On February 27, 2019, the Federal Trade Commission (FTC) agreed to settle for $5.7 million allegations that Musical.ly, a video sharing app now known as TikTok, violated the Children’s Online Privacy Protection Act (COPPA). This is the largest civil penalty ever obtained by the FTC in a children’s privacy case. The complaint alleged that the app failed to comply with basic COPPA requirements, including notifying parents about its collection and use of personal information from users under 13, obtaining parental consent, and deleting personal information at the request of parents. In addition to the steep monetary penalty, the settlement also requires TikTok to comply with COPPA requirements going forward and to remove all videos made by children under the age of 13.

The TikTok app allowed users to create short videos and share those videos with other users. In order to register, the app required an email address, phone number, username, first and last name, short biography, and a profile picture. Additionally, the app allowed users to interact with other users through comment and direct message features. Until October 2016, the app even collected location data and had a feature allowing users to view other users within a 50-mile radius. The accounts were public by default, meaning that a child’s personal information, picture, and videos were available for any user to view. Even if a user made their account private, the profile pictures and biographies remained public, and other users could continue to send direct messages. The FTC complaint notes that there were public reports of adults trying to contact children via the app.

In support of its penalty, the FTC pointed out that the app was aware that a significant number of users were under 13 and that it even received thousands of complaints from parents. The Better Business Bureau’s Children’s Advertising Review Unit (CARU) also helped to alert the FTC to the app’s COPPA violations.

FTC Commissioners Rohit Chopra and Rebecca Kelly Slaughter issued a separate statement, which calls the settlement a “major milestone” and puts companies on notice of how seriously the FTC takes COPPA violations. Further, the statement indicates FTC trends for COPPA enforcement in the future, noting that in the past, “individuals at large companies have often avoided scrutiny,” but that “as we continue to pursue violations of law, we should prioritize uncovering the role of corporate officers and directors and hold accountable everyone who broke the law” and consider whether to charge them. The FTC Chairman also commented that “This record penalty should be a reminder to all online services and websites that target children: We take enforcement of COPPA very seriously, and we will not tolerate companies that flagrantly ignore the law.”

A copy of the order stipulating the penalties is available here.