Sponsored Content

Are Children Using Your Website or Online Service?

© Ice Miller LLP © Ice Miller LLP

The FTC reached a $5.7 million settlement agreement with TikTok (formerly known as Musical.ly)[1] for violations of the Children's Online Privacy Protection Act (COPPA), the largest fine since the enactment of COPPA.

TikTok's Practices Which Led to the Violation

TikTok operates a social media website and corresponding app (App) in which users can create profiles to lip-synch to popular songs, instantly share videos of them doing so, and interact with other users and the accounts of celebrities (including popular users who enjoy celebrity-like followings). To register, users were required to provide an email address, phone number, name, bio, and profile photo, all of which became publicly available by default. Since July 2017, the App prevented users who indicated they were under 13 from joining. However, for the users who created accounts prior to July 2017, the App did not retroactively request or verify age information. The App's online library has millions of song tracks, including songs from popular children and younger teen movies. Users can send direct messages to each other, and media reports have shown that adults have tried to contact children directly via the App. Overall, the App is known for its ease of use, particularly among children.

For more information click here.

TikTok was aware children were using its App and also received thousands of complaints from parents that their child was under 13 and still had managed to create an account without their knowledge. Some parents requested that these accounts close, and while TikTok did close those accounts, user videos and profile information were not deleted from TikTok's servers.

FTC's Allegations Against TikTok

The FTC's complaint[2] stated that TikTok violated COPPA, because it failed to:

  1. provide general notice of its information collection practices;
  2. provide direct notice of its information collection practices to parents of children under 13;
  3. obtain verifiable parental consent prior to collection, use, and disclosure of children’s personal information; and
  4. completely delete personal information of children at the request of parents. TikTok also retained children’s personal information for longer than reasonably necessary.

The settlement[3] includes the $5.7 million fine, a permanent injunction requiring COPPA compliance moving forward, and a requirement that TikTok develop a separate App experience[4] for children that will limit their ability to interact with other users or share any personal information. TikTok must also delete personal information held under user accounts or take steps to verify the age of users.

You Know It When You See It

COPPA is applicable to all websites or services that are "directed to children." Determination of whether a website or online service is "directed to children" is a totality of the circumstances test; in other words, such determinations are made on a case-by-case basis.

The COPPA rule states:

"In determining whether a Web site or online service, or a portion thereof, is directed to children, the Commission will consider its subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition, and evidence regarding the intended audience." Anchor[5]

Thus, the key takeaway is that whether a website or online service is or is not explicitly directed towards children is not what matters. Rather, the FTC will look at the site’s overall appearance and function, as well as evidence the company had actual knowledge that some users are under 13. "Actual knowledge" is a key term that can result in enforcement or not. In the case of TikTok, the company clearly had user-supplied information, received complaints from parents, and built its App to appeal to children. Thus, the actual knowledge threshold in this case was obvious and apparent. In other cases, only user information may be sufficient or any other evidence that a company knew children under 13 were using its service.

Does COPPA Apply to My Company and if so, How Do We Comply?

The FTC has published a six-step compliance plan[6] for businesses to determine whether COPPA is applicable to them and how to comply, along with a comprehensive frequently asked questions[7] resource. This compliance plan was last updated in July 2017 and may be modified with additional best practices extrapolated from the TikTok case. We note that although these resources represent the views of the FTC staff, they are not binding on the FTC. Though COPPA allows the FTC to conduct a case-by-case analysis, which may cause concern of regulatory uncertainty, the enforcement action against TikTok is not surprising given TikTok's prolific engagement with child users. Nevertheless, all businesses and their data collection practices are different; thus, COPPA compliance for one business may not be the same for another. At best, businesses should not collect information from children under 13 at all, and only do so if the business model requires it and only if such collection can fully comply with COPPA. Should your business require collection of information from children or to determine its feasibility given COPPA, please contact our Data Security and Privacy Group for further information. 

The FTC currently enjoys bipartisan support for its enforcement priorities, particularly as the market power of technology companies has increasingly come into question. Regarding the TikTok case, we note that two commissioners of the FTC separately issued a joint statement, stating "the Commission should identify and investigate those individuals who made or ratified that decision and evaluate whether to charge them" and made reference to companies that make “a business decision to violate or disregard the law.”[8] Though individual TikTok executives have not currently been charged, this statement may indicate a more assertive enforcement posture in the future, particularly towards companies and individuals who appear to flagrantly disregard the regulations.

In the context of mergers and acquisitions, this enforcement action should remind all potential buyers that detailed due diligence on a company's data security and privacy practices is essential before closing a deal. Acquiring a large user base or other technology asset is always attractive, not so when the package comes with potential civil or even criminal liabilities. The App in question here was first developed and operated by Musical.ly (operating in the U.S. through Musical.ly, Inc.), a Chinese company. Musical.ly was acquired in December 2017 by ByteDance Ltd., another Chinese company, and it is ByteDance that has inherited, and will now pay for, Musical.ly's COPPA violations and subsequent penalties.

