Consumer Privacy, Information Sharing, and Consumer Finance: Tradeoffs and Opportunities

Abstract

Concerns over the ownership, use, security, and flows of consumer data information are not new. Yet the dominance of the Internet and electronic payments has elevated such concerns to a high level. Traditionally there was perceived to be a tradeoff between the flow of information necessary for the consumer financial system to work well (such as to solve information asymmetries necessary in order to make credit-granting decisions) and consumer control over their data and keeping their information private. Data security approaches historically pursued a static “fortress” model that rested on the ability of consumers to keep private a small amount of information the consumer uniquely knew, such as a PIN or password.

Today, however, it is becoming apparent that this static model is no longer viable and can be expected to grow less viable with the growth of artificial intelligence and machine-learning. But such approaches have costs as well—not only are they often more cumbersome, when the fortress walls are breached these systems can be slower to adapt and can result in increased harm to consumers on the back end. Some people have suggested that we respond to these emergent threats by trying to build taller and thicker fortress walls and other static, such as the use of biometric identification. The approach suggested here, by contrast, attempts to model what a more dynamic approach to information security would look like and how such a system would be dependent on more data flows rather than less. I suggest some areas of current and proposed regulation that should be reexamined in light of the analysis presented here.

Read at SSRN.

Data Security & Privacy

Comments to UK Information Commissioner’s Office on ‘Pay or Consent’

I thank the ICO for the opportunity to submit comments on “pay or consent.” My focus will be on the question of how to deal with consent to personal data processing needed to fund the provision of a service that does not fit the legal basis of contractual necessity.[1]

Personalised Advertising: Contractual Necessity or Consent?

Under the GDPR, personal data may only be processed if one of the lawful bases from Article 6 applies. They include, in particular, consent, contractual necessity, and legitimate interests. When processing is necessary for the performance of a contract (Article 6(1)(b)), then that is the basis on which the controller should rely. One may think that if data processing (e.g., for targeting ads) is necessary to fund a free-of-charge service, that should count as contractual necessity. I am unaware of data protection authorities disputing this in principle, but there is a tendency to interpret contractual necessity narrowly.[2] Notably, the EDPB decided in December 2022 that Facebook and Instagram shouldn’t have relied on that ground for personalisation of advertising.[3] Subsequently, the EDPB decided that Meta should also not rely on the legitimate interests basis.[4]

The adoption of a narrow interpretation of contractual necessity created an interpretative puzzle. If we set aside the legitimate interests basis under Article 6(1)(f), in many commercial contexts, we are only left with consent as an option (Article 6(1)(a)). This is especially true where consent is required not due to the GDPR but under national laws implementing the ePrivacy Directive (Directive 2002/58/EC), including the UK Privacy and Electronic Communications Regulations (PECR). That is, for solutions like cookies or browser storage. Importantly, though, these are not always needed for personalised advertising. Perhaps the biggest puzzle is how to deal with consent to processing needed to fund the provision of a service that does not fit the narrow interpretation of contractual necessity.

Consent, as we know from Articles 4(11) and 7(4) GDPR, must be “freely given.” In addition, Recital 42 states that: “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” The EDPB provided self-contradictory guidance by first saying that withdrawing consent should “not lead to any costs for the data subjects,” but soon after adding that the GDPR “does not preclude all incentives” for consenting.[5]

Despite some differences, at least the Austrian, Danish, French, German (DSK), and Spanish data protection authorities generally acknowledge that paid alternatives to consent may be lawful.[6] Notably, the Norwegian Privacy Board—in a Grindr appeal—also explicitly allowed that possibility.[7] I discuss below the conditions those authorities focus on in their assessment of “pay or consent” implementations.

The CJEU and ‘Necessity’ to Charge ‘An Appropriate Fee’

In its Meta decision from July 2023, the EU Court of Justice weighed in, though in the context of third-party-collected data, by saying that if that kind of data processing by Meta does not fall under contractual necessity, then:

(…) those users must be free to refuse individually, in the context of the contractual process, to give their consent to particular data processing operations not necessary for the performance of the contract, without being obliged to refrain entirely from using the service offered by the online social network operator, which means that those users are to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations.[8]

Intentionally or not, the Court highlighted the interpretative problem stemming from a narrow interpretation of contractual necessity. The Court said that even if processing does not fall under contractual necessity, it may still be “necessary” to charge data subjects “an appropriate fee” if they refuse to consent. Disappointing some activists, the Court did not endorse the EDPB’s first comment I cited (that refusal to consent should not come with “any costs”).

Even though the Court did not explain this further, we can speculate that the Court was not willing to accept the view that all business models simply have to be adjusted to a maximally prohibitive interpretation of the GDPR. The Court may have attempted to save the GDPR from a likely political backlash to an attempt to use the GDPR to deny Europeans a choice of free-of-charge services funded by personalised advertising. Perhaps, the Court also noted that other EU laws rely on the GDPR’s definition of consent (e.g., the Digital Markets Act) and that this gives an additional reason to be very cautious in interpreting this concept in ways that are not in line with current expectations.

Remaining Questions

Several questions will likely be particularly important for future assessments of “pay or consent” implementations under the GDPR and ePrivacy/PECRs. The following list may not be exhaustive but aims to identify the main issues.

How Specific Should the Choice Be?

The extent to which service providers batch consent to processing for different purposes, especially if users cannot (in a “second step”) adjust consent more granularly, is likely to be questioned. This is problematic because giving users complete freedom to adjust their consent could also defeat the purpose of having a paid alternative.

In a different kind of bundling, service providers may make the paid alternative to consent more attractive by adding incentives like access to additional content or the absence of ads (including non-personalised ads). On the one hand, this means that service providers incentivise users not to consent, making consent less attractive. This could be seen as reducing the pressure to consent and making the choice more likely to be freely given. On the other hand, a more attractive paid option could be more costly for the service provider and thus require a higher price.

What Is an ‘Appropriate’ Price?

The pricing question is a potential landmine for data protection authorities, who are decidedly ill-suited to deal with it. Just to show one aspect of the complexity: setting as a benchmark the service’s historical average revenue per user (ARPU) from (personalised) advertising may be misleading. Users are not identical. Wealthier, less price-sensitive users, who may be more likely to pay for a no-ads option, are also worth more to advertisers. Hence, the loss of income from advertising may be higher than just “old ARPU multiplied by the number of users on a no-ads tier,” suggesting a need to charge the paying users more than historical ARPU merely to retain the same level of revenue. Crucially, the situation will likely be dynamic due to subscription “churn” (users canceling their subscriptions) and other market factors. The economic results of the “pay or consent” scheme may continue to change, and setting the price level will always involve business judgment based on predictions and intuition.

Some authorities may be tempted to approach the issue from the perspective of users’ willingness to pay, but this also raises many issues. First, the idea of price regulation by privacy authorities, capping prices at a level defined by the authorities’ view of what is acceptable to a user, may face jurisdictional scrutiny. Second, taking users’ willingness to pay as a benchmark implicitly assumes a legally protected entitlement to access the service for a price they like. In other words, to assume that users are entitled to specific private services, like social media services.[9] This is not something that can be simply assumed; it would require a robust argument—and arguably constitute a legal change that is appropriate only for the political, legislative process.

Imbalance

Recital 43 of the GDPR explains that consent may not be free when there is “a clear imbalance between the data subject and the controller.” In the Meta decision, the EU Court of Justice admitted the possibility of such an imbalance between a business with a dominant position, as understood in competition law, and its customers.[10] This, too, may be a difficult issue for data protection authorities to deal with, both for expertise and competence reasons.

The Scale of Processing and Impact on Users

Distinct from market power (dominance), though sometimes conflated with it, are the issues of the scale of processing and its impact on users. An online service provider, e.g., a newspaper publisher, may have relatively little market power but may be using a personalised advertising framework (e.g., an RTB scheme facilitated by third parties[11]) that is very large in scale and with more potential for a negative impact on users than an advertising system internal to a large online platform. A large online platform can offer personalised advertising to its business customers (advertisers) while sharing little or no information about who the ads are being shown to. Large platforms have economic incentives to keep user data securely within the platform’s “walled garden,” not sharing it with outsiders. Smaller publishers participate in open advertising schemes (RTB), where user data is shared more widely with advertisers and other participants.

Given the integration of smaller publishers in such open advertising schemes, an attempt by data protection authorities to set a different standard for consent just for large platforms may fail as based on an arbitrary distinction. In other words, however attractive it may seem for the authorities to target Meta without targeting the more politically powerful legacy media, this may not be an option.

[1] The comments below build on my ‘“Pay or consent:” Personalized ads, the rules and what’s next’ (IAPP, 20 November 2023) < https://iapp.org/news/a/pay-or-consent-personalized-ads-the-rules-and-whats-next/ >.

[2] On this issue, I highly recommend the article by Professor Martin Nettesheim on ‘Data Protection in Contractual Relationships (Art. 6 (1) (b) GDPR)’ (May 2023) < https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4427134 >.

[3] https://www.edpb.europa.eu/news/news/2023/facebook-and-instagram-decisions-important-impact-use-personal-data-behavioural_en

[4] https://www.edpb.europa.eu/news/news/2023/edpb-urgent-binding-decision-processing-personal-data-behavioural-advertising-meta_en

[5] https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf

[6] David Pfau, ‘PUR models: Status quo on the European market’ (BVDW, October 2023) < https://iabeurope.eu/knowledge_hub/bvdws-comprehensive-market-overview-pur-models-in-europe-legal-framework-and-future-prospects-in-english/ >; for the view of the Spanish authority, see https://www.aepd.es/prensa-y-comunicacion/notas-de-prensa/aepd-actualiza-guia-cookies-para-adaptarla-a-nuevas-directrices-cepd

[7] https://www.personvernnemnda.no/pvn-2022-22

[8] https://curia.europa.eu/juris/document/document.jsf?mode=lst&pageIndex=1&docid=276478&part=1&doclang=EN&text=&dir=&occ=first&cid=163129

[9] See also Peter Craddock, ‘Op-ed: “Pay or data” has its reasons – even if you disagree’, https://www.linkedin.com/pulse/op-ed-pay-data-has-its-reasons-even-you-disagree-peter-craddock

[10] See para [149]. This is also referenced in the Joint EDPB-EDPS contribution to the public consultation on the draft template relating to the description of consumer profiling techniques (Art.15 DMA) (September 2023), page 14.

[11] https://en.wikipedia.org/wiki/Real-time_bidding


Does the DMA Let Gatekeepers Protect Data Privacy and Security?

