Google reportedly wants the US Federal Trade Commission (FTC) to end Microsoft’s exclusive cloud deal with OpenAI that requires anyone wanting access to OpenAI’s models to go through Microsoft’s servers.
Someone “directly involved” in Google’s effort told The Information that Google’s request came after the FTC began broadly probing how Microsoft’s cloud computing business practices may be harming competition.
As part of the FTC’s investigation, the agency apparently asked Microsoft’s biggest rivals if the exclusive OpenAI deal was “preventing them from competing in the burgeoning artificial intelligence market,” multiple sources told The Information. Google reportedly was among those arguing that the deal harms competition by saddling rivals with extra costs and blocking them from hosting OpenAI’s latest models themselves.
In 2024 alone, Microsoft generated about $1 billion from reselling OpenAI’s large language models (LLMs), The Information reported, while rivals were stuck paying to train staff to move data to Microsoft servers if their customers wanted access to OpenAI technology. For one customer, Intuit, it cost millions monthly to access OpenAI models on Microsoft’s servers, The Information reported.
Microsoft benefits from the arrangement—which is not necessarily illegal—through increased revenue from reselling LLMs and renting out more cloud servers. It also takes a 20 percent cut of OpenAI’s revenue. Last year, OpenAI made approximately $3 billion selling its LLMs to customers like T-Mobile and Walmart, The Information reported.
Microsoft’s agreement with OpenAI could be viewed as anti-competitive if businesses convince the FTC that the costs of switching to Microsoft’s servers to access OpenAI technology are so burdensome that they unfairly disadvantage rivals. It could also be seen as harming the market and hampering innovation by seemingly disincentivizing Microsoft from competing with OpenAI in the market.
To avoid any disruption to the deal, however, Microsoft could simply point to AI models sold by Google and Amazon as proof of “robust competition,” The Information noted. The FTC may not buy that defense, though, since rivals’ AI models significantly fall behind OpenAI’s models in sales. Any perception that the AI market is being foreclosed by an entrenched major player could trigger intense scrutiny as the US seeks to become a world leader in AI technology development.
No more jumping through endless hoops to cancel subscriptions, FTC rule says.
It will soon be easy to “click to cancel” subscriptions after the US Federal Trade Commission (FTC) adopted a final rule on Wednesday that makes it challenging for businesses to opt out of easy cancellation methods.
“Too often, businesses make people jump through endless hoops just to cancel a subscription,” FTC chair Lina Khan said in a press release. “The FTC’s rule will end these tricks and traps, saving Americans time and money. Nobody should be stuck paying for a service they no longer want.”
The heart of the new rule requires businesses to provide simple ways to cancel subscriptions. Under the rule, any subscription that can be signed up for online must be able to be canceled online. And cancellation paths for in-person sign-ups must be just as easy, offered either by phone or online.
In guidance released Wednesday, the FTC recommended that businesses keep “three guardrails in mind” to ensure cancellation methods comply with the law. First, customers cannot be required to talk to a live agent or chatbot to cancel if that wasn’t required for sign-up. Next, any phone cancellation methods cannot include charges and must be offered during normal business hours. And finally, canceling services in person must always be optional.
To comply with the rule, businesses offering “negative option marketing” such as subscriptions, automatic renewals, and free trial offers—to both consumers and other businesses—are prohibited from misleading customers. They must clearly disclose all terms of the deal prior to accepting payment, including explaining how much and how often customers will be charged, when free trials or promotions end, any deadlines to avoid charges, and, importantly, how to cancel.
“All this information should be clear, conspicuous, and available to your customers before they enroll. And certain key information related to charges and cancellation must appear right when and where the customer agrees to the negative option, every time,” the FTC said.
Under the “click to cancel” rule, businesses must also get consumers’ informed consent before issuing charges and maintain records of consent for a minimum of three years. Those records could be in the form of a ticked checkbox or a signature, the FTC said, noting the agency offers “some flexibility on what that proof looks like.”
“Don’t try to distract people with other information,” the FTC said. “Get proof of consent and maintain it for at least three years.”
That provision is designed to end unfair and deceptive practices that the FTC found, such as inadequate disclosures about free trials or sneaky auto-enrollments. Those “practices have been a persistent source of consumer harm for decades,” the FTC’s notice on the final rule said, “saddling shoppers with recurring payments for products and services they never intended to purchase nor wanted to continue buying.”
