Sponsored Content

Are Children Using Your Website or Online Service?

© Ice Miller LLP © Ice Miller LLP

The FTC reached a $5.7 million settlement agreement with TikTok (formerly known as Musical.ly)[1] for violations of the Children's Online Privacy Protection Act (COPPA), the largest fine since the enactment of COPPA.

TikTok's Practices Which Led to the Violation

TikTok operates a social media website and corresponding app (App) in which users can create profiles to lip-synch to popular songs, instantly share videos of them doing so, and interact with other users and the accounts of celebrities (including popular users who enjoy celebrity-like followings). To register, users were required to provide an email address, phone number, name, bio, and profile photo, all of which became publicly available by default. Since July 2017, the App prevented users who indicated they were under 13 from joining. However, for the users who created accounts prior to July 2017, the App did not retroactively request or verify age information. The App's online library has millions of song tracks, including songs from popular children and younger teen movies. Users can send direct messages to each other, and media reports have shown that adults have tried to contact children directly via the App. Overall, the App is known for its ease of use, particularly among children.

For more information click here.

TikTok was aware children were using its App and also received thousands of complaints from parents that their child was under 13 and still had managed to create an account without their knowledge. Some parents requested that these accounts close, and while TikTok did close those accounts, user videos and profile information were not deleted from TikTok's servers.

FTC's Allegations Against TikTok

The FTC's complaint[2] stated that TikTok violated COPPA, because it failed to:

  1. provide general notice of its information collection practices;
  2. provide direct notice of its information collection practices to parents of children under 13;
  3. obtain verifiable parental consent prior to collection, use, and disclosure of children’s personal information; and
  4. completely delete personal information of children at the request of parents. TikTok also retained children’s personal information for longer than reasonably necessary.

The settlement[3] includes the $5.7 million fine, a permanent injunction requiring COPPA compliance moving forward, and a requirement that TikTok develop a separate App experience[4] for children that will limit their ability to interact with other users or share any personal information. TikTok must also delete personal information held under user accounts or take steps to verify the age of users.

You Know It When You See It

COPPA is applicable to all websites or services that are "directed to children." Determination of whether a website or online service is "directed to children" is a totality of the circumstances test; in other words, such determinations are made on a case-by-case basis.

The COPPA rule states:

"In determining whether a Web site or online service, or a portion thereof, is directed to children, the Commission will consider its subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition, and evidence regarding the intended audience." Anchor[5]

Thus, the key takeaway is that whether a website or online service is or is not explicitly directed towards children is not what matters. Rather, the FTC will look at the site’s overall appearance and function, as well as evidence the company had actual knowledge that some users are under 13. "Actual knowledge" is a key term that can result in enforcement or not. In the case of TikTok, the company clearly had user-supplied information, received complaints from parents, and built its App to appeal to children. Thus, the actual knowledge threshold in this case was obvious and apparent. In other cases, only user information may be sufficient or any other evidence that a company knew children under 13 were using its service.

Does COPPA Apply to My Company and if so, How Do We Comply?

The FTC has published a six-step compliance plan[6] for businesses to determine whether COPPA is applicable to them and how to comply, along with a comprehensive frequently asked questions[7] resource. This compliance plan was last updated in July 2017 and may be modified with additional best practices extrapolated from the TikTok case. We note that although these resources represent the views of the FTC staff, they are not binding on the FTC. Though COPPA allows the FTC to conduct a case-by-case analysis, which may cause concern of regulatory uncertainty, the enforcement action against TikTok is not surprising given TikTok's prolific engagement with child users. Nevertheless, all businesses and their data collection practices are different; thus, COPPA compliance for one business may not be the same for another. At best, businesses should not collect information from children under 13 at all, and only do so if the business model requires it and only if such collection can fully comply with COPPA. Should your business require collection of information from children or to determine its feasibility given COPPA, please contact our Data Security and Privacy Group for further information. 

The FTC currently enjoys bipartisan support for its enforcement priorities, particularly as the market power of technology companies has increasingly come into question. Regarding the TikTok case, we note that two commissioners of the FTC separately issued a joint statement, stating "the Commission should identify and investigate those individuals who made or ratified that decision and evaluate whether to charge them" and made reference to companies that make “a business decision to violate or disregard the law.”[8] Though individual TikTok executives have not currently been charged, this statement may indicate a more assertive enforcement posture in the future, particularly towards companies and individuals who appear to flagrantly disregard the regulations.