It’s been an eventful two weeks for those following the story of the European Union’s implementation of the Digital Markets Act. On April 18, the European Commission began a series of workshops with the companies designated as “gatekeepers” under the DMA: Apple, Meta, Alphabet, Amazon, ByteDance, and Microsoft. And even as those workshops were still ongoing, the Commission announced noncompliance investigations against Alphabet, Apple, and Meta. Finally, the European Parliament’s Internal Market and Consumer Protection Committee (IMCO) held its own session on DMA implementation.

Many aspects of those developments are worth commenting on, and you can expect more competition-related analysis on Truth on the Market soon. Here, I will focus on what these developments mean for data privacy and security.


A Choice-of-Law Alternative to Federal Preemption of State Privacy Law

Executive Summary

A prominent theme in debates about US national privacy legislation is whether federal law should preempt state law. A federal statute could create one standard for markets that are obviously national in scope. Another approach is to allow states to be “laboratories of democracy” that adopt different laws so they can discover the best ones.

We propose a federal statute requiring states to recognize contractual choice-of-law provisions, so companies and consumers can choose what state privacy law to adopt. Privacy would continue to be regulated at the state level. However, the federal government would provide for jurisdictional competition among states, such that companies operating nationally could comply with the privacy laws of any one state.

Our proposed approach would foster a double competition aimed at discerning and delivering on consumers’ true privacy interests: market competition to deliver privacy policies that consumers prefer and competition among states to develop the best privacy laws.

Unlike a single federal privacy law, this approach would provide 50 competing privacy regimes for national firms. The choice-of-law approach can trigger competition and innovation in privacy practices while preserving a role for meaningful state privacy regulation.

Introduction

The question of preemption of state law by the federal government has bedeviled debates about privacy regulation in the United States. A prominent theme is to propose a national privacy policy that largely preempts state policies to create one standard for markets that are obviously national. Another approach is to allow states to be “laboratories of democracy” that adopt different laws, with the hope that they will adopt the best rules over time. Both approaches have substantial costs and weaknesses.

The alternative approach we propose would foster a double competition aimed at discerning and delivering on consumers’ true privacy interests: market competition to deliver privacy policies that consumers prefer and competition among states to develop the best privacy laws. Indeed, our proposal aims to obtain the best features—and avoid the worst features—of both a federal regime and a multistate privacy law regime by allowing firms and consumers to agree on compliance with the single regime of their choosing.

Thus, we propose a federal statute requiring states to recognize contractual choice-of-law provisions, so companies and consumers can choose what state privacy law to adopt. Privacy would continue to be regulated at the state level. However, the federal government would provide for jurisdictional competition among states, and companies operating nationally could comply with the privacy laws of any one state.

Unlike a single federal privacy law, this approach would provide 50 competing privacy regimes for national firms. Protecting choice of law can trigger competition and innovation in privacy practices while preserving a role for meaningful state privacy regulation.

The Emerging Patchwork of State Privacy Statutes Is a Problem for National Businesses

A strong impetus for federal privacy legislation is the opportunity national and multinational businesses see to alleviate the expense and liability of having a patchwork of privacy statutes with which they must comply in the United States. Absent preemptive legislation, they could conceivably operate under 50 different state regimes, which would increase costs and balkanize their services and policies without coordinate gains for consumers. Along with whether a federal statute should have a private cause of action, preempting state law is a top issue when policymakers roll up their sleeves and discuss federal privacy legislation.

But while the patchwork argument is real, it may be overstated. There are unlikely ever to be 50 distinct state regimes; rather, a small number of state legislation types is likely, as jurisdictions follow each other’s leads and group together, including by promulgating model state statutes.[1] States don’t follow the worst examples from their brethren, as the lack of biometric statutes modeled on Illinois’s legislation illustrates.[2]

Along with fewer “patches,” the patchwork’s costs will tend to diminish over time as states land on relatively stable policies, allowing compliance to be somewhat routinized.

Nonetheless, the patchwork is far from ideal. It is costly to firms doing business nationally. It costs small firms more per unit of revenue, raising the bar to new entry and competition. And it may confuse consumers about what their protections are (though consumers don’t generally assess privacy policies carefully anyway).

But a Federal Privacy Statute Is Far from Ideal as Well

Federal preemption has many weaknesses and costs as well. Foremost, it may not deliver meaningful privacy to consumers. This is partially because “privacy” is a congeries of interests and values that defy capture.[3] Different people prioritize different privacy issues differently. In particular, the elites driving and influencing legislation may prioritize certain privacy values differently from consumers, so legislation may not serve most consumers’ actual interests.[4]

Those in the privacy-regulation community sometimes assume that passing privacy legislation ipso facto protects privacy, but that is not a foregone conclusion. The privacy regulations issued under the Gramm-Leach-Bliley Act (concerning financial services)[5] and the Health Insurance Portability and Accountability Act (concerning health care)[6] did not usher in eras of consumer confidence about privacy in their respective fields.

The short-term benefits of preempting state law may come with greater long-term costs. One cost is the likely drop in competition among firms around privacy. Today, as some have noted, “Privacy is actually a commercial advantage. . . . It can be a competitive advantage for you and build trust for your users.”[7] But federal privacy regulation seems almost certain to induce firms to treat compliance as the full measure of privacy to offer consumers. Efforts to outperform or ace out one another will likely diminish.[8]

Another long-term cost of preempting state law is the drop in competition among states to provide well-tuned privacy and consumer-protection legislation. Our federal system’s practical genius, which Justice Louis Brandeis articulated 90 years ago in New State Ice v. Liebmann, is that state variation allows natural experiments in what best serves society—business and consumer interests alike.[9] Because variations are allowed, states can amend their laws individually, learn from one another, adapt, and converge on good policy.

The economic theory of federalism draws heavily from the Tiebout model.[10] Charles Tiebout argued that competing local governments could, under certain conditions, produce public goods more efficiently than the national government could. Local governments act as firms in a marketplace for taxes and public goods, and consumer-citizens match their preferences to the providers. Efficient allocation requires mobile people and resources, enough jurisdictions with the freedom to set their own laws, and limited spillovers among jurisdictions (effects of one jurisdiction’s policies on others).

A related body of literature on “market-preserving federalism” argues that strong and self-reinforcing limits on national and local power can preserve markets and incentivize economic growth and development.[11] The upshot of this literature is that when local jurisdictions can compete on law, not only do they better match citizens’ policy preferences, but the rules tend toward greater economic efficiency.

In contrast to the economic gains from decentralization, moving authority over privacy from states to the federal government may have large political costs. It may deepen Americans’ growing dissatisfaction with their democracy. Experience belies the ideal of responsive national government when consumers, acting as citizens, want to learn about or influence the legislation and regulation that governs more and more areas of their lives. The “rejectionist” strain in American politics that Donald Trump’s insurgency and presidency epitomized may illustrate deep dissatisfaction with American democracy that has been growing for decades. Managing a highly personal and cultural issue like privacy through negotiation between large businesses and anonymous federal regulators would deepen trends that probably undermine the government’s legitimacy.

To put a constitutional point on it, preempting states on privacy contradicts the original design of our system, which assigned limited powers to the federal government.[12] The federal government’s enumerated powers generally consist of national public goods—particularly defense. The interstate commerce clause, inspired by state parochialism under the Articles of Confederation, exists to make commerce among states (and with tribes) regular; it is not rightly a font of power to regulate the terms and conditions of commerce generally.[13]

Preempting state law does not necessarily lead to regulatory certainty, as is often imagined. Section 230 of the Communications Decency Act may defeat once and for all the idea that federal legislation creates certainty.[14] More than a quarter century after its passage, it is hotly debated in Congress and threatened in the courts.[15]

The Fair Credit Reporting Act (FCRA) provides a similar example.[16] Passed in 1970, it comprehensively regulated credit reporting. Since then, Congress has amended it dozens of times, and regulators have made countless alterations through interpretation and enforcement.[17] The Consumer Financial Protection Bureau recently announced a new inquiry into data brokering under the FCRA.[18] That is fine, but it illustrates that the FCRA did not solve problems and stabilize the law. It just moved the jurisdiction to Washington, DC.

Meanwhile, as regulatory theory predicts, credit reporting has become a three-horse race.[19] A few slow-to-innovate firms have captured and maintained dominance thanks partially to the costs and barriers to entry that uniform regulation creates.

Legal certainty may be a chimera while business practices and social values are in flux. Certainty develops over time as industries settle into familiar behaviors and roles.

An Alternative to Preemption: Business and Consumer Choice

One way to deal with this highly complex issue is to promote competition for laws. The late, great Larry Ribstein, with several coauthors over the years, proposed one such legal mechanism: a law market empowered by choice-of-law statutes.[20] Drawing on the notion of market competition as a discovery process,[21] Ribstein and Henry Butler explained:

In order to solve the knowledge problem and to create efficient legal technologies, the legal system can use the same competitive process that encourages innovation in the private sector—that is, competition among suppliers of law. As we will see, this entails enforcing contracts among the parties regarding the applicable law. The greater the knowledge problem the more necessary it is to unleash markets for law to solve the problem.[22]

The proposal set forth below promotes just such competition and solves the privacy-law patchwork problem without the costs of federal preemption. It does this through a simple procedural regulation requiring states to enforce choice-of-law terms in privacy contracts, rather than through a heavy-handed, substantive federal law. Inspired by Butler and Ribstein’s proposal for pluralist insurance regulation,[23] the idea is to make the choice of legal regime a locus of privacy competition.

Modeled on the US system of state incorporation law, our proposed legislation would leave firms generally free to select the state privacy law under which they do business nationally. Firms would inform consumers, as they must to form a contract, that a given state’s laws govern their policies. Federal law would ensure that states respect those choice-of-law provisions, which would be enforced like any other contract term.

This would strengthen and deepen competition around privacy. If firms believed privacy was a consumer interest, they could select highly protective state laws and advertise that choice, currying consumer favor. If their competitors chose relatively lax state law, they could advertise to the public the privacy threats behind that choice. The process would help hunt out consumers’ true interests through an ongoing argument before consumers. Businesses’ and consumers’ ongoing choices—rather than a single choice by Congress followed by blunt, episodic amendments—would shape the privacy landscape.

The way consumers choose in the modern marketplace is a broad and important topic that deserves further study and elucidation. It nevertheless seems clear—and it is rather pat to observe—that consumers do not carefully read privacy policies and balance their implications. Rather, a hive mind of actors including competitors, advocates, journalists, regulators, and politicians pore over company policies and practices. Consumers take in branding and advertising, reputation, news, personal recommendations, rumors, and trends to decide on the services they use and how they use them.