The FTC confirmed that some provisions of the final rule will go into effect within 60 days, but most will take effect after 180 days. Violators risk civil penalties and other forms of consumer redress that weren’t previously available under the FTC act, the notice in the federal register said.
Some frustrated individual commenters asked for stiff penalties, the FTC’s notice said.
“There needs to be a substantial penalty when a service is requested to be cancelled, but the charges continue,” one commenter urged the FTC. “I dropped my TV service from Comcast three months ago and they continue to charge me. Every time I need to re-contact them, I waste an hour.”
FTC made few concessions to critics
More than 16,000 comments were submitted during proposed rulemaking, including concerns raised by cable firms who worried that the FTC’s rule might make it so easy to cancel a subscription that customers miss out on benefits, including deals often offered to retain their business.
At that time, Michael Powell, CEO of The Internet & Television Association (NCTA), defended using live agents to process cancellation requests. He warned that “a consumer may easily misunderstand the consequences of canceling,” incurring unexpected costs in situations like “canceling part of a discounted bundle” that “may increase the price for remaining services.”
Powell further argued that the rule could raise costs for customers, alleging that the FTC had significantly underestimated compliance costs that “could easily exceed $100 million for initial implementation by” the cable industry alone.
But the FTC strongly disagreed with some estimates of compliance costs. For example, in the notice in the federal register, the FTC noted that “because NCTA members who enroll consumers online already, clearly, have websites, the Commission rejects the notion that adding ‘click to cancel’ functionality to websites that already include an order path for enrolling, and likely also include functionality for registering a payment mechanism for automated billing, would cost $12–$25 million.”
Ultimately, the FTC disputed the NCTA’s data and rejected the notion that the rule would “require building online cancellation systems virtually from the ground up and expensive ongoing recordkeeping requirements across all services,” pointing any concerned commenters to “the detailed cost-benefit analysis” of the rule provided in the federal register notice.
There were only a few major changes to the final rule following the public commenting period. Notably, the FTC dropped a provision that would have required businesses to send annual reminders about recurring charges, as well as another prohibiting promotions or deals offered during the cancellation process in efforts to retain customers without customers opting in to seeing those offers.
The FTC said that it’s only dropped these provisions for now, noting that the Commission plans to keep the record “open on these issues” and may seek additional comments.
Exemptions available but seem unlikely
Perhaps of greatest interest to businesses, the FTC also added “a provision allowing requests for exemptions.” But those will likely be reserved for businesses already complying with the rule, the FTC said, while explaining that each request for exemptions will be weighed individually.
“Because such decisions are highly fact dependent, the Commission must consider exemptions, even of larger groups, on an individualized basis pursuant to the FTC’s Rules of Practice,” the FTC’s notice said.
Some businesses may qualify for recordkeeping exemptions, the FTC said, but only if “it is technologically feasible to make it impossible for customers to enroll without providing unambiguously affirmative consent.”
“Sellers must either maintain records of each consumer’s unambiguously affirmative consent or demonstrate they satisfy the technological exemption provision,” the FTC’s notice said.
The Commission specifically confirmed that it will not be granting “blanket exemptions to sellers who contract with third parties while offering subscription services.” While some businesses claimed this leaves them on the hook for cancellations they cannot process, the FTC found that “an exemption for all sellers who contract with third parties to manage aspects of their negative option programs would effectively nullify the Rule by incentivizing less than legitimate sellers to contract with actors engaged in deceptive practices to maximize negative option enrollments and frustrate cancellation with impunity.”
“A seller cannot evade its responsibility to deal honestly with consumers by contracting with a third party who does not,” the FTC’s notice said.
Official: FTC rule “may not survive legal challenge”
The final rule narrowly passed by a vote of 3–2, with commissioner Melissa Holyoak providing a dissenting statement accusing the agency of rushing the rule to score political points for the Biden administration ahead of the presidential election.
Vice President Kamala Harris will likely continue Biden’s war on “junk fees” if elected, Reuters reported, and Holyoak claimed that Khan pushed for the rule’s adoption to help follow “through on a campaign pledge made by the Chair’s favored presidential candidate.”
