Senate Confirms Meador to the FTC on 50-46 Vote
The Senate voted 50-46 Thursday to confirm Mark Meador as an FTC commissioner, as expected (see 2503030044).
Chairman Andrew Ferguson now has a 3-0 Republican majority with the addition of Meador. Recently fired Democrats Rebecca Kelly Slaughter and Alvaro Bedoya are suing the Trump administration to be reinstated on the commission (see 2503270056).
Ferguson in his congratulatory statement cited Meador's antitrust background, saying he will be a "great asset" to the Trump administration FTC.
DOJ Confirms April 8 as Effective Date for Data Transfer Rule
DOJ’s data transfer rule is scheduled to go into effect April 8, the department confirmed Wednesday.
A large group of global American companies requested an extension to the deadline, citing potential complications with compliance (see 2503180058).
“As indicated in the federal register, the rule is scheduled to go into effect on April 8, 2025,” the department said in a statement. “We’ll decline to comment further at this time.”
District Court Grants Preliminary Injunction Against Calif. Age-Appropriate Design Code
The U.S. District Court for Northern California on Thursday granted NetChoice’s request for a preliminary injunction against California’s Age-Appropriate Design Code Act (CAADCA) aimed at protecting the privacy and safety of children online. California Attorney General Rob Bonta (D) and his office are enjoined from enforcing the act.
“This Court finds that the CAADCA’s coverage definition is content-based,” said Judge Beth Labson Freeman in case 22-cv-08861. “Under well-established precedent, a plaintiff’s showing that a statute is content-based shifts the burden to the State to show that the statute is narrowly tailored to promote a compelling Government interest… The demonstration of a compelling interest is not sufficient to satisfy strict scrutiny, however. The State must show that ‘the recited harms are real, not merely conjectural, and that the regulation will in fact alleviate these harms in a direct and material way,’” which the state does not do.
“Today’s ruling reaffirms -- for the third time in California -- that the government cannot control what lawful speech Americans see, say, or share online,” said Chris Marchese, NetChoice’s director of litigation. “While protecting children online is a goal we all share, California’s Speech Code is a trojan horse for censoring constitutionally protected but politically disfavored speech. This decision puts other states on notice that censorship regimes masquerading as ‘privacy protections’ will not survive judicial review.”
California DOJ is "reviewing the order and will respond appropriately in court," a spokesperson said.
Honda Promises to Change Privacy Ways Amid CPPA Auto Sweep
Honda must pay $632,500 and change various privacy practices under an agreement with the California Privacy Protection Agency announced Wednesday. The CPPA board decided Friday to approve a settlement resolving the privacy agency's claims that the car manufacturer’s North American subsidiary violated the California Consumer Privacy Act (CCPA).
American Honda takes “our responsibility to protect consumer privacy seriously and are committed to continually striving to ensure that our practices meet the highest standards,” a spokesperson said in an emailed statement. “We have cooperated fully with the CPPA throughout their investigation and have already begun implementing the changes to our processes required by the order. These changes include modifications to our methods for submitting consumer privacy requests, enhancing our cookie management tools, and updating our contract management processes.”
The California agency’s Enforcement Bureau found that American Honda Motor Co. violated the CCPA by (1) requiring Californians to verify themselves and give "excessive personal information" to exercise their privacy rights to opt out and to limit use and disclosure of their sensitive personal information; (2) using an online cookie management tool that failed to offer consumers privacy choices in a symmetrical or equal way; (3) making it hard for consumers to select authorized agents to exercise privacy rights on their behalf; and (4) sharing consumers’ personal information with ad tech companies without producing contracts with necessary privacy terms. The CPPA action came as part of an ongoing sweep of connected car manufacturers' data privacy practices.
Honda also agreed to simplify the process for Californians to assert their privacy rights, the CPPA said. Additionally, Honda must certify its compliance, train its employees and consult a user-experience designer to evaluate its methods for submitting privacy requests; change its contracting process to ensure appropriate mechanisms are in place to protect personal information; and support the Global Privacy Control, a browser-based universal opt-out mechanism.