That detail should not be overlooked: Consumers may use services differently based on the trust they place in them to protect privacy and related values. Using an information-intensive service is not a proposition to share everything or nothing. Consumers can and do shade their use and withhold information from platforms and services depending on their perceptions of whether the privacy protections offered meet their needs.

There is reason to be dissatisfied with the modern marketplace, in which terms of service and privacy policies are offered to the individual consumer on a “take it or leave it” basis. There is a different kind of negotiation, described above, between the hive mind and large businesses. But when the hive mind and business have settled on terms, individuals cannot negotiate bespoke policies reflecting their particular wants and needs. This collective decision-making may be why some advocates regard market processes as coercive. They do not offer custom choices to all but force individual consumers into channels cut by all.

The solution that orthodox privacy advocates offer does not respond well to this problem, because they would replace “take it or leave it” policies crafted in the crucible of the marketplace with “take it or leave it” policies crafted in a political and regulatory crucible. Their prescriptions are sometimes to require artificial notice and “choice,” such as whether to accept cookies when one visits websites. This, as experience shows, does not reach consumers when they are interested in choosing.

Choice of law in privacy competition is meant to preserve manifold choices when and where consumers make their choices, such as at the decision to transact, and then let consumers choose how they use the services they have decided to adopt. Let new entrants choose variegated privacy-law regimes, and consumers will choose among them. That does not fix the whole problem, but at least it doesn’t replace consumer choice with an “expert” one-size-fits-all choice.

In parallel to business competition around privacy choice of law, states would compete with one another to provide the most felicitous environment for consumers and businesses. Some states would choose more protection, seeking the rules businesses would choose to please privacy-conscious consumers. Others might choose less protection, betting that consumers prefer goods other than information control, such as free, convenient, highly interactive, and custom services.

Importantly, this mechanism would allow companies to opt in to various privacy regimes based on the type of service they offer, enabling a degree of fine-tuning appropriate for different industries and different activities that no alternative would likely offer. This would not only result in the experimentation and competition of federalism but also enable multiple overlapping privacy-regulation regimes, avoiding the “one-size-doesn’t-fit-all” problem.

While experimentation continued, state policies would probably rationalize and converge over time. There are institutions dedicated to this, such as the Uniform Law Commission, which is at its best when it harmonizes existing laws based on states’ experience.[24]

It is well within the federal commerce power to regulate state enforcement of choice-of-law provisions, because states may use them to limit interjurisdictional competition. Controlling that is precisely what the commerce power is for. Utah’s recent Social Media Regulation Act[25] barred enforcement of choice-of-law provisions, an effort to regulate nationally from a state capital. Federally backing contractual choice-of-law selections would curtail this growing problem.

At the same time, what our proposed protections for choice-of-law rules do is not much different from what contracts already routinely do and courts enforce in many industries. Contracting parties often specify the governing state’s law and negotiate for the law that best suits their collective needs.

Indeed, sophisticated business contracts increasingly include choice-of-law clauses that state the law that the parties wish to govern their relationship. In addition to settling uncertainty, these clauses might enable the contracting parties to circumvent those states’ laws they deem to be undesirable.[26]

This practice is not only business-to-business. Consumers regularly enter into contracts that include choice-of-law clauses—including regarding privacy law. Credit card agreements, stock and mutual fund investment terms, consumer-product warranties, and insurance contracts, among many other legal agreements, routinely specify the relevant state law that will govern.

In these situations, the insurance company, manufacturer, or mutual fund has effectively chosen the law. The consumer participates in this choice only to the same extent that she participates in any choices related to mass-produced products and services, that is, by deciding whether to buy the product or service.[27]

Allowing contracting parties to create their own legal certainty by contract would likely rankle states. Indeed, “we might expect governments to respond with hostility to the enforcement of choice-of-law clauses. In fact, however, the courts usually do enforce choice-of-law clauses.”[28] With some states trying to regulate nationally and some effectively doing so, the choice the states collectively face is having a role in privacy regulation or no role at all. Competition is better for them than exclusion from the field or minimization of their role through federal preemption of state privacy law. This proposal thus advocates simple federal legislation that preserves firms’ ability to make binding choice-of-law decisions and states’ ability to retain a say in the country’s privacy-governance regime.

Avoiding a Race to the Bottom

Some privacy advocates may object that state laws will not sufficiently protect consumers.[29] Indeed, there is literature arguing that federalism will produce a race to the bottom (i.e., competition leading every state to effectively adopt the weakest law possible), for example, when states offer incorporation laws that are the least burdensome to business interests in a way that arguably diverges from public or consumer interests.[30]

The race-to-the-bottom framing slants the issues and obscures ever-present trade-offs, however. Rules that give consumers high levels of privacy come at a cost in social interaction, price, and the quality of the goods they buy and services they receive. It is not inherently “down” or bad to prefer cheap or free goods and plentiful, social, commercial interaction. It is not inherently “up” or good to opt for greater privacy.

The question is what consumers want. The answers to that question—yes, plural—are the subject of constant research through market mechanisms when markets are free to experiment and are functioning well. Consumers’ demands can change over time through various mechanisms, including experience with new technologies and business models. We argue for privacy on the terms consumers want. The goal is maximizing consumer welfare, which sometimes means privacy and sometimes means sharing personal information in the interest of other goods. There is no race to the bottom in trading one good for another.

Yet the notion of a race to the bottom persists—although not without controversy. In the case of Delaware’s incorporation statutes, the issue is highly contested. Many scholars argue that the state’s rules are the most efficient—that “far from exploiting shareholders, . . . these rules actually benefit shareholders by increasing the wealth of corporations chartered in states with these rules.”[31]

As always, there are trade-offs, and the race-to-the-bottom hypothesis requires some unlikely assumptions. Principally, as Jonathan Macey and Geoffrey Miller discuss, it requires the assumption that state legislators are beholden to the interests of corporations over other constituencies vying for influence. As Macey and Miller explain, the presence of a powerful lobby of specialized and well-positioned corporate lawyers (whose interests are not the same as those of corporate managers) transforms the analysis and explains the persistence and quality of Delaware corporate law.[32]

In much the same vein, there are several reasons to think competition for privacy rules would not succumb to a race to the bottom.

First, if privacy advocates are correct, consumers put substantial pressure on companies to adopt stricter privacy policies. Simply opting in to the weakest state regime would not, as with corporate law, be a matter of substantial indifference to consumers but would (according to advocates) run contrary to their interests. If advocates are correct, firms avoiding stronger privacy laws would pay substantial costs. As a result, the impetus for states to offer weaker laws would be diminished. And, consistent with Macey and Miller’s “interest-group theory” of corporate law,[33] advocates themselves would be important constituencies vying to influence state privacy laws. Satisfying these advocates may benefit state legislators more than satisfying corporate constituencies does.

Second, “weaker” and “stronger” would not be the only dimensions on which states would compete for firms to adopt their privacy regimes. Rather, as mentioned above, privacy law is not one-size-fits-all. Different industries and services entail different implications for consumer interests. States could compete to specialize in offering privacy regimes attractive to distinct industries based on interest groups with particular importance to their economies. Minnesota (home of the Mayo Clinic) and Ohio (home of the Cleveland Clinic), for example, may specialize in health care and medical privacy, while California specializes in social media privacy.

Third, insurance companies are unlikely to be indifferent to the law that the companies they cover choose. Indeed, to the extent that insurers require covered firms to adopt specific privacy practices to control risk, those insurers would likely relish the prospect of outsourcing the oversight of these activities to state law enforcers. States could thus compete to mimic large insurers’ privacy preferences—which would by no means map onto “weaker” policies—to induce insurers to require covered firms to adopt their laws.

If a race to the bottom is truly a concern, the federal government could offer a 51st privacy alternative (that is, an optional federal regime as an alternative to the states’ various privacy laws). Assuming federal privacy regulation would be stricter (an assumption inherent in the race-to-the-bottom objection to state competition), such an approach would ensure that at least one sufficiently strong opt-in privacy regime would always be available. Among other things, this would preclude firms from claiming that no option offers a privacy regime stronger than those of the states trapped in the (alleged) race to the bottom.

Choice of law exists to a degree in the European Union, a trading bloc commonly regarded as uniformly regulated (and commonly regarded as superior on privacy because of a bias toward privacy over other goods). The General Data Protection Regulation (GDPR) gives EU member states broad authority to derogate from its provisions and create state-level exemptions. Article 23 of the GDPR allows states to exempt themselves from EU-wide law to safeguard nine listed broad governmental and public interests.[34] And Articles 85 through 91 provide for derogations, exemptions, and powers to impose additional requirements relative to the GDPR for a number of “specific data processing situations.”[35]

Finally, Article 56 establishes a “lead supervisory authority” for each business.[36] In the political, negotiated processes under the GDPR, this effectively allows companies to shade their regulatory obligations and enforcement outlook through their choices of location. For the United States’ sharper rule-of-law environment, we argue that the choice of law should be articulate and clear.

Refining the Privacy Choice-of-Law Proposal

The precise contours of a federal statute protecting choice-of-law terms in contracts will determine whether it successfully promotes interfirm and interstate competition. Language will also determine its political salability.

Questions include: What kind of notice, if any, should be required to make consumers aware that they are dealing with a firm under a law regime not their own? Consumers are notoriously unwilling to investigate privacy terms—or any other contract terms—in advance, and when considering the choice of law, they would probably not articulate it to themselves. But the competitive dynamics described earlier would probably communicate relevant information to consumers even without any required notice. As always, competitors will have an incentive to ensure consumers are appropriately well-informed when they can diminish their rivals or elevate themselves in comparison by doing so.[37]

Would there be limits on which state’s laws a firm could choose? For example, could a company choose the law of a state where neither the company nor the consumer is domiciled? States would certainly argue that a company should not be able to opt out of the law of the state where it is domiciled. The federal legislation we propose would allow unlimited choice. Such a choice is important if the true benefits of jurisdictional competition are to be realized.