According to Holyoak, the final rule is deeply flawed, “improperly generalizing” unfair and deceptive practices “from narrow industry-specific complaints and evidence to the entire American economy.” She argued that the FTC only based the rule on 35 cases, which is allegedly not enough to establish that harmful practices are “prevalent.”
“Whatever the merits of the past cases, the Majority does not remotely come close to explaining how the evidence in those limited cases are similar to the myriad contexts an economy-wide rule would inevitably apply to,” Holyoak suggested.
She also claimed that “if similarity among complaints and cases only at the highest level of generality constitutes the ‘prevalence’ sufficient to ground an economy-wide rulemaking, then a ‘prevalence’ determination is in fact no meaningful guardrail on the Commission’s conduct at all.”
In the press release, the FTC discussed the wide reach of harms, noting that it “receives thousands of complaints about negative option and recurring subscription practices each year,” with the number “steadily increasing over the past five years.”
But Holyoak insisted that the final rule is such an overreach that it “may not survive legal challenge.”
“The Chair has put political expediency over getting things right,” Holyoak said, raising “the possibility that foreordained outcomes and political goals curtailed considering the rulemaking record with an open mind and without prejudgment, as law requires.”
A key legal flaw, Holyoak claimed, is that the rule prohibits any misrepresentations of a negative option, not just those relating to “deceptive terms.” That means businesses risk civil penalties for any material fact deemed misleading, which she alleged “fails to meet” the level of “specificity” required for FTC rulemaking. That seeming textual oversight “will no doubt invite serious legal challenge on this basis,” Holyoak predicted.
Should any portion of the rule be struck down through a legal challenge, the FTC included a provision on severability, allowing the remainder of the rule to remain in force.
Too soon to guess impact on subscription prices
According to Holyoak, the broad final rule “tilts the playing field in ways that are likely to pervert business incentives,” perhaps leading businesses to stop offering negative option billing models, “even when businesses and consumers could derive significant value from them.”
“Even honest businesses will have reason to reconsider the use of negative option billing now that it means subjecting themselves to potential civil penalties for misreading Commission tea leaves,” Holyoak said.
Further, she alleged that consumers could be harmed if the rule preempts state laws or potentially increases transaction costs for businesses that potentially stop offering cheaper negative option billing. Businesses could also pass on to customers the costs of legal fees incurred in efforts to obtain an exemption, Holyoak suggested.
“Raising the transaction costs will reduce a business’ sales and the utility consumers derive from these services. In other words, in our good intentions, we may harm the consumers and competition we are supposed to protect,” Holyoak warned.
But while Holyoak seems sure that consumers could be harmed by the rule potentially limiting negative option billing and spiking subscription costs, the FTC argued that “consumers cannot realize these benefits when sellers make material misrepresentations to induce consumers to enroll in such programs, fail to provide important information, bill consumers without their consent, or make cancellation difficult or impossible.”
At least one individual customer the FTC notice cited insisted that the rule was necessary to end a wide range of abusive charges draining the wallets of many Americans.
“Implementing this consumer-protection rule has the potential to save American consumers millions of dollars and prevent unscrupulous companies from using byzantine cancellation procedures to squeeze unwarranted funds out of their customers,” the commenter said.
Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.
Many devices have been made difficult or financially nonviable to repair, whether by design or because of a lack of parts, manuals, or specialty tools. Machines that make ice cream, however, seem to have a special place in the hearts of lawmakers. Those machines are often broken and locked down for only the most profitable repairs.
The Federal Trade Commission and the antitrust division of the Department of Justice have asked the US Copyright Office (PDF) to exempt “commercial soft serve machines” from the anti-circumvention rules of Section 1201 of the Digital Millennium Copyright Act (DMCA). The governing bodies also submitted proprietary diagnostic kits, programmable logic controllers, and enterprise IT devices for DMCA exemptions.
“In each case, an exemption would give users more choices for third-party and self-repair and would likely lead to cost savings and a better return on investment in commercial and industrial equipment,” the joint comment states. Those markets would also see greater competition in the repair market, and companies would be prevented from using DMCA laws to enforce monopolies on repair, according to the comment.
