Jones v. Google, a case alleging that Google’s tracking of childrens’ online activity violated the constitutional, statutory and common law of several states. The district court originally dismissed the case, holding that the claims were preempted by the federal Children’s Online Privacy Protect Act (COPPA), but the appeals court panel found that COPPA did not preempt the state law claims, because the state laws were not inconsistent with COPPA.

Google asked for a full-court review of that decision, where the FTC’s opinion was requested, ultimately supporting the appeals panel decision. 


The FTC has enforcement authority under COPPA, which has a preemption clause restricting states from imposing liability for activities regulated by COPPA in a manner inconsistent with COPPA. Google argued in its appeal that all state-law claims involving children’s online privacy are barred by COPPA’s preemption clause, but the FTC argued that nothing in COPPA’s text purpose, or legislative history supports Google’s argument. If the full appeals court follows the FTC’s opinion, the state-law claims against Google will be permitted to proceed. 

In its press release about changes to the HBNR, the FTC made clear that “protecting the privacy and security of personal health data is a high priority for the FTC”. 


Dutch Groups Call on Consumers for Google Class Action

The Protection of Privacy Interests Foundation and the Consumers’ Association issued a notice calling on Dutch consumers to join a legal action against Google over alleged violations of Dutch and European privacy and consumer laws, including GDPR.

According to the news release, “Google constantly monitors consumer behavior by how it collects, processes and uses users’ personal information to monetize it without their consent”, which “is contrary to Dutch and European law”. The notice demands that Google structurally change its practices and also offer financial compensation to all Dutch users of Google.


Google has recently entered into several settlements with state attorneys generals in the United States over similar allegations.

Specifically, Google entered into: 

• a $85 million settlement with the Arizona Attorney General in October 2022, 

• a $391.5 million settlement with 40 state attorneys general in November 2022, 

• a $9.5 million settlement with the Washington D.C. Attorney General in January 2023,

• and a $9 million settlement with 6 state attorneys general in March 2023. 

A class action against Google was also certified by a California District Court judge in December 2022. 

CNIL Closes Case Against Microsoft After Approval of Consent Changes

The French Data Protection Authority (CNIL) announced its closing of a case against Microsoft, noting that Microsoft had completed the changes requested by the CNIL within the required 3-month period.

Specifically, Microsoft made technical modifications so that tracking linked to advertising fraud would be inactive in the absence of specific consent from French users. 


The CNIL’s injunction against Microsoft was issued in December 2022, along with a 60 million euro fine. Specifically, the CNIL found that when users visited ““, a cookie with several purposes, including to detect ad fraud, was deposited on their terminal without prior consent.

Additionally, the CNIL found that‘s cookie consent mechanism required two clicks to refuse all cookies but only one click to accept them, which the CNIL found to infringe the users’ freedom of consent. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

You Are Who You Work With: Cookie Consent and Data Privacy

June 11, 2024

Who you work with for consent management and data...

Texas AG Prepares for “Aggressive Enforcement” of Privacy Laws

June 10, 2024

Texas Attorney General announced a data privacy and security...

What are the privacy laws in Canada?

June 6, 2024

Everything you need to know about PIPEDA and Quebec’s...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]