A federal statute requiring states to enforce choice-of-law terms should not override state law denying enforcement of choice-of-law terms that are oppressive, unfair, or improperly bargained for. In cases such as Carnival Cruise Lines v. Shute[38] and The Bremen v. Zapata Off-Shore Co.,[39] the Supreme Court has considered whether forum-selection clauses in contracts might be invalid. The Court has generally upheld such clauses, but they can be oppressive if they require plaintiffs in Maine to litigate in Hawaii, for example, without a substantial reason why Hawaii courts are the appropriate forum. Choice-of-law terms do not impose the cost of travel to remote locations, but they could be used not to establish the law governing the parties but rather to create a strategic advantage unrelated to the law in litigation. Deception built into a contract’s choice-of-law terms should remain grounds for invalidating the contract under state law, even if the state is precluded from barring choice-of-law terms by statute.

The race-to-the-bottom argument raises the question of whether impeding states from overriding contractual choice-of-law provisions would be harmful to state interests, especially since privacy law concerns consumer rights. However, there are reasons to believe race-to-the-bottom incentives would be tempered by greater legal specialization and certainty and by state courts’ ability to refuse to enforce choice-of-law clauses in certain limited circumstances. As Erin O’Hara and Ribstein put it:

Choice-of-law clauses reduce uncertainty about the parties’ legal rights and obligations and enable firms to operate in many places without being subject to multiple states’ laws. These reduced costs may increase the number of profitable transactions and thereby increase social wealth. Also, the clauses may not change the results of many cases because courts in states that prohibit a contract term might apply the more lenient law of a state that has close connections with the parties even without a choice-of-law clause.[40]

Determining when, exactly, a state court can refuse to enforce a firm’s choice of privacy law because of excessive leniency is tricky, but the federal statute could set out a framework for when a court could apply its own state’s law. Much like the independent federal alternative discussed above, specific minimum requirements in the federal law could ensure that any race to the bottom that does occur can go only so far. Of course, it would be essential that any such substantive federal requirements be strictly limited, or else the benefits of jurisdictional competition would be lost.

The converse to the problem of a race to the bottom resulting from state competition is the “California effect”—the prospect of states adopting onerous laws from which no company (or consumer) can opt out. States can regulate nationally through one small tendril of authority: the power to prevent businesses and consumers from agreeing on the law that governs their relationships. If a state regulates in a way that it thinks will be disfavored, it will bar choice-of-law provisions in contracts so consumers and businesses cannot exercise their preference.

Utah’s Social Media Regulation Act, for example, includes mandatory age verification for all social media users,[41] because companies must collect proof that consumers are either of age or not in Utah. To prevent consumers and businesses from avoiding this onerous requirement, Utah bars waivers of the law’s requirements “notwithstanding any contract or choice-of-law provision in a contract.”[42] If parties could choose their law, that would render Utah’s law irrelevant, so Utah cuts off that avenue. This demonstrates the value of a proposal like the one contemplated here.

Proposed Legislation

Creating a federal policy to stop national regulation coming from state capitols, while still preserving competition among states and firms, is unique. Congress usually creates its own policy and preempts states in that area to varying degrees. There is a well-developed law around this type of preemption, which is sometimes implied and sometimes expressed in statute.[43] Our proposal does not operate that way. It merely withdraws state authority to prevent parties from freely contracting about the law that applies to them.

A second minor challenge exists regarding the subject matter about which states may not regulate choice of law. Barring states from regulating choice of law entirely is an option, but if the focus is on privacy only, the preemption must be couched to allow regulation of choice of law in other areas. Thus, the scope of “privacy” must be in the language.

Finally, the withdrawal of state authority should probably be limited to positive enactments, such as statutes and regulations, leaving intact common-law practice related to choice-of-law provisions.[44] “Statute,” “enactment,” and “provision” are preferable in preemptive language to “law,” which is ambiguous.

These challenges, and possibly more, are tentatively addressed in the following first crack at statutory language, inspired by several preemptive federal statutes, including the Employee Retirement Income Security Act of 1974,[45] the Airline Deregulation Act,[46] the Federal Aviation Administration Authorization Act of 1994,[47] and the Federal Railroad Safety Act.[48]

A state, political subdivision of a state, or political authority of at least two states may not enact or enforce any statute, regulation, or other provision barring the adoption or application of any contractual choice-of-law provision to the extent it affects contract terms governing commercial collection, processing, security, or use of personal information.

Conclusion

This report introduces a statutory privacy framework centered on individual states and consistent with the United States’ constitutional design. But it safeguards companies from the challenge created by the intersection of that design and the development of modern commerce and communication, which may require them to navigate the complexities and inefficiencies of serving multiple regulators. It fosters an environment conducive to jurisdictional competition and experimentation.

We believe giving states the chance to compete under this approach should be explored in lieu of consolidating privacy law in the hands of one central federal regulator. Competition among states to provide optimal legislation and among businesses to provide optimal privacy policies will help discover and deliver on consumers’ interests, including privacy, of course, but also interactivity, convenience, low costs, and more.

Consumers’ diverse interests are not known now, and they cannot be predicted reliably for the undoubtedly interesting technological future. Thus, it is important to have a system for discovering consumers’ interests in privacy and the regulatory environments that best help businesses serve consumers. It is unlikely that a federal regulatory regime can do these things. The federal government could offer a 51st option in such a system, of course, so advocates for federal involvement could see their approach tested alongside the states’ approaches.

[1] See Uniform Law Commission, “What Is a Model Act?,” https://www.uniformlaws.org/acts/overview/modelacts.

[2] 740 Ill. Comp. Stat. 14/15 (2008).

[3] See Jim Harper, Privacy and the Four Categories of Information Technology, American Enterprise Institute, May 26, 2020, https://www.aei.org/research-products/report/privacy-and-the-four-categories-of-information-technology.

[4] See Jim Harper, “What Do People Mean by ‘Privacy,’ and How Do They Prioritize Among Privacy Values? Preliminary Results,” American Enterprise Institute, March 18, 2022, https://www.aei.org/research-products/report/what-do-people-mean-by-privacy-and-how-do-they-prioritize-among-privacy-values-preliminary-results.

[5] Gramm-Leach-Bliley Act, 15 U.S.C. 6801, § 501 et seq.

[6] Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, § 264.

[7] Estelle Masse, quoted in Ashleigh Hollowell, “Is Privacy Only for the Elite? Why Apple’s Approach Is a Marketing Advantage,” VentureBeat, October 18, 2022, https://venturebeat.com/security/is-privacy-only-for-the-elite-why-apples-approach-is-a-marketing-advantage.

[8] Competition among firms regarding privacy is common, particularly in digital markets. Notably, Apple has implemented stronger privacy protections than most of its competitors have, particularly with its App Tracking Transparency framework in 2021. See, for example, Brian X. Chen, “To Be Tracked or Not? Apple Is Now Giving Us the Choice,” New York Times, April 26, 2021, https://www.nytimes.com/2021/04/26/technology/personaltech/apple-app-tracking-transparency.html. For Apple, this approach is built into the design of its products and offers what it considers a competitive advantage: “Because Apple designs both the iPhone and processors that offer heavy-duty processing power at low energy usage, it’s best poised to offer an alternative vision to Android developer Google which has essentially built its business around internet services.” Kif Leswing, “Apple Is Turning Privacy into a Business Advantage, Not Just a Marketing Slogan,” CNBC, June 8, 2021, https://www.cnbc.com/2021/06/07/apple-is-turning-privacy-into-a-business-advantage.html. Apple has built a substantial marketing campaign around these privacy differentiators, including its ubiquitous “Privacy. That’s Apple.” slogan. See Apple, “Privacy,” https://www.apple.com/privacy. Similarly, “Some of the world’s biggest brands (including Unilever, AB InBev, Diageo, Ferrero, Ikea, L’Oréal, Mars, Mastercard, P&G, Shell, Unilever and Visa) are focusing on taking an ethical and privacy-centered approach to data, particularly in the digital marketing and advertising context.” Rachel Dulberg, “Why the World’s Biggest Brands Care About Privacy,” Medium, September 14, 2021, https://uxdesign.cc/who-cares-about-privacy-ed6d832156dd.

[9] New State Ice Co. v. Liebmann, 285 US 262, 311 (1932) (Brandeis, J., dissenting) (“To stay experimentation in things social and economic is a grave responsibility. Denial of the right to experiment may be fraught with serious consequences to the Nation. It is one of the happy incidents of the federal system that a single courageous State may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country.”).

[10] See Charles M. Tiebout, “A Pure Theory of Local Expenditures,” Journal of Political Economy 64, no. 5 (1956): 416–24, https://www.jstor.org/stable/1826343.

[11] See, for example, Barry R. Weingast, “The Economic Role of Political Institutions: Market-Preserving Federalism and Economic Development,” Journal of Law, Economics, & Organization 11, no. 1 (April 1995): 1–31, https://www.jstor.org/stable/765068; Yingyi Qian and Barry R. Weingast, “Federalism as a Commitment to Preserving Market Incentives,” Journal of Economic Perspectives 11, no. 4 (Fall 1997): 83–92, https://www.jstor.org/stable/2138464; and Rui J. P. de Figueiredo Jr. and Barry R. Weingast, “Self-Enforcing Federalism,” Journal of Law, Economics, & Organization 21, no. 1 (April 2005): 103–35, https://www.jstor.org/stable/3554986.

[12] See US Const. art. I, § 8 (enumerating the powers of the federal Congress).

[13] See generally Randy E. Barnett, Restoring the Lost Constitution: The Presumption of Liberty (Princeton, NJ: Princeton University Press, 2014), 274–318.

[14] Protection for Private Blocking and Screening of Offensive Material, 47 U.S.C. 230.

[15] See Geoffrey A. Manne, Ben Sperry, and Kristian Stout, “Who Moderates the Moderators? A Law & Economics Approach to Holding Online Platforms Accountable Without Destroying the Internet,” Rutgers Computer & Technology Law Journal 49, no. 1 (2022): 39–53, https://laweconcenter.org/wp-content/uploads/2021/11/Stout-Article-Final.pdf (detailing some of the history of how Section 230 immunity expanded and differs from First Amendment protections); Meghan Anand et al., “All the Ways Congress Wants to Change Section 230,” Slate, August 30, 2023, https://slate.com/technology/2021/03/section-230-reform-legislative-tracker.html (tracking every proposal to amend or repeal Section 230); and Technology & Marketing Law Blog, website, https://blog.ericgoldman.org (tracking all Section 230 cases with commentary).

[16] Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.

[17] See US Federal Trade Commission, Fair Credit Reporting Act: 15 U.S.C. § 1681, May 2023, https://www.ftc.gov/system/files/ftc_gov/pdf/fcra-may2023-508.pdf (detailing changes to the Fair Credit Reporting Act and its regulations over time).