The joint comment builds upon a petition filed by repair vendor and advocate iFixit and interest group Public Knowledge, which advocated for broad reforms while keeping a relatable, ingestible example at its center. McDonald’s soft serve ice cream machines, which are famously frequently broken, are supplied by industrial vendor Taylor. Taylor’s C709 Soft Serve Freezer requires lengthy, finicky warm-up and cleaning cycles, produces obtuse error codes, and, perhaps not coincidentally, costs $350 per 15 minutes of service for a Taylor technician to fix. iFixit tore down such a machine, confirming the lengthy process between plugging in and soft serving.
After one company built a Raspberry Pi-powered device, the Kytch, that could provide better diagnostics and insights, Taylor moved to ban franchisees from installing the device, then offered up its own competing product. Kytch has sued Taylor for $900 million in a case that is still pending.
Beyond ice cream, the petitions to the Copyright Office would provide more broad exemptions for industrial and commercial repairs that require some kind of workaround, decryption, or other software tinkering. Going past technological protection measures (TPMs) was made illegal by the 1998 DMCA, which was put in place largely because of the concerns of media firms facing what they considered rampant piracy.
Every three years, the Copyright Office accepts petitions for new exemptions to the DMCA (and for renewing prior exemptions). Repair advocates have won exemptions for farm equipment repair, video game consoles, cars, and certain medical gear. The exemption is often granted for device fixing if a repair person can work past its locks, but not for the distribution of tools that would make such a repair far easier. The esoteric nature of such “release valve” offerings has led groups like the EFF to push for the DMCA’s abolishment.
DMCA exemptions occur on a parallel track to state right-to-repair bills and broader federal action. President Biden issued an executive order that included a push for repair reforms. The FTC has issued studies that call out unnecessary repair restrictions and has taken action against firms like Harley-Davidson, Westinghouse, and grill maker Weber for tying warranties to an authorized repair service.
Disclosure: Kevin Purdy previously worked for iFixit. He has no financial ties to the company.
Avast, a name known for its security research and antivirus apps, has long offered Chrome extensions, mobile apps, and other tools aimed at increasing privacy.
Avast’s apps would “block annoying tracking cookies that collect data on your browsing activities,” and prevent web services from “tracking your online activity.” Deep in its privacy policy, Avast said information that it collected would be “anonymous and aggregate.” In its fiercest rhetoric, Avast’s desktop software claimed it would stop “hackers making money off your searches.”
All of that language was offered up while Avast was collecting users’ browser information from 2014 to 2020, then selling it to more than 100 other companies through a since-shuttered entity known as Jumpshot, according to the Federal Trade Commission. Under a proposed recent FTC order (PDF), Avast must pay $16.5 million, which is “expected to be used to provide redress to consumers,” according to the FTC. Avast will also be prohibited from selling future browsing data, must obtain express consent on future data gathering, notify customers about prior data sales, and implement a “comprehensive privacy program” to address prior conduct.
Reached for comment, Avast provided a statement that noted the company’s closure of Jumpshot in early 2020. “We are committed to our mission of protecting and empowering people’s digital lives. While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world,” the statement reads.
Data was far from anonymous
The FTC’s complaint (PDF) notes that after Avast acquired then-antivirus competitor Jumpshot in early 2014, it rebranded the company as an analytics seller. Jumpshot advertised that it offered “unique insights” into the habits of “[m]ore than 100 million online consumers worldwide.” That included the ability to “[s]ee where your audience is going before and after they visit your site or your competitors’ sites, and even track those who visit a specific URL.”
While Avast and Jumpshot claimed that the data had identifying information removed, the FTC argues this was “not sufficient.” Jumpshot offerings included a unique device identifier for each browser, included in data like an “All Clicks Feed,” “Search Plus Click Feed,” “Transaction Feed,” and more. The FTC’s complaint detailed how various companies would purchase these feeds, often with the express purpose of pairing them with a company’s own data, down to an individual user basis. Some Jumpshot contracts attempted to prohibit re-identifying Avast users, but “those prohibitions were limited,” the complaint notes.
The connection between Avast and Jumpshot became broadly known in January 2020, after reporting by Vice and PC Magazine revealed that clients, including Home Depot, Google, Microsoft, Pepsi, and McKinsey, were buying data from Jumpshot, as seen in confidential contracts. Data obtained by the publications showed that buyers could purchase data including Google Maps look-ups, individual LinkedIn and YouTube pages, porn sites, and more. “It’s very granular, and it’s great data for these companies, because it’s down to the device level with a timestamp,” one source told Vice.