In the context of mergers and acquisitions, this enforcement action should remind all potential buyers that detailed due diligence on a company's data security and privacy practices is essential before closing a deal. Acquiring a large user base or other technology asset is always attractive, not so when the package comes with potential civil or even criminal liabilities. The App in question here was first developed and operated by Musical.ly (operating in the U.S. through Musical.ly, Inc.), a Chinese company. Musical.ly was acquired in December 2017 by ByteDance Ltd., another Chinese company, and it is ByteDance that has inherited, and will now pay for, Musical.ly's COPPA violations and subsequent penalties.

For more information, contact Nick MerkerMoein Khawaja or another member of our Data Security and Privacy Group

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

[1]  Federal Trade Commission, Video Social Networking App Musical.ly Agrees to Settle FTC Allegations That it Violated Children’s Privacy Law (Feb. 27, 2019), 

[2]  Complaint for Civil Penalties, Permanent Injunction, and Other Equitable Relief, United States v. Musical.ly and Musical.ly, Inc., No. 2:19-cv-1439 (Dist. Ct. Central California), available at  https://www.ftc.gov/system/files/documents/cases/musical.ly_complaint_ecf_2-27-19.pdf.

[3]  Stipulated Order for Civil Penalties, Permanent Injunction, and Other Relief, United States v. Musical.ly and Musical.ly, Inc., No. 2:19-cv-1439 (Dist. Ct. Central California), available athttps://www.ftc.gov/system/files/documents/cases/musical.ly_proposed_order_ecf_2-27-19.pdf.

[4]  TikTok, Musical.ly's Agreement With FTC (Feb. 27, 2019), http://newsroom.tiktok.com/musical-lys-agreement-with-ftc/.  

[5]  16 C.F.R. § 312.2.

[6]  Federal Trade Commission, Children's Online Privacy Protection Rule: A Sex-Step Compliance Plan for Your Businesshttps://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance.

[7]  Federal Trade Commission, Complying with COPPA: Frequently Asked Questions (Mar. 20, 2015), https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions

[8]  Joint Statement of Commissioner Rohit Chopra and Commissioner Rebecca Kelly Slaughter, In the Matter of Musical.ly Inc. (now known as TikTok), Commission File Number 1723004, February 27, 2019, https://www.ftc.gov/system/files/documents/public_statements/1463167/chopra_and_slaughter_musically_tiktok_joint_statement_2-27-19.pdf

  • Perspectives

    • The Race for a Winning Credit Score

      It’s May in Indy and the sound of revving racecar engines signals good times to come. But try to keep your spending under the yellow flag. Overspending on credit cards during the festivities could turn that May engine roar into a dreaded credit score “dent” come June. That’s not a great way to kick off summer. Here’s what to watch out for so your credit score will be a winner! FICO Credit-Scoring System The FICO (Fair Isaac Corporation) is the most...


Company Name:
Confirm Email:
INside Edge
Morning Briefing
BigWigs & New Gigs
Life Sciences Indiana
Indiana Connections


  • Most Popular Stories

    • New Owners Coming For Indiana Casinos

      Two Indiana casinos will soon be under new ownership. Las Vegas-based Pinnacle Entertainment Inc. (Nasdaq: PNK), which owns Ameristar Casino and Hotel in East Chicago and Belterra Casino Resort in Florence, is set to be acquired by Penn National Gaming Inc. (Nasdaq: PENN) in a $2.8 billion deal.

    • Governor Announces OMB Director Change

      Governor Eric Holcomb has named Cris Johnston Office of management and budget director. He previously served eight years for then Gov. Mitch Daniels as the executive director of the Office of Management and Budget’s division of government efficiency and later, as deputy chief of staff. Johnston will take over for Micah Vincent who is leaving the administration.
    • (photo courtesy of ArcelorMittal)

      ArcelorMittal Investing $160M at Burns Harbor

      Luxembourg-based ArcelorMittal has announced plans to invest more than $160 million in its Burns Harbor steel mill. Our partners at The Times of Northwest Indiana report the steelmaker's investment will focus on several areas within the facility over the next several years.

    • I-65 INDOT construction map

      I-65 Construction Update

      Construction work is scheduled to start next week on I-65 near downtown Indianapolis. Indiana Department of Transportation crews will begin to clean up the interstates after two years of freeze/thaw cycles. Crews will be working in segments, including patching and repaving work. INDOT crews will begin work in earnest on northbound and southbound in segments, beginning on weekend nights from April 26 through August.  

    • (photo courtesy of Reid Health)

      Reid Health To Acquire Fayette Regional Health System

      Reid Health has entered into an agreement to acquire the assets of Fayette Regional Health System of Connersville. The announcement comes after Fayette Regional filed for protection under Chapter 11 in October 2018. Specific terms will be disclosed in the bankruptcy case and will include a $12.75M payment to the bankruptcy estate of Fayette. The deal requires bankruptcy and regulatory approval and is expected to be finalized in mid-July this year.