[18] US Federal Reserve System, Consumer Financial Protection Bureau, “CFPB Launches Inquiry into the Business Practices of Data Brokers,” press release, May 15, 2023, https://www.consumerfinance.gov/about-us/newsroom/cfpb-launches-inquiry-into-the-business-practices-of-data-brokers.

[19] US Federal Reserve System, Consumer Financial Protection Bureau, List of Consumer Reporting Companies, 2021, 8, https://files.consumerfinance.gov/f/documents/cfpb_consumer-reporting-companies-list_03-2021.pdf (noting there are “three big nationwide providers of consumer reports”).

[20] See, for example, Erin A. O’Hara and Larry E. Ribstein, The Law Market (Oxford, UK: Oxford University Press, 2009); Erin A. O’Hara O’Connor and Larry E. Ribstein, “Conflict of Laws and Choice of Law,” in Procedural Law and Economics, ed. Chris William Sanchirico (Northampton, MA: Edward Elgar Publishing, 2012), in Encyclopedia of Law and Economics, 2nd ed., ed. Gerrit De Geest (Northampton, MA: Edward Elgar Publishing, 2009); and Bruce H. Kobayashi and Larry E. Ribstein, eds., Economics of Federalism (Northampton, MA: Edward Elgar Publishing, 2007).

[21] See F. A. Hayek, “The Use of Knowledge in Society,” American Economic Review 35, no. 4 (September 1945): 519–30, https://www.jstor.org/stable/1809376?seq=12.

[22] Henry N. Butler and Larry E. Ribstein, “Legal Process for Fostering Innovation” (working paper, George Mason University, Antonin Scalia Law School, Fairfax, VA), 2, https://masonlec.org/site/rte_uploads/files/Butler-Ribstein-Entrepreneurship-LER.pdf.

[23] See Henry N. Butler and Larry E. Ribstein, “The Single-License Solution,” Regulation 31, no. 4 (Winter 2008–09): 36–42, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1345900.

[24] See Uniform Law Commission, “Acts Overview,” https://www.uniformlaws.org/acts/overview.

[25] Utah Code Ann. § 13-63-101 et seq. (2023).

[26] O’Hara and Ribstein, The Law Market, 5.

[27] O’Hara and Ribstein, The Law Market, 5.

[28] O’Hara and Ribstein, The Law Market, 5.

[29] See Christiano Lima-Strong, “The U.S.’s Sixth State Privacy Law Is Too ‘Weak,’ Advocates Say,” Washington Post, March 30, 2023, https://www.washingtonpost.com/politics/2023/03/30/uss-sixth-state-privacy-law-is-too-weak-advocates-say.

[30] See, for example, William L. Cary, “Federalism and Corporate Law: Reflections upon Delaware,” Yale Law Journal 83, no. 4 (March 1974): 663–705, https://openyls.law.yale.edu/bitstream/handle/20.500.13051/15589/33_83YaleLJ663_1973_1974_.pdf (arguing Delaware could export the costs of inefficiently lax regulation through the dominance of its incorporation statute).

[31] Jonathan R. Macey and Geoffrey P. Miller, “Toward an Interest-Group Theory of Delaware Corporate Law,” Texas Law Review 65, no. 3 (February 1987): 470, https://openyls.law.yale.edu/bitstream/handle/20.500.13051/1029/Toward_An_Interest_Group_Theory_of_Delaware_Corporate_Law.pdf. See also Daniel R. Fischel, “The ‘Race to the Bottom’ Revisited: Reflections on Recent Developments in Delaware’s Corporation Law,” Northwestern University Law Review 76, no. 6 (1982): 913–45, https://chicagounbound.uchicago.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=2409&context=journal_articles.

[32] Macey and Miller, “Toward an Interest-Group Theory of Delaware Corporate Law.”

[33] Macey and Miller, “Toward an Interest-Group Theory of Delaware Corporate Law.”

[34] Commission Regulation 2016/679, General Data Protection Regulation art. 23.

[35] Commission Regulation 2016/679, General Data Protection Regulation art. 85–91.

[36] Commission Regulation 2016/679, General Data Protection Regulation art. 56.

[37] See the discussion in endnote 8.

[38] Carnival Cruise Lines v. Shute, 499 US 585 (1991).

[39] The Bremen v. Zapata, 407 US 1 (1972).

[40] O’Hara and Ribstein, The Law Market, 8.

[41] See Jim Harper, “Perspective: Utah’s Social Media Legislation May Fail, but It’s Still Good for America,” Deseret News, April 6, 2023, https://www.aei.org/op-eds/utahs-social-media-legislation-may-fail-but-its-still-good-for-america.

[42] Utah Code Ann. § 13-63-401 (2023).

[43] See Bryan L. Adkins, Alexander H. Pepper, and Jay B. Sykes, Federal Preemption: A Legal Primer, Congressional Research Service, May 18, 2023, https://sgp.fas.org/crs/misc/R45825.pdf.

[44] Congress should not interfere with interpretation of choice-of-law provisions. These issues are discussed in Tanya J. Monestier, “The Scope of Generic Choice of Law Clauses,” UC Davis Law Review 56, no. 3 (February 2023): 959–1018, https://digitalcommons.law.buffalo.edu/cgi/viewcontent.cgi?article=2148&context=journal_articles.

[45] Employee Retirement Income Security Act of 1974, 29 U.S.C. § 1144(a).

[46] Airline Deregulation Act, 49 U.S.C. § 41713(b).

[47] Federal Aviation Administration Authorization Act of 1994, 49 U.S.C. § 14501.

[48] Federal Railroad Safety Act, 49 U.S.C. § 20106.


ICLE Comments to FTC on Children’s Online Privacy Protection Rule NPRM

Regulatory Comments

Introduction

We thank the Federal Trade Commission (FTC) for this opportunity to comment on the notice of proposed rulemaking (NPRM) to update the Children’s Online Privacy Protection Rule (“COPPA Rule”).

The International Center for Law and Economics (ICLE) is a nonprofit, nonpartisan research center whose work promotes the use of law & economics methodologies to inform public-policy debates. We believe that intellectually rigorous, data-driven analysis will lead to efficient policy solutions that promote consumer welfare and global economic growth.[1]

ICLE’s scholars have written extensively on privacy and data-security issues, including those related to children’s online safety and privacy. We also previously filed comments as part of the COPPA Rule Review and will make some of the same points below.[2]

The Children’s Online Privacy Protection Act (COPPA) sought to strike a balance in protecting children without harming the utility of the internet for children. As Sen. Richard Bryan (D-Nev.) put it when he laid out the purpose of COPPA:

The goals of this legislation are: (1) to enhance parental involvement in a child’s online activities in order to protect the privacy of children in the online environment; (2) to enhance parental involvement to help protect the safety of children in online fora such as chatrooms, home pages, and pen-pal services in which children may make public postings of identifying information; (3) to maintain the security of personally identifiable information of children collected online; and (4) to protect children’s privacy by limiting the collection of personal information from children without parental consent. The legislation accomplishes these goals in a manner that preserves the interactivity of children’s experience on the Internet and preserves children’s access to information in this rich and valuable medium.[3]

In other words, COPPA was designed to protect children from online threats by promoting parental involvement in a way that also preserves a rich and vibrant marketplace for children’s content online. Consequently, the pre-2013 COPPA Rule did not define personal information to include persistent identifiers standing alone. It is these persistent identifiers that are critical for the targeted advertising that funds the interactive online platforms and the creation of children’s content the legislation was designed to preserve.

COPPA applies to the “operator of any website or online service” that is either “directed to children that collects personal information from children” or that has “actual knowledge that it is collecting personal information from a child.”[4] These operators must “obtain verifiable parental consent for the collection, use, or disclosure of personal information.” The NPRM, following the mistaken 2013 amendments to the COPPA Rule, continues to define “personal information” to include persistent identifiers that are necessary for the targeted advertising undergirding the internet ecosystem.

Below, we argue that, before the FTC moves further toward restricting platform operators and content creators’ ability to monetize their work through targeted advertising, it must consider the economics of multisided platforms. The current path will lead to less available free content for children and more restrictions on their access to online platforms that depend on targeted advertising. Moreover, the proposed rules are inconsistent with the statutory text of COPPA, as persistent identifiers do not by themselves enable contacting specific individuals. Including them in the definition of “personal information” is also contrary to the statute’s purpose, as it will lead to a less vibrant internet ecosystem for children.

Finally, there are better ways to protect children online, including by promoting the use of available technological and practical solutions to avoid privacy harms. To comply with existing First Amendment jurisprudence regarding online speech, it is necessary to rely on these less-restrictive means to serve the goal of protecting children without unduly impinging their speech interests online.

I. The Economics of Online Multisided Platforms

Most of the “operators of websites and online services” subject to the COPPA Rule are what economists call multisided markets, or platforms.[5] Such platforms derive their name from the fact that they serve at least two different types of customers and facilitate their interaction. Multisided platforms generate “indirect network effects,” described by one economist as a situation where “participants on one side value being able to interact with participants on the other side… lead[ing] to interdependent demand.”[6]

Online platforms provide content to one side and access to potential consumers on the other side. In order to keep demand high, online platforms often offer free access to users, whose participation is subsidized by those participants on the other side of the platform (such as advertisers) that wish to reach them.[7] This creates a positive feedback loop in which more participants on one side of the platform leads to more participants on the other.

This dynamic is also true of platforms with content “directed to children.” Revenue is collected not from those users, but primarily from the other side of the platform—i.e., advertisers who pay for access to the platform’s users. To be successful, online platforms must keep enough—and the right type of—users engaged to maintain demand for advertising.

Moreover, many “operators” under COPPA are platforms that rely on user-generated content. Thus, they must also consider how to attract and maintain high-demand content creators, often accomplished by sharing advertising revenue. If platforms fail to serve the interests of high-demand content creators, those creators may leave the platform, thus reducing its value.

Online platforms acting within the market process are usually going to be the parties best-positioned to make decisions on behalf of platform users. Operators with content directed to children may even compete on privacy policies and protections for children by providing tools to help users avoid what they (or, in this context, their parents and guardians) perceive to be harms, while keeping users on the platform and maintaining value for advertisers.[8]

There may, however, be examples where negative externalities[9] stemming from internet use are harmful to society more broadly. A market failure could result, for instance, if platforms’ incentives lead them to collect too much (or the wrong types of) information for targeted advertising, or to offer up content that is harmful for children or keeps them hooked to using the platform.

