that the operators of the video social networking application Musical.ly, now known as TikTok, agreed to pay $5.7 million to settle allegations that it violated the Children’s Online Privacy Protection Act (COPPA). According to the FTC, this is the largest civil penalty obtained in a children’s privacy case. The proposed consent order also requires TikTok to destroy all user data for users under the age of 13 and for users who are over 13 but were under 13 when TikTok collected their data, unless TikTok has verifiable parental consent to collect, use, and disclose such data.
The application at issue allows users to create videos, edit them and synchronize them to music clips, and then share them with other users. To register, users had to provide their email address, phone number, first and last name, bio, and profile picture. User accounts were set to “public” by default, meaning other users could search for and view the user’s profile. And for a period of time, the application collected geolocation data and had a “my city” function that allowed users to view a list of other users within a 50-mile radius. According to the FTC, the defendants had received thousands of parental complaints and there were numerous public reports of adults attempting to contact children through the application.
The FTC’s complaint, which the Department of Justice filed on its behalf, alleged several longstanding COPPA violations. Specifically, the FTC alleged that the defendants failed to provide required privacy notices, failed to obtain parental consent before collecting children’s personal information, failed to delete children’s personal information upon parental request, and retained children’s personal information for longer than was reasonably necessary to fulfill the purpose for which the information was collected.
The FTC also alleged that the application was directed, at least in part, to children under the age of 13 and that the defendants knew that children were using the application. Many users stated their age in their profile bio or provided grade school information that showed they were under 13. Many of the music clips available from the application’s library are popular with children, such as clips from Disney movies or clips from musical artists who are popular with “tweens and younger children.” And while the application began requesting age information in July 2017 and prevented users under 13 from creating accounts, it had no restrictions in place before then, and it did not request age information from users who created accounts before that date.
In conjunction with the announced civil penalty, Commissioners Rohit Chopra and Rebecca Kelly Slaughter issued a notable joint statement advocating for greater individual accountability for COPPA violators. The statement expressed Chopra’s and Slaughter’s belief that the violations showed “the company’s willingness to pursue growth even at the expense of endangering children.” They went on to say, “When any company appears to have made a business decision to violate or disregard the law, the Commission should identify and investigate those individuals who made or ratified that decision and evaluate whether to charge them.”
Of course, Chopra and Slaughter are only two of the five Commissioners. It therefore remains to be seen whether the Commission as a whole will adopt a more aggressive approach to enforcement against individuals or will reserve going after individuals only in the most egregious cases. But given the record amount of the civil penalty, the Commission is certainly wary of companies that elevate profits over privacy.