For more information, contact Nick MerkerMoein Khawaja or another member of our Data Security and Privacy Group

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

[1]  Federal Trade Commission, Video Social Networking App Musical.ly Agrees to Settle FTC Allegations That it Violated Children’s Privacy Law (Feb. 27, 2019), 

[2]  Complaint for Civil Penalties, Permanent Injunction, and Other Equitable Relief, United States v. Musical.ly and Musical.ly, Inc., No. 2:19-cv-1439 (Dist. Ct. Central California), available at  https://www.ftc.gov/system/files/documents/cases/musical.ly_complaint_ecf_2-27-19.pdf.

[3]  Stipulated Order for Civil Penalties, Permanent Injunction, and Other Relief, United States v. Musical.ly and Musical.ly, Inc., No. 2:19-cv-1439 (Dist. Ct. Central California), available athttps://www.ftc.gov/system/files/documents/cases/musical.ly_proposed_order_ecf_2-27-19.pdf.

[4]  TikTok, Musical.ly's Agreement With FTC (Feb. 27, 2019), http://newsroom.tiktok.com/musical-lys-agreement-with-ftc/.  

[5]  16 C.F.R. § 312.2.

[6]  Federal Trade Commission, Children's Online Privacy Protection Rule: A Sex-Step Compliance Plan for Your Businesshttps://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance.

[7]  Federal Trade Commission, Complying with COPPA: Frequently Asked Questions (Mar. 20, 2015), https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions

[8]  Joint Statement of Commissioner Rohit Chopra and Commissioner Rebecca Kelly Slaughter, In the Matter of Musical.ly Inc. (now known as TikTok), Commission File Number 1723004, February 27, 2019, https://www.ftc.gov/system/files/documents/public_statements/1463167/chopra_and_slaughter_musically_tiktok_joint_statement_2-27-19.pdf

  • Perspectives

    • What’s Your Biggest Waste of Money?

      Americans are in the age of reducing waste. There’s a big push to purchase sustainable products, reduce our usage of plastics, and recycle. But has this trend carried over to our personal finances?  Not really.  In a study by The Ascent, the financial expertise arm of The Motley Fool, more than 60 percent of respondents felt they have wasteful financial tendencies. Why is that?



Company Name:
Confirm Email:
INside Edge
Morning Briefing
BigWigs & New Gigs
Life Sciences Indiana
Indiana Connections


  • Most Popular Stories

    • POET ethanol co. announced in Aug 2019 it was closing the plant in Cloverdale. (photo courtesy: POET)

      Cloverdale Ethanol Plant Closes

      South Dakota-based POET LLC, the nation’s largest biofuels producer, is moving forward with a plan to shut down its biorefining plant in Cloverdale, leaving 50 Hoosiers without jobs effective Friday. The company tells Inside INdiana Business that it is not making any changes to the plans announced two months ago. 

    • (Image of downtown Shelbyville courtesy of Mainstreet Shelbyville Inc.)

      Shelbyville Unveils Major Downtown Redevelopment

      The city of Shelbyville is announcing what it calls a major downtown redevelopment project to boost overall quality of life. The project plans feature green spaces, increased parking, market-rate housing, and infrastructure for public entertainment and community events. 

    • (IIB Photo/Joe Ulery)

      Neighborhood Concerned About Old GM Site, Too

      As the city of Indianapolis and Ambrose Property Group squabble about the future of the old GM Stamping plant site in downtown Indy, a fight that could end up in court, residents who live near the property are weighing in with their concerns. Jay Napoleon, president of The Valley Neighborhood Association, says it’s important the mixed-use vision for the property remain intact. Napoleon and Ambrose Property Group Vice President Mali Simone Jeffers talked about the future of...

    • What’s Your Biggest Waste of Money?

      Americans are in the age of reducing waste. There’s a big push to purchase sustainable products, reduce our usage of plastics, and recycle. But has this trend carried over to our personal finances?  Not really.  In a study by The Ascent, the financial expertise arm of The Motley Fool, more than 60 percent of respondents felt they have wasteful financial tendencies. Why is that?

    • The IU School of Informatics, Computing and Engineering will now be named for Fred Luddy for his $60M gift. (photo courtesy James Brosher/IU)

      $60M Gift to Fund AI Center

      An Indiana University alumnus who founded the information technology firm, ServiceNow, has given his alma mater $60 million to establish an artificial intelligence center. The university says the gift from cloud-computing pioneer Fred Luddy is the second largest in the history of the IU.