In situations where there are negative externalities from internet use, there may be a case to regulate online platforms in various ways. Any case for regulation must, however, acknowledge potential transaction costs, as well as how platforms and users may respond to changes in those costs. To get regulation right, the burden of avoiding a negative externality should fall on the least-cost avoider.

The Coase Theorem, derived from the work of Nobel-winning economist Ronald Coase[10] and elaborated on in the subsequent literature,[11] helps to explain the issue at hand:

  1. The problem of externalities is bilateral;
  2. In the absence of transaction costs, resources will be allocated efficiently, as the parties bargain to solve the externality problem;
  3. In the presence of transaction costs, the initial allocation of rights does matter; and
  4. In such cases, the burden of avoiding the externality’s harm should be placed on the least-cost avoider, while taking into consideration the total social costs of the institutional framework.

In one of Coase’s examples, the noise from a confectioner using his candy-making machine is a potential cost to the doctor next door, who consequently cannot use his office to conduct certain testing. Simultaneously, the doctor moving his office next door to the confectioner is a potential cost to the confectioner’s ability to use his equipment.

In a world of well-defined property rights and low transaction costs, the initial allocation of rights would not matter, because the parties could bargain to overcome the harm in a mutually beneficial manner—i.e., the confectioner could pay the doctor for lost income or to set up sound-proof walls, or conversely, the doctor could pay the confectioner to reduce the sound of his machines.[12] But since there are transaction costs that prevent this sort of bargain, it is important whether the initial right is allocated to the doctor or the confectioner. To maximize societal welfare, the cost should be placed on the entity that can avoid the harm at the lowest cost.[13]

In the context of the COPPA Rule, website operators and online services create incredible value for their users, but they also can, at times, impose negative externalities relevant to children who use their services. In the absence of transaction costs, it would not matter whether operators must obtain verifiable parental consent before collecting, using, or disclosing personal information, or whether the initial burden is placed on parents and children to avoid the harms associated with such collection, use, or disclosure.

But given that there are transaction costs involved in obtaining (and giving) verifiable parental consent,[14] it matters how the law defines personal information (which serves as a proxy for a property right, in Coase’s framing). If personal information is defined too broadly and the transaction costs for providers to gain verifiable parental consent are too high, the result may be that the societal benefits of children’s internet use will be lost, as platform operators restrict access beyond the optimum level.

The threat of liability for platform operators under COPPA also risks excessive collateral censorship.[15] This arguably has already occurred, as operators like YouTube have restricted content creators’ ability to monetize their work through targeted advertising, leading on balance to less children’s content. By wrongly placing the burden on operators to avoid harms associated with targeted advertising, societal welfare is reduced, including the welfare of children who no longer get the benefits of that content.

On the other hand, there are situations where website operators and online services are the least-cost avoiders. For example, they may be the parties best-placed to monitor and control harms associated with internet use in cases where it is difficult or impossible to hold those using their platforms accountable for the harms they cause.[16] In other words, operators should still be held liable under COPPA when they facilitate adults’ ability to message children, or to identify a child’s location without parental consent, in ways that could endanger children.[17] Placing the burden on children or their parents to avoid such harms could allow operators to impose un- or undercompensated harms on society.

Thus, in order to get the COPPA Rule’s balance right, it is important to determine whether it is the operators or their users who are the least-cost avoiders. Placing the burden on the wrong parties would harm societal welfare, either by reducing the value that online platforms confer to their users, or by placing more uncompensated negative externalities on society.

II. Persistent Identifiers and ‘Personal Information’

As mentioned above, under COPPA, a website operator or online service that is either directed to children or that has actual knowledge that it collects personal information from a child must obtain “verifiable parental consent” for the “collection, use or disclosure” of that information.[18] But the NPRM continues to apply the 2013 amendments’ expanded definition of “personal information,” which includes persistent identifiers.

COPPA’s definition for personal information is “individually identifiable information” collected online.[19] The legislation included examples such as first and last name; home or other physical address; as well as email address, telephone number, or Social Security number.[20] These are all identifiers obviously connected to people’s real identities. COPPA does empower the FTC to determine whether other identifiers should be included, but the commission must permit “the physical or online contacting of a specific individual”[21] or “information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph.”[22]

In 2013, the FTC amended the definition of personal information to include:

A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier.[23]

The NPRM here continues this error.

Neither IP addresses nor device identifiers alone “permit the physical or online contacting of a specific individual,” as required by 15 U.S.C. § 6501(8)(F). A website or app could not identify personal identity or whether a person is an adult or child from these pieces of information alone. In order for persistent identifiers, like those relied upon for targeted advertising, to be counted as personal information under 15 U.S.C. § 6501(8)(G), they need to be combined with other identifiers listed in the definitions. In other words, it is only when a persistent identifier is combined with a first and last name, an address, an email, a phone number, or a Social Security number that it should be considered personal information protected by the statute.

While administrative agencies receive Chevron deference in court challenges when definitions are ambiguous, this text, when illuminated by canons of statutory construction,[24] is clear. The canon of ejusdem generis applies when general words follow an enumeration of two or more things.[25] The general words are taken to apply only to persons or things of the same general kind or class as those mentioned specifically. Persistent identifiers, such as cookies, bear little resemblance to the other examples of “personally identifiable information” listed in the statute, such as first and last name, address, phone, email, or Social Security number. Only when combined with such information could a persistent identifier become personal information.

The NPRM states that the Commission is “not persuaded” by this line of argumentation, pointing back to the same reasoning offered in the 2013 amendments. The NPRM states that it is “the reality that at any given moment a specific individual is using that device,” which “underlies the very premise behind behavioral advertising.”[26] Moreover, the NPRM reasons that “while multiple people in a single home often use the same phone number, home address, and email address, Congress nevertheless defined these identifiers as ‘individually identifiable information’ in the COPPA statute.”[27] But this reasoning is flawed.

While multiple people regularly share an address, and sometimes even a phone number or email, each of these identifiers allows for contacting an individual person in a way that a persistent identifier simply does not. In each of those cases, bad actors can use such information to send direct messages to people (phone numbers and emails); find their physical location (address); and potentially to cause them harm.

A persistent identifier, on its own, is not the same. Without the subpoena of an internet service provider (ISP) or virtual private network (VPN), a bad actor that intended harm could neither tell where the person to whom the persistent identifier is assigned is located, nor message them directly. Persistent identifiers are useful primarily to online platforms in supporting their internal operations (which the NPRM continues to allow) and serving users targeted advertising.

Moreover, the fact that bills seeking to update COPPA—proposed but never passed by Congress—have proposed expanding the definition of personal information to include persistent identifiers suggests that the FTC has asserted authority that it does not have under the current statute.[28] Under Supreme Court precedent,[29] when considering whether an agency has the authority that it claims to pass rules, courts must consider whether Congress has rejected proposals to expand the agency’s jurisdiction in similar ways.

The NPRM also ignores the practical realities of the relationship between parents and children when it comes to devices and internet use. Parental oversight is already built into any type of advertisement (including targeted ads) that children see. Few children can view those advertisements without their parents providing them a device and the internet access to do so. Even fewer children can realistically make their own purchases. Consequently, the NPRM misunderstands targeted advertising in the context of children’s content, which is not based on any knowledge about the users as individuals, but on the browsing and search history of the device they happen to be using.

Children under age 13, in particular, are extremely unlikely to have purchased the devices they use; to have paid for the internet access to use those devices; or to have any disposable income or means to pay for goods and services online. Thus, contrary to the NPRM’s assumptions, the actual “targets” of this advertising—even on websites or online services that host children’s content—are the children’s parents.

This NPRM continues the 2013 amendments’ mistake and will continue to greatly reduce the ability of children’s content to generate revenue through the use of relatively anonymous persistent identifiers. As we describe in the next section, the damage done by the 2013 amendments is readily apparent, and the Commission should take this opportunity to rectify the problem.

III. More Parental Consent, Less Children’s Content

As outlined above, in a world without transaction costs—or, at least, one in which such costs are sufficiently low—verifiable parental consent would not matter, because it would be extremely easy for a bargain to be struck between operators and parents. In the real world, however, transaction costs exist. In fact, despite the FTC’s best efforts under the COPPA Rule, the transaction costs associated with obtaining verifiable parental consent continue to be sufficiently high as to prevent most operators from seeking that consent for persistent identifiers. As we stated in our previous comments, the economics are simple: if content creators lose access to revenue from targeted advertising, there will be less content created from which children can benefit.

FIGURE 1: Supply Curve for Children’s Online Content

The supply curve for children’s online content shifts left as the marginal cost of monetizing it increases. The marginal cost of monetizing such content is driven upward by the higher compliance costs of obtaining verifiable parental consent before serving targeted advertising. This supply shift means that less online content will be created for children.

These results are not speculative at this point. Scholars who have studied the issue have found the YouTube settlement, made pursuant to the 2013 amendments, has resulted in less child-directed online content, due to creators’ inability to monetize that content through targeted advertising. In their working paper “COPPAcalypse? The YouTube Settlement’s Impact on Kids Content,”[30] Garrett Johnson, Tesary Lin, James C. Cooper, & Liang Zhong summarized the issue as follows:

The Children’s Online Privacy Protection Act (COPPA), and its implementing regulations, broadly prohibit operators of online services directed at children under 13 from collecting personal information without providing notice of its data collection and use practices and obtaining verifiable parental consent. Because obtaining verifiable parental consent for free online services is difficult and rarely cost justified, COPPA essentially acts as a de facto ban on the collection of personal information by providers of free child-directed content. In 2013, the FTC amended the COPPA rules to include in the definition of personal information “persistent identifier that can be used to recognize a user over time and across different Web sites or online services,” such as a “customer number held in a cookie . . . or unique device identifier.” This regulatory change meant that, as a practical matter, online operators who provide child-directed content could no longer engage in personalized advertising.