“We won’t hesitate to use our cease-and-desist authority to change business practices, and we’ll tally fines based on the number of violations,” said Michael Macko, head of the CPPA's Enforcement Division. “Today’s resolution reflects Honda’s early cooperation and commitment to make things right.”
CPPA Takes Action Against National Public Data for Registration Failure
National Public Data faces a $46,000 fine from the California Privacy Protection Agency for failing to register as a data broker and pay an annual fee, the CPPA said Thursday. It's the CPPA’s sixth action stemming from an investigative sweep of California Delete Act compliance that it announced Oct. 30.
Last October, the CPPA Enforcement Division filed a claim against the Florida-based data broker in the U.S. Bankruptcy Court for the Southern District of Florida, alleging that the company had to pay an administrative fine for failing to register with the CPPA, the agency said. The company had filed for bankruptcy after confirming that a data breach in April 2024 exposed 2.9 billion records, including names and social security numbers. Since the court dismissed the company’s bankruptcy petition, the Enforcement Division has filed an administrative action against National Public Data to recover the $46,000 fine, the CPPA said.
Under state law, data brokers must pay $200 every day they fail to register with the CPPA. Companies that operated as data brokers in 2023 were required to register on Jan. 31, 2024, but National Public Data registered 230 days late, on Sept. 18, the CPPA alleged.
“We will pursue data brokers who violate the law, plain and simple,” said Michael Macko, CPPA enforcement head. “The Enforcement Division will use all available tools, including litigation, to make sure that data brokers aren’t operating in the dark.”
National Public Data has closed, according to its website.
Unanimous Supreme Court Upholds TikTok Divestment Law
A unanimous U.S. Supreme Court on Friday upheld a law forcing ByteDance to divest TikTok, citing Congress’ “well-supported national security concerns.”
After oral argument Friday, the court in its “expedited” decision said TikTok’s “scale and susceptibility to foreign adversary control, together with the vast swaths of sensitive data the platform collects, justify differential treatment to address the government’s national security concerns.”
Free speech standards are satisfied because the regulation “promotes a substantial government interest that would be achieved less effectively absent the regulation” and it does not “burden substantially more speech than is necessary.”
The court said TikTok offers a “distinctive and expansive outlet for expression, means of engagement, and source of community” for 170 million users in America, but Congress “has determined that divestiture is necessary to address its well-supported national security concerns regarding TikTok’s data collection practices and relationship with a foreign adversary.”
TikTok didn’t immediately comment. ByteDance attorney Noel Francisco argued Friday that Congress could have passed a less restrictive law banning the company from sharing sensitive data with ByteDance or China. The law's divestment deadline goes into effect Sunday.
FTC Issues Long-Awaited COPPA Rule Update
The FTC is finalizing changes to its children’s online privacy regulations “to set new requirements around the collection, use and disclosure of children’s personal information and give parents new tools and protections to help them control what data is provided to third parties about their children,” it said in a Thursday news release.
Under the long-awaited final rule, websites and online service operators covered by the Children’s Online Privacy Protection Act (COPPA) will be required to get opt-in parental consent before disclosing children’s personal information to third-party companies for targeted advertising or other purposes. The rule also sets limits on data retention, and requires FTC-approved COPPA Safe Harbor programs to disclose membership lists and other information. The commission voted 5-0 to finalize the changes.
The FTC declined to adopt proposed requirements that would have limited the use of push notifications to children without parental consent, as well as changes involving requirements for educational technology companies operating in schools.
The changes to the FTC’s COPPA regulations take effect 60 days after publication in the Federal Register. Entities subject to the final rule then will have a year to come into full compliance with most provisions, though compliance is required earlier for provisions involving COPPA Safe Harbor programs. A Federal Register publication date has not yet been scheduled, the FTC said.
“The updated COPPA rule strengthens key protections for kids’ privacy online,” said FTC Chair Lina Khan in the news release. “By requiring parents to opt in to targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children’s data without active permission. The FTC is using all its tools to keep kids safe online.”