The FTC’s complaint provides more detail on how Avast, on its own web forums, sought to downplay its Jumpshot presence. Avast suggested both that only non-aggregated data was provided to Jumpshot and that users were informed during product installation about collecting data to “better understand new and interesting trends.” Neither of these claims proved true, the FTC suggests. And the data collected was far from harmless, given its re-identifiable nature:
For example, a sample of just 100 entries out of trillions retained by Respondents showed visits by consumers to the following pages: an academic paper on a study of symptoms of breast cancer; Sen. Elizabeth Warren’s presidential candidacy announcement; a CLE course on tax exemptions; government jobs in Fort Meade, Maryland with a salary greater than $100,000; a link (then broken) to the mid-point of a FAFSA (financial aid) application; directions on Google Maps from one location to another; a Spanish-language children’s YouTube video; a link to a French dating website, including a unique member ID; and cosplay erotica.
In a blog post accompanying its announcement, FTC Senior Attorney Lesley Fair writes that, in addition to the dual nature of Avast’s privacy products and Jumpshot’s extensive tracking, the FTC is increasingly viewing browsing data as “highly sensitive information that demands the utmost care.” “Data about the websites a person visits isn’t just another corporate asset open to unfettered commercial exploitation,” Fair writes.
FTC commissioners voted 3-0 to issue the complaint and accept the proposed consent agreement. Chair Lina Khan, along with commissioners Rebecca Slaughter and Alvaro Bedoya, issued a statement on their vote.
Since the time of the FTC’s complaint and its Jumpshot business, Avast has been acquired by Gen Digital, a firm that contains Norton, Avast, LifeLock, Avira, AVG, CCleaner, and ReputationDefender, among other security businesses.
Disclosure: Condé Nast, Ars Technica’s parent company, received data from Jumpshot before its closure.
On Saturday, US District Judge Lynn Winmill denied Kochava’s motion to dismiss an amended FTC complaint, which he said plausibly argued that “Kochava’s data sales invade consumers’ privacy and expose them to risks of secondary harms by third parties.”
Winmill’s ruling reversed a dismissal of the FTC’s initial complaint, which the court previously said failed to adequately allege that Kochava’s data sales cause or are likely to cause a “substantial” injury to consumers.
The FTC has accused Kochava of selling “a substantial amount of data obtained from millions of mobile devices across the world”—allegedly combining precise geolocation data with a “staggering amount of sensitive and identifying information” without users’ knowledge or informed consent. This data, the FTC alleged, “is not anonymized and is linked or easily linkable to individual consumers” without mining “other sources of data.”
Kochava’s data sales allegedly allow its customers—whom the FTC noted often pay tens of thousands of dollars monthly—to target specific individuals by combining Kochava data sets. Using just Kochava data, marketers can create “highly granular” portraits of ad targets such as “a woman who visits a particular building, the woman’s name, email address, and home address, and whether the woman is African-American, a parent (and if so, how many children), or has an app identifying symptoms of cancer on her phone.” Just one of Kochava’s databases “contains ‘comprehensive profiles of individual consumers,’ with up to ‘300 data points’ for ‘over 300 million unique individuals,’” the FTC reported.
This harms consumers, the FTC alleged, in “two distinct ways”—by invading their privacy and by causing “an increased risk of suffering secondary harms, such as stigma, discrimination, physical violence, and emotional distress.”
In its amended complaint, the FTC overcame deficiencies in its initial complaint by citing specific examples of consumers already known to have been harmed by brokers sharing sensitive data without their consent. That included a Catholic priest who resigned after he was outed by a group using precise mobile geolocation data to track his personal use of Grindr and his movements to “LGBTQ+-associated locations.” The FTC also pointed to invasive practices by journalists using precise mobile geolocation data to identify and track military and law enforcement officers over time, as well as data brokers tracking “abortion-minded women” who visited reproductive health clinics to target them with ads about abortion and alternatives to abortion.
“Kochava’s practices intrude into the most private areas of consumers’ lives and cause or are likely to cause substantial injury to consumers,” the FTC’s amended complaint said.
The FTC is seeking a permanent injunction to stop Kochava from allegedly selling sensitive data without user consent.
Kochava considers the examples of consumer harms in the FTC’s amended complaint as “anecdotes” disconnected from its own activities. The data broker was seemingly so confident that Winmill would agree to dismiss the FTC’s amended complaint that the company sought sanctions against the FTC for what it construed as a “baseless” filing. According to Kochava, many of the FTC’s allegations were “knowingly false.”