On September 4, 2019, the FTC entered into a consent agreement with YouTube to settle charges that it had violated COPPA. The FTC’s allegations focused on YouTube’s practice of serving personalized advertising on child-directed content at children without obtaining verifiable parental consent. Although YouTube maintains it is a general audience website and users must be at least 13 years old to obtain a Google ID (which makes personalized advertising possible), the FTC complaint alleges that YouTube knew that many of its channels were popular with children under 13, citing YouTube’s own claims to advertisers. The settlement required YouTube to identify child-directed channels and videos and to stop collecting personal information from visitors to these channels. In response, YouTube required channel owners producing [“made-for-kids”] MFK content to designate either their entire channels or specific videos as MFK, beginning on January 1, 2020. YouTube supplemented these self-designations with an automated classifier designed to identify content that was likely directed at children younger than 13. In so doing, YouTube effectively shifted liability under COPPA to the channel owners, who could face up to $42,530 in fines per video if they fail to self-designate and are not detected by YouTube’s classifier.[31]

By requiring verifiable parental consent, the rule change and settlement increased the transaction costs imposed on online platforms that host content created by others. YouTube’s economically rational response was to restrict content creators’ ability to benefit from (considerably more lucrative) personalized advertising. The result was less content created for children, including by driving out less-profitable content creators:

Consistent with a loss in personalized ad revenue, we find that child-directed content creators produce 13% less content and pivot towards producing non-child-directed content. On the demand side, views of child-directed channels fall by 22%. Consistent with the platform’s degraded capacity to match viewers to content, we find that content creation and content views become more concentrated among top child-directed YouTube channels.[32]

This is not the only finding regarding COPPA’s role in reducing the production of content for children. Morgan Reed—president of the App Association, a global trade association for small and medium-sized technology companies—presented extensively at the FTC’s 2019 COPPA Workshop.[33] Reed’s testimony detailed that the transaction costs associated with obtaining verifiable parental consent did little to enhance parental control, but much to reduce the quality and quantity of content directed to children.

It is worth highlighting, in particular, Reed’s repeated use of the words “friction,” “restriction,” and “cost” to describe how COPPA’s institutional features affect the behavior of social-media platforms, parents, and children. While noting that general audience content is “unfettered, meaning that you do not feel restricted by what you can get to, how you do it. It’s easy, it’s low friction. Widely available. I can get it on any platform, in any case, in any context and I can get to it rapidly,” Reed said that COPPA-regulated apps and content are, by contrast, all about:

Friction, restriction, and cost. Every layer of friction you add alters parent behavior significantly. We jokingly refer to it as the over the shoulder factor. If a parent wants access to something and they have to pass it from the back seat to the front seat of the car more than one time, the parent moves on to the next thing. So the more friction you add to an application directed at children the less likely it is that the parent is going to take the steps necessary to get through it because the competition, of course, is as I said, free, unfettered, widely available. Restriction. Kids balk against some of the restrictions. I can’t get to this, I can’t do that. And they say that to the parent. And from the parent’s perspective, fine, I’ll just put in a different age date. They’re participating, they’re parenting but they’re not using the regulatory construction that we all understand.

The COPPA side, expensive, onerous or friction full. We have to find some way around that. Restrictive, fewer features, fewer capabilities, less known or available, and it’s entertaining-ish. …

Is COPPA the barrier? I thought this quote really summed it up. “Seamlessness is expected. But with COPPA, seamlessness is impossible.” And that has been one of the single largest areas of concern. Our folks are looking to provide a COPPA compliant environment. And they’re finding doing VPC is really hard. We want to make it this way, we just walked away. And why do they want to do it? We wanted to create a hub for kids to promote creativity. So these are not folks who are looking to take data and provide interest based advertising. They’re trying to figure out how to do it so they can build an engaging product. Parental consent makes the whole process very complicated. And this is the depressing part. …

We say that VPC is intentional friction. It’s clear from everything we’ve heard in the last two panels that the authors of COPPA, we don’t really want information collected on kids. So friction is intentional. And this is leading to the destruction of general audience applications basically wiping out COPPA apps off the face of the map.[34]

Reed’s use of the word “friction” is particularly enlightening. The economist Mike Munger of Duke University has often described transaction costs as frictions—explaining that, to consumers, all costs are transaction costs.[35] When higher transaction costs are imposed on social-media platforms, end users feel the impact. In this case, the result is that children and parents receive less quality children’s apps and content.

Thus, when the NPRM states that “the Commission [doesn’t] find compelling the argument that the 2013 persistent identifier modification has caused harm by hindering the ability of operators to monetize online content through targeted advertising,”[36] in part because “the 2013 Amendments permit monetization… through providing notice and seeking parental consent for the use of personal information for targeted advertising,”[37] it misses how transaction costs prevent this outcome. The FTC should not ignore the data provided by scholars who have researched the question, nor the direct testimony of app developers.

IV. Lower-Cost Ways to Avoid Harms to Children

Widely available practical and technological means are a lower-cost way to avoid the negative externalities associated with internet use, relative to verifiable-parental-consent laws. As NetChoice put it in the complaint the group filed against Arkansas’ social-media age-verification law, “[p]arents have myriad ways to restrict their children’s access to online services and to keep their children safe on such services.”[38]

NetChoice’s complaint recognized the subjective nature of negative externalities, stating:

Just as people inevitably have different opinions about what books, television shows, and video games are appropriate for minors, people inevitably have different views about whether and to what degree online services are appropriate for minors. While many minors use online services in wholesome and productive ways, online services, like many other technologies, can be abused in ways that may harm minors.[39]

They proceeded to list all the ways that parents can take control and help their children avoid online harms, including with respect to the decisions to buy devices for their children and to set terms for how and when they are permitted to use them.[40] Parents can also choose to use tools offered by cell-phone carriers and broadband providers to block certain apps and sites from their children’s devices, or to control with whom their children can communicate and for how long they can use the devices.[41]

NetChoice also pointed to wireless routers that allow parents to filter and monitor online content;[42] parental controls at the device level;[43] third-party filtering applications;[44] and numerous tools offered by NetChoice members that offer relatively low-cost monitoring and control by parents, or even by teen users acting on their own behalf.[45] Finally, they noted that, in response to market demand,[46] NetChoice members expend significant resources curating content to ensure that it is appropriate.[47]

Similarly, parents can protect their children’s privacy simply by taking control of the devices they allow their children to use. Tech-savvy parents can, if they so choose, install software or use ad-blockers to prevent collection of persistent identifiers.[48] Even less tech-savvy parents can make sure that their children are not subject to ads and tracking simply by monitoring their device usage and ensuring they only use YouTube Kids or other platforms created explicitly for children. In fact, most devices and operating systems now have built-in, easy-to-use controls that enable both monitoring and blocking of children’s access to specific apps and websites.[49]

This litany of less-restrictive means to accomplish the goal of protecting children online bears repeating, because even children have some First Amendment interests in receiving online speech.[50] If a court were to examine the COPPA Rule as a speech regulation that forecloses children’s access to online content, it would be subject to strict scrutiny. This means the rules would need to be the least-restrictive possible in order to fulfill the statute’s purpose. Educating parents and children on the available practical and technological means to avoid harms associated with internet use, including the collection of data for targeted advertising, would clearly be a less-restrictive alternative to a de facto ban of targeted advertising.

A less-restrictive COPPA rule could still enhance parental involvement and protect children from predators without impairing the marketplace for children’s online content significantly. Parents already have the ability to review their children’s content-viewing habits on devices they buy for them. A COPPA rule that enhances parental control by requiring verifiable parental consent when children are subject to sharing personal information—like first and last name, address, phone number, email address, or Social Security number—obviously makes sense, along with additions like geolocation data. But it is equally obvious that it is possible to avoid, at lower cost, the relatively anonymized collection of persistent identifiers used to support targeted ads through practical and technological means, without requiring costly verifiable parental consent.

V. Perils of Bringing More Entities Under the COPPA Rule

The costs of the COPPA Rule would be further exacerbated by the NPRM’s proposal to modify the criteria for determining whether a site or service is directed toward children.[51] These proposed changes, particularly the reliance on third-party services and comparisons with “similar websites or online services,” raise significant concerns about both their practical implementation and potential unintended consequences. The latter could include further losses of online content for both children and adults, as content creators drawn into COPPA’s orbit lose access to revenue from targeted advertising.

The FTC’s current practice employs a multi-factor test to ascertain whether a site or service is directed at children under 13. This comprehensive approach considers various elements, including subject matter, visual and audio content, and empirical evidence regarding audience composition.[52] The proposed amendments aim to expand this test by introducing such factors as marketing materials, representations to third parties and, notably, reviews by users or third parties and comparisons with similar websites or services.[53]

The inclusion of third-party reviews and comparisons with similar services as factors in determining a site’s target audience introduces a level of ambiguity and unreliability that would be counterproductive to COPPA’s goals. Without clear standards to evaluate their competence or authority, relying on third-party reviews would leave operators without a solid foundation upon which to assess compliance. This ambiguity could lead to overcompliance. In particular, online platforms that carry third-party content may err on the side of caution in order to align with the spirit of the rule. This threatens to stifle innovation and free expression by restricting creators’ ability to monetize content that has any chance to be considered “directed to children.” Moreover, to avoid this loss of revenue, content creators could shift their focus exclusively to content clearly aimed only at adults, rather than that which could be interesting to adults and children alike.

Similarly, the proposal to compare operators with “similar websites or online services” is fraught with challenges. The lack of guidance on how to evaluate similarity or to determine which service sets the standard for compliance would increase burdens on operators, with little evidence of tangible realized benefits. It’s also unclear who would make these determinations and how disputes would be resolved, leading to further compliance costs and potential litigation. Moreover, operators may be left in a position where it is impractical to accurately assess the audience of similar services, thereby further complicating compliance efforts.

Given these considerations, the FTC should not include reliance on third-party services or comparisons with similar websites or online services in its criteria for determining whether content is directed at children under 13. These approaches introduce a level of uncertainty and unreliability that could lead to overcompliance, increased costs, and unintended negative impacts on online content and services, including further restrictions on content creators who create content interesting to both adults and children. Instead, the FTC should focus on providing clear, direct guidelines that allow operators to assess their compliance with COPPA confidently, without the need to rely on potentially biased or manipulative third-party assessments. This approach will better serve the FTC’s goal of protecting children’s online privacy, while ensuring a healthy, innovative online ecosystem.

Conclusion

The FTC should reconsider the inclusion of standalone persistent identifiers in the definition of “personal information.” The NPRM continues to enshrine the primary mistake of the 2013 amendments. This change was inconsistent with the purposes and text of the COPPA statute. It already has reduced, and will continue to reduce, the availability of children’s online content.

[1] ICLE has received financial support from numerous companies, organizations, and individuals, including firms with interests both supportive of and in opposition to the ideas expressed in this and other ICLE-supported works. Unless otherwise noted, all ICLE support is in the form of unrestricted, general support. The ideas expressed here are the authors’ own and do not necessarily reflect the views of ICLE’s advisors, affiliates, or supporters.

