The Federal Trade Commission (“FTC”) has handed down its largest civil penalty ever for violations of the Children’s Online Privacy Protection Act (“COPPA”). Musical.ly, now known as TikTok after a 2018 merger, agreed to a fine of $5.7 million for its violations. The settlement was significant not only because of its record amount, but also because it includes a specific agreement on how the website will operate going forward.
According to COPPA, operators of apps and websites aimed at young users under the age of 13 cannot collect personal data such as email addresses, IP addresses, geolocation information or other identifiers without parental consent. Musical.ly, however, required users to provide an email address, phone number, username, first and last name, a short biography and a profile picture, and made user accounts public by default. The app lets users create and share videos of themselves lip-syncing to songs and otherwise interact with other users. Musical.ly – like Snapchat, Instagram, Vine, and Youtube – is a mixed audience app. Although it does not specifically cater to users under 13, the type of content created and shared in the app has – unsurprisingly – made it popular with the younger age demographic.
COPPA requires that operators of websites and online services get consent from parents to collect the personal information of children under 13 if they 1) are directed to children and collect personal information from them, or 2) are directed to a general audience, but have actual knowledge they are collecting personal information from kids. In its complaint, the FTC found that Musical.ly satisfied both. It knew many of its users were children and still failed to seek parental consent. It had actual knowledge because many users listed their ages or grades, and several press articles had highlighted the popularity of the app among tweens. Additionally, Musical.ly had received thousands of complaints from parents, some of whom were concerned about the app’s location feature, which allowed users to find others within a 50-mile radius. The FTC also said that Musical.ly met COPPA’s definition of “directed to children.” In making that determination, it looked at a variety of factors including user composition data, visual content, the presence of child celebrities, and song folders with themes aimed at children – such as Disney and songs about school.
The complaint charges that Musical.ly violated COPPA by:
- Failing to provide notice on their site of the information they collect online from children, how they use it, and their disclosure practices,
- Failing to provide direct notice to parents,
- Failing to get consent from parents before collecting personal information from children,
- Failing to honor parents’ requests to delete personal information collected from kids, and
- Retaining that personal information for longer than reasonably necessary.
Since July 2017, Musical.ly has asked for the age of new users, and prevented users under 13 from creating accounts. But it did not go back to verify the ages of existing users, running afoul of COPPA requirements. Just days after the settlement, TikTok released a significant privacy update to its app. The app will now bifurcate its experiences for those over and under 13 years of age. Users will need to enter their date of birth before entering the app. Younger users will not be able to share personal information or videos to the app, and TikTok will take down videos by children under 13. Younger users will be able to continue to participate in the TikTok community by “liking” content and following users.
The settlement demonstrates that the FTC is serious about COPPA enforcement, and that companies cannot hide behind a “general audience” or “mixed audience” cloak to avoid putting in place strict COPPA parental consent requirements if they have actual knowledge that children under 13 are using their app. It also demonstrates that the FTC will take a wide array of factors into account when determining that a website is directed to children. Companies that view themselves as falling in a “gray area” should exercise caution in establishing their personal data collection practices.
In a unanimous vote, the FTC authorized staff to refer the complaint to the Department of Justice and approved the proposed consent decree. The Department of Justice then filed the complaint and proposed consent decree on behalf of the FTC in the U.S. District Court for the Central District of California. Once approved and signed by a District Court judge, the consent decree will have the force of law. Democratic Commissioners Rohit Chopra and Rebecca Kelly Slaughter issued a separate statement saying that corporate executives should be held accountable when companies break the law.