Holyoak Sees Potential Changes for FTC’s COPPA Rule

The commission is reviewing a COPPA rule update finalized in the final days of the Biden administration. The rule hasn’t been published in the Federal Register, so it’s subject to administrative review under President Donald Trump’s regulatory freeze (see 2501230053). Chairman Andrew Ferguson suggested some changes to the proposal in his concurring statement when he voted as a commissioner (see 2501160068).

Holyoak said during a George Mason University event she’s supportive of some of the COPPA changes related to privacy program updates, expanded definitions for personal information and new notice requirements allowing parents to opt out of data-sharing activity. Some of the language regarding indefinite data retention, however, raises concerns, she said.

The final rule proposes that companies must “establish and maintain a written children’s data retention policy specifying the purposes for which children’s personal information is collected, the business need for retaining the information, and the timeframe for deleting it, precluding indefinite retention.”

Holyoak said she’s not sure the change is “necessary” because COPPA already stated that companies can’t retain data beyond what’s necessary for delivering services. This change could add confusion in certain situations, like when a consumer buys a lifetime subscription, she said.

Holyoak questioned potential requirements for companies to get new consent from third parties when the data changes hands from one company to another due to new business agreements. She said obtaining new consent might be valid if the new company has ties to a foreign adversaries, for example. But it might not be necessary if the companies are basically identical in purpose and structure, she said.

Holyoak said there are “good” changes in terms of requiring companies to reassess their general privacy compliance programs. The final rule would require companies to “maintain a written children’s personal information security program that contains safeguards that are appropriate to the sensitivity of personal information collected from children and the operator’s size, complexity, and nature and scope of activities.”

Holyoak said she agrees with Ferguson that the U.S. Supreme Court’s unanimous decision in Humphrey’s Executor is “unconstitutional.” Trump’s DOJ said it will argue that the Supreme Court reverse the decision (see 2502200060). Holyoak said she “absolutely” agrees the 1935 decision and its for-cause firing protections violate the Constitution. A reversal would mean “I could get fired any minute,” she said: The commission’s bipartisan work will continue, regardless.

Holyoak said she hopes for swift confirmation of Mark Meador, Trump’s FTC nominee (see 2503030044). Meador cleared the Senate Commerce Committee on a 20-8 vote Wednesday. Ranking member Maria Cantwell, D-Wash., said she opposed the nomination in part because he “hedged” when asked if he would refuse to carry out “illegal orders” from the president. Meador isn’t currently the “right person for the FTC,” she said. “We need somebody who believes that they’re not just a rubber stamp for the president but have responsibilities and duties to carry out.”

Chairman Ted Cruz, R-Texas, said he expects Meador to help Ferguson return “integrity and effectiveness” at the FTC after years of “mismanagement” under the Biden administration.

Holyoak on Wednesday explained why she opposed the FTC’s January settlement with Mobilewalla, a data broker accused of violating consumer consent when selling location data (see 2501140072). She said she supported the FTC’s case against Kochava (see 2503100024) because there were very specific claims about geolocation data: The FTC went after Mobilewalla for several, separate claims on collection, retention and categorization of data. It’s akin to the FTC going after a phone-based scammer for buying the phone and using the device, instead of just pursuing claims against the fraud itself, she said.