Ultimately, the court found no evidence that the FTC’s complaints were baseless. Instead of dismissing the case and ordering the FTC to pay sanctions, Winmill wrote in his order that Kochava’s motion to dismiss “misses the point” of the FTC’s filing, which was to allege that Kochava’s data sales are “likely” to cause alleged harms. Because the FTC had “significantly” expanded factual allegations, the agency “easily” satisfied the plausibility standard to allege substantial harms were likely, Winmill said.
Kochava CEO and founder Charles Manning said in a statement provided to Ars that Kochava “expected” Winmill’s ruling and is “confident” that Kochava “will prevail on the merits.”
“This case is really about the FTC attempting to make an end-run around Congress to create data privacy law,” Manning said. “The FTC’s salacious hypotheticals in its amended complaint are mere scare tactics. Kochava has always operated consistently and proactively in compliance with all rules and laws, including those specific to privacy.”
“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” Levine said. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”
The Federal Trade Commission (FTC) is currently seeking comments on new rules that would further restrict platforms’ efforts to monetize children’s data.
Through the Children’s Online Privacy Protection Act (COPPA), the FTC initially sought to give parents more control over what kinds of information that various websites and apps can collect from their kids. Now, the FTC wants to update COPPA and “shift the burden from parents to providers to ensure that digital services are safe and secure for children,” the FTC’s press release said.
“By requiring firms to better safeguard kids’ data, our proposal places affirmative obligations on service providers and prohibits them from outsourcing their responsibilities to parents,” FTC chair Lina Khan said.
Among proposed rules, the FTC would require websites to turn off targeted advertising by default and prohibit sending push notifications to encourage kids to use services more than they want to. Surveillance in schools would be further restricted, so that data is only collected for educational purposes. And data security would be strengthened by mandating that websites and apps “establish, implement, and maintain a written children’s personal information security program that contains safeguards that are appropriate to the sensitivity of the personal information collected from children.”
Perhaps most significantly, COPPA would also be updated to stop companies from retaining children’s data forever, explicitly stating that “operators cannot retain the information indefinitely.” In a statement, commissioner Alvaro Bedoya called this a “critical protection” at a time when “new, machine learning-fueled systems require ever larger amounts of training data.”
These proposed changes were designed to address “the evolving ways personal information is being collected, used, and disclosed, including to monetize children’s data,” the FTC said.
Keeping up with advancing technology, the FTC said, also requires expanding COPPA’s definition of “personal information” to include biometric identifiers. That change was likely inspired by charges brought against Amazon earlier this year, when the FTC accused Amazon of violating COPPA by retaining tens of thousands of children’s Alexa voice recordings forever.
Once the notice of proposed rulemaking is published to the Federal Register, the public will have 60 days to submit comments. The FTC likely anticipates thousands of parents and stakeholders to weigh in, noting that the last time COPPA was updated in 2019, more than 175,000 comments were submitted.
Endless tracking of kids not a “victimless crime”
Bedoya said that updating the already-expansive children’s privacy law would prevent known harms. He also expressed concern that increasingly these harms are being overlooked, citing a federal judge in California who preliminarily enjoined California’s Age-Appropriate Design Code in September. That judge had suggested that California’s law was “actually likely to exacerbate” online harm to kids, but Bedoya challenged that decision as reinforcing a “critique that has quietly proliferated around children’s privacy: the idea that many privacy invasions do not actually hurt children.”
For decades, COPPA has protected against the unauthorized or unnecessary collection, use, retention, and disclosure of children’s information, which Bedoya said “endangers children’s safety,” “exposes children and families to hacks and data breaches,” and “allows third-party companies to develop commercial relationships with children that prey on their trust and vulnerability.”
“I think each of these harms, particularly the latter, undermines the idea that the pervasive tracking of children online is [a] ‘victimless crime,’” Bedoya said, adding that “the harms that COPPA sought to prevent remain real, and COPPA remains relevant and profoundly important.”
According to Bedoya, COPPA is more vital than ever, as “we are only at the beginning of an era of biometric fraud.”
Khan characterized the proposed changes as “much-needed” in an “era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children.”
“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data,” Khan said.