Bloomberg Law
Jan. 2, 2020, 11:31 AMUpdated: Jan. 3, 2020, 1:24 AM

U.S., EU Enforcers Target Big Tech, Children’s Privacy in 2020 (1)

Daniel R. Stoller
Daniel R. Stoller
Senior Legal Editor

European and U.S. regulators are likely to ramp up enforcement of privacy laws this year, especially children’s privacy, and wrap up probes of big technology companies.

The Federal Trade Commission is looking to update Children’s Online Privacy Protection Act rules. State attorneys general offices have said they’ll focus on protecting kids’ data. Irish data privacy enforcers said children’s privacy protections will be a major focus.

There’s “no indication” of a pull back on privacy enforcement, said Joseph Facciponti of Murphy & McGonigle in New York, who counsels companies on privacy and data security issues. “Regulators continue to respond to pressure to address the public’s profound unease -- whether justified or not -- with how personal data is being used by businesses,” Facciponti said.

The scrutiny creates a risk for tech companies, including Facebook and Google, that regulators will seek fines or force changes in how they process data as children flock to their platforms. Google’s YouTube in September agreed to a $170 million settlement with the FTC for children’s privacy violations. China-based TikTok faced lawmaker and regulatory scrutiny for its collection of kids’ data.

The FTC should decide early this year whether it will update the children’s privacy law rules, attorneys said. The push for the rules has worried social media content creators, who say changes may lower online revenue, according to comments filed to the FTC.

State Enforcer Investigations

State attorneys general, including those in Colorado, Washington, and New York, want their legislatures to pass laws that give them robust enforcement powers, privacy attorneys said.

The attorneys general will likely continue to investigate large technology companies in particular, said Phyllis Sumner, leader of King & Spalding LLP’s data, privacy, and security practice in Atlanta, who advises corporate clients.

“Privacy and security issues continue to receive much public attention and many state regulators are seeking to strengthen their capabilities and amend existing data breach notification, privacy and data protection laws,” Sumner said. State attorneys general “may find their role vastly expanded” as states enact laws, she said.

The D.C. Attorney General’s office plans to focus on artificial intelligence, such as how automated decision-making affects the housing market, said Elizabeth Wilkins, senior policy counsel for the office. Colorado Attorney General Phil Weiser (D) said he’ll focus on health privacy and regulating sensitive children’s data.

Companies will also watch how state attorneys general wrap up a multi-state privacy investigation and multiple local enforcer privacy lawsuits into Facebook. The enforcement actions could show how aggressive state regulators will be as they continue their pursuit of tech giants that allegedly flout consumer protection standards, privacy attorneys said.

Ireland Big Tech Probes

Ireland is likely to make the most noise in EU privacy enforcement, with major probes and an interest in children’s privacy that will take up much of big tech’s focus in 2020.

Ireland wants companies to increase their focus on protecting kids’ data. The Irish Data Protection Commission expects to introduce guidance early in the new year, said Graham Doyle, the commission’s director of communications. The privacy office also wants to encourage social media platforms to develop an industry code of conduct on children’s data protection, he said.

The Irish privacy office has 21 open investigations into big tech companies, including Facebook, Google, Apple Inc., and Twitter Inc.. New investigations are likely to open this year as the office continues its enforcement of the European Union’s privacy law. Probes into WhatsApp and a data-breach probe into Twitter are likely to lead the way, Doyle said.

An Apple representative didn’t immediately respond to requests to comment. A Facebook representative didn’t immediately comment. A spokesman for Twitter declined to comment. Jose Castaneda, a spokesman for Google, pointed to a Sept. 4 blog post regarding the YouTube settlement.

Enforcement fines will likely top the previous record of 50 million euro that France levied against Google in 2019, privacy attorneys predicted. Under Europe’s privacy law, the General Data Protection Regulation, companies can be fined up to four percent of their annual revenue. Meanwhile, Google is appealing the 50 million euro fine.

Ireland’s commission is empowered to impose “massive” fines, Facciponti said. The commission also can force businesses to change how they process data, he said.

“Companies should be concerned,” Facciponti said.

(Updated with additional reporting. Earlier version corrected attribution in seventh paragraph.)

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: John Hughes at; Keith Perine at