[2] Much of these comments are adapted from ICLE’s 2019 COPPA Rule Review Comments, available at https://laweconcenter.org/wp-content/uploads/2019/12/COPPA-Comments-2019.pdf; Ben Sperry, A Law & Economics Approach to Social-Media Regulation, CPI TechREG Chronicle (Feb. 29, 2022), https://laweconcenter.org/resources/a-law-economics-approach-to-social-media-regulation; Ben Sperry, A Coasean Analysis of Online Age-Verification and Parental-Consent Regimes (ICLE Issue Brief, Nov. 9, 2023), available at https://laweconcenter.org/wp-content/uploads/2023/11/Issue-Brief-Transaction-Costs-of-Protecting-Children-Under-the-First-Amendment-.pdf.

[3] 144 Cong. Rec. 11657 (1998) (Statement of Sen. Richard Bryan), available at https://www.congress.gov/crec/1998/10/07/CREC-1998-10-07.pdf#page=303.

[4] 15 U.S.C. § 6502(b)(1)(A).

[5] See, e.g., Jean-Charles Rochet & Jean Tirole, Platform Competition in Two-Sided Markets, 1 J. Euro. Econ. Ass’n 990 (2003).

[6] David S. Evans, Multisided Platforms in Antitrust Practice, at 3 (Oct. 17, 2023), forthcoming, Michael Noel, Ed., Elgar Encyclopedia on the Economics of Competition and Regulation, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4606511.

[7] For instance, many nightclubs hold “ladies’ night” events in which female patrons receive free admission or discounted drinks in order to attract more men, who pay full fare for both.

[8] See, e.g., Ben Sperry, Congress Should Focus on Protecting Teens from Real Harms, Not Targeted Ads, The Hill (Feb. 16, 2023), https://thehill.com/opinion/congress-blog/3862238-congress-should-focus-on-protecting-teens-from-real-harms-not-targeted-ads.

[9] An externality is a side effect of an activity that is not reflected in the cost of that activity—basically, what occurs when we do something whose consequences affect other people. A negative externality occurs when a third party does not like the effects of an action.

[10] See Ronald H. Coase, The Problem of Social Cost, 3 J. L. & Econ. 1 (1960).

[11] See Steven G. Medema, The Coase Theorem at Sixty, 58 J. Econ. Lit. 1045 (2020).

[12] See Coase, supra note 8, at 8-10.

[13] See id. at 34 (“When an economist is comparing alternative social arrangements, the proper procedure is to compare the total social product yielded by these different arrangements.”).

[14] See Part III below.

[15] See Felix T. Wu, Collateral Censorship and the Limits of Intermediary Liability, 87 Notre Dame L. Rev. 293, 295-96 (2011); Geoffrey A. Manne, Ben Sperry, & Kristian Stout, Who Moderates the Moderators: A Law & Economics Approach to Holding Online Platforms Accountable Without Destroying the Internet, 49 Rutgers Computer & Tech. L.J. 26, 39 (2022); Ben Sperry, The Law & Economics of Children’s Online Safety: The First Amendment and Online Intermediary Liability, Truth on the Market (May 12, 2023), https://truthonthemarket.com/2023/05/12/the-law-economics-of-childrens-online-safety-the-firstamendment-and-online-intermediary-liability.

[16] See Geoffrey A. Manne, Kristian Stout, & Ben Sperry, Twitter v. Taamneh and the Law & Economics of Intermediary Liability, Truth on the Market (Mar. 8, 2023), https://truthonthemarket.com/2023/03/08/twitter-v-taamneh-and-the-law-economics-of-intermediary-liability; Ben Sperry, Right to Anonymous Speech, Part 2: A Law & Economics Approach, Truth on the Market (Sep. 6, 2023), https://truthonthemarket.com/2023/09/06/right-to-anonymous-speech-part-2-a-law-economics-approach.

[17] See Statement of Commissioner Alvaro M. Bedoya On the Issuance of the Notice of Proposed Rulemaking to Update the Children’s Online Privacy Protection Rule (COPPA Rule), at 3-4 (Dec. 20, 2023), available at https://www.ftc.gov/system/files/ftc_gov/pdf/BedoyaStatementonCOPPARuleNPRMFINAL12.20.23.pdf (listing examples of these types of enforcement actions).

[18] 15 U.S.C. § 6502(b)(1)(A)(ii).

[19] 15 U.S.C. § 6501(8).

[20] 15 U.S.C. § 6501(8)(A)-(E).

[21] 15 U.S.C. § 6501(8)(F).

[22] 15 U.S.C. § 6501(8)(G).

[23] 16 CFR § 312.2 (Personal information)(7).

[24] See Chevron U.S.A. Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837, 843 n.9 (1984) (“If a court, employing traditional tools of statutory construction, ascertains that Congress had an intention on the precise question at issue, that intention is the law and must be given effect.”).

[25] What is EJUSDEM GENERIS?, The Law Dictionary: Featuring Black’s Law Dictionary Free Online Legal Dictionary 2nd Ed. (last accessed Dec. 9, 2019), https://thelawdictionary.org/ejusdem-generis.

[26] NPRM at 2043.

[27] Id.

[28] See, e.g., Children and Teens’ Online Privacy Protection Act, S. 1418, §2(a)(3) 118th Cong. (2024).

[29] See FDA v. Brown & Williamson, 529 U.S. 120, 148-50 (2000).

[30] Garrett A. Johnson, Tesary Lin, James C. Cooper, & Liang Zhong, COPPAcalypse? The YouTube Settlement’s Impact on Kids Content, SSRN (Apr. 26, 2023), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4430334.

[31] Id. at 6-7 (emphasis added).

[32] Id. at 1.

[33] The Future of the COPPA Rule: An FTC Workshop Part 2, Federal Trade Commission (Oct. 7, 2019), available at https://www.ftc.gov/system/files/documents/public_events/1535372/transcript_of_coppa_workshop_part_2_1.pdf.

[34] Id. at 6 (emphasis added).

[35] See Michael Munger, To Consumers, All Costs are Transaction Costs, Am. Inst. Econ. Rsch. (June 13, 2023), https://www.aier.org/article/to-consumers-all-costs-are-transaction-costs.

[36] NPRM at 2043.

[37] Id. at 2034, n. 121.

[38] See NetChoice Complaint, NetChoice LLC v. Griffin, NO. 5:23-CV-05105, 2023 U.S. Dist. LEXIS 154571 (W.D. Ark. 2023), available at https://netchoice.org/wp-content/uploads/2023/06/NetChoice-v-Griffin_-Complaint_2023-06-29.pdf.

[39] Id. at para. 13.

[40] See id. at para. 14.

[41] See id.

[42] See id. at para. 15.

[43] See id. at para. 16.

[44] See id.

[45] See id. at para. 17, 19-21.

[46] Sperry, supra note 8.

[47] See NetChoice Complaint, supra note 36, at para. 18.

[48] See, e.g., Mary James & Catherine McNally, The Best Ad Blockers 2024, all about cookies (last updated Feb. 29, 2024), https://allaboutcookies.org/best-ad-blockers.

[49] See, e.g., Parental Controls for Apple, Android, and Other Devices, internet matters (last accessed Mar. 7, 2024), https://www.internetmatters.org/parental-controls/smartphones-and-other-devices.

[50] See, e.g., Brown v. Ent. Merchants Ass’n, 564 U.S. 786, 794-95 (2011); NetChoice, LLC v. Griffin, 2023 WL 5660155, at *17 (W.D. Ark. Aug. 31, 2023) (finding Arkansas’s Act 689 “obviously burdens minors’ First Amendment rights” by “bar[ring] minors from opening accounts on a variety of social media platforms.”).

[51] See NPRM at 2047.

[52] See id. at 2046-47.

[53] Id. at 2047 (“Additionally, the Commission believes that other factors can help elucidate the intended or actual audience of a site or service, including user or third-party reviews and the age of users on similar websites or services.”).

Data Security & Privacy

Consent for Everything? EDPB Guidelines on URL, Pixel, IP Tracking

Popular Media

You may know that the culprit behind cookie consent banners is not the GDPR but the older ePrivacy Directive, specifically its Article 5(3). The EDPB, a representative body of EU national data protection authorities, has just issued new Guidelines on this law. Setting aside that they arguably didn’t have the authority to issue the Guidelines, this new interpretation is very expansive. They would expect consent for e-mail pixel tracking, URL tracking, and IP tracking. In general, in their view, consent would be required for all Internet communication unless very limited exceptions apply (even more restrictive than under the GDPR).

Read the full piece here.

Data Security & Privacy

EU’s Cybersecurity Draft Shifts Toward Hard Protectionism

TOTM

A year ago, we cautioned that the EU Cybersecurity Certification Scheme for Cloud Services (EUCS) threatened to embed ill-conceived economic protectionism into the EU’s cybersecurity rules. And, indeed, the European Commission, which has made clear its commitment to pursue “digital sovereignty” for the European Union, can claim some preliminary successes on that front.

A recent draft of EUCS shows that the European Union Agency for Cybersecurity (ENISA) heeded the Commission’s call, contrary to ENISA’s own prior recommendations. Most notably, the draft would preclude entities outside the EU and those under foreign ownership or control from receiving the highest level of cybersecurity certification.

Read the full piece here.

Data Security & Privacy

Net Neutrality II: Electric Boogaloo—Rate Regulation Hiding in Plain Sight

TOTM

Federal Communications Commission (FCC) Chair Jessica Rosenworcel on Tuesday announced the agency’s proposal to regulate internet services under Title II of the Communications Act. The chair plans to release the proposed rules, commonly referred to as “net neutrality,” today, with a vote scheduled for Oct. 19 to begin the rulemaking process.

Read the full piece here.

Telecommunications & Regulated Utilities

The Law and Economics of Privacy

Scholarship

Abstract

Consumer welfare has been a north star of the Federal Trade Commission (FTC), providing an organizing principle for diverse issues under the Commission’s dual competition and consumer protection missions and, specifically, a uniform ground on which to examine the law and economics of privacy matters and the tradeoffs that privacy policies entail. This paper provides the first contemporary literature synthesis by former FTC staff that brings together the legal and economics literatures on privacy. Our observations are the following: (a) privacy is a complex subject, not a simple attribute of goods and services or a simple state of affairs; (b) privacy policies entail complex tradeoffs for and across individuals; (c) the economic literature finds diverse effects, both intended and unintended, of privacy policies, including on competition and innovation; (d) while there is diverse and growing evidence of the costs of privacy policies, countervailing benefits have been understudied and, as of yet, empirical evidence of such benefits remains slight; and (e) observed costs associated with omnibus policies suggest caution regarding one-size-fits-all regulation.

Data Security & Privacy