Within days of two parents of underage children filing a putative class action against TikTok’s parent company, asserting violations of the Children’s Online Privacy Protection Act (COPPA), the parties have reached a deal to settle the case.

The California and Illinois residents alleged that Musical.ly, the creator of the music-based video social networking platform, and ByteDance—the China-based technology company that purchased the app for $1 billion in December 2017—tracked, collected and disclosed the personally identifiable information and/or viewing data of children under the age of 13 without parental consent, as required by COPPA.

Since 2014, the app has been downloaded more than 200 million times, with at least 65 million Musical.ly accounts registered in the United States, the parents said. The app consistently targeted those under the age of 13, the plaintiffs added, by promoting musicians and entertainers popular with tweens, including song folders with music that appealed to children and deploying tools that made it easy for children to create and upload videos.

But the defendants “failed to deploy appropriate safeguards,” according to the Illinois federal court complaint, which permitted adults to contact minor children via the app, to send them inappropriate messages and even engage in stalking.

“Defendants operated their app in a reckless and unlawful manner for commercial gain,” the plaintiffs alleged. “In their quest for profits … defendants failed to safeguard minor children’s personally identifiable information and/or viewing data and ensure that the sale and/or transfer of said data to third parties was lawful.”

The defendants were well aware that children under the age of 13 constituted a significant portion of the app’s users, the plaintiffs claimed, as they received “thousands” of complaints from parents (more than 300 just in the two-week period between September 15 and September 30, 2016) and had information that some of the users whose accounts were among the most popular in terms of followers were under the age of 13.

In their complaint, the parents cited the Federal Trade Commission (FTC) action against the defendants based on similar allegations of COPPA violations, which resulted in the largest civil penalty ever obtained by the agency—$5.7 million—in a children’s privacy case.

The defendants responded by settling the lawsuit for $1.1 million. The money will be paid to an estimated 6 million parents or guardians whose children used or signed up for Musical.ly or TikTok when they were younger than 13.

“TikTok is firmly committed to safeguarding the data of its users, especially our younger users,” a spokesperson for the company said in a statement. “Although we disagree with much of what is alleged in the complaint, we have been working with the parties involved and are pleased to have come to a resolution of the issues.”

The case is T.K. v. ByteDance Technology Co., Ltd.

Why it matters: Although COPPA does not provide a private right of action, a recent spate of consumer class actions has attempted to use the law as a predicate for asserting violations of common-law privacy-related torts and various state consumer protection statutes. COPPA imposes requirements on operators of commercial websites or online services (such as mobile applications like TikTok) that collect, maintain, or use a third party to collect or maintain the personal information of children under 13 years of age. COPPA applies to websites or online service providers that direct services to children under 13, have actual knowledge that they collect personal information of children under 13, or collect such personal information from a third party. Third parties that collect personal information from users of websites directed at children also must comply with COPPA.

Under COPPA, covered entities must:

  • Provide notice of the information they collect, how they use the information, and their disclosure practices.
  • Obtain verifiable parental consent before collecting, using or disclosing a child’s personal information. “Obtaining verifiable consent” means that the provider must use reasonable efforts to ensure a child’s parent receives the requisite notice and provides authorization.
  • Give each child’s parent reasonable means to review the collected information and the ability to exercise his or her right to refuse the use or maintenance of such information.

Both the FTC and state attorneys general have the authority to enforce COPPA. Violators may be assessed civil penalties of up to $40,654 per violation, depending on factors including the egregiousness of the violations, the number of children involved, how the information was collected and used, and the offender’s prior violations.

In a recent trend, plaintiffs have attempted to use COPPA to target mobile application developers and ad networks or software development kit developers. In these cases, the plaintiffs have asserted common-law claims for intrusion upon seclusion (or invasion of privacy), violations of state constitutional rights to privacy and violations of various state consumer protection statutes.

If TikTok had not settled this case, its first line of defense would have been that COPPA expressly pre-empts inconsistent state laws. However, in the few cases premised on COPPA to date, COPPA’s pre-emptive effect has been narrowly construed. For example, in 2014, the FTC filed an amicus brief with the Ninth Circuit disagreeing with a district court’s ruling that COPPA displaces state laws that regulate the privacy of children over 13 years of age, a position that was later adopted by the appellate court. Also, the Third Circuit previously found that an intrusion upon seclusion claim based on an alleged COPPA violation was not pre-empted. In that case, the plaintiffs argued that the defendant collected personal information despite creating reasonable privacy expectations by assuring parents that it would not collect children’s personal information. The court found that because COPPA does not regulate deceitful tactics in connection with the collection of personal information, states may police such conduct. 

In addition to a potential pre-emption defense, other defenses may exist depending on the state law claims asserted. For example, to prove an intrusion upon seclusion claim in California, a plaintiff must demonstrate that there was an egregious breach of social norms. Plaintiffs may have difficulty meeting such a high bar for a number of reasons, including the prevalence of data collection in virtually all online services (e.g., Internet searches, social media and online shopping). Ultimately, however, the defenses available in future cases must necessarily be analyzed on a case-by-case basis depending on the claims asserted by plaintiffs and the development of case law premised on COPPA.

COPPA has received much renewed attention lately as the FTC is in the process of considering comments on the effectiveness of the agency’s 2013 COPPA amendments and whether additional changes are needed based on the rapid changes in technology. The deadline for submitting comments recently passed on December 11, 2019. We will be watching closely in 2020 to see if the FTC makes further changes to COPPA, so stay tuned for more COPPA updates in the coming year.