Are Children Using Your Website or Online Service?
The FTC reached a $5.7 million settlement agreement with TikTok (formerly known as Musical.ly) for violations of the Children’s Online Privacy Protection Act (COPPA), the largest fine since the enactment of COPPA.
TikTok’s Practices Which Led to the Violation
TikTok operates a social media website and corresponding app (App) in which users can create profiles to lip-synch to popular songs, instantly share videos of them doing so, and interact with other users and the accounts of celebrities (including popular users who enjoy celebrity-like followings). To register, users were required to provide an email address, phone number, name, bio, and profile photo, all of which became publicly available by default. Since July 2017, the App prevented users who indicated they were under 13 from joining. However, for the users who created accounts prior to July 2017, the App did not retroactively request or verify age information. The App’s online library has millions of song tracks, including songs from popular children and younger teen movies. Users can send direct messages to each other, and media reports have shown that adults have tried to contact children directly via the App. Overall, the App is known for its ease of use, particularly among children.
For more information click here.
TikTok was aware children were using its App and also received thousands of complaints from parents that their child was under 13 and still had managed to create an account without their knowledge. Some parents requested that these accounts close, and while TikTok did close those accounts, user videos and profile information were not deleted from TikTok’s servers.
FTC’s Allegations Against TikTok
The FTC’s complaint stated that TikTok violated COPPA, because it failed to:
- provide general notice of its information collection practices;
- provide direct notice of its information collection practices to parents of children under 13;
- obtain verifiable parental consent prior to collection, use, and disclosure of children’s personal information; and
- completely delete personal information of children at the request of parents. TikTok also retained children’s personal information for longer than reasonably necessary.
The settlement includes the $5.7 million fine, a permanent injunction requiring COPPA compliance moving forward, and a requirement that TikTok develop a separate App experience for children that will limit their ability to interact with other users or share any personal information. TikTok must also delete personal information held under user accounts or take steps to verify the age of users.
You Know It When You See It
COPPA is applicable to all websites or services that are "directed to children." Determination of whether a website or online service is "directed to children" is a totality of the circumstances test; in other words, such determinations are made on a case-by-case basis.
The COPPA rule states:
"In determining whether a Web site or online service, or a portion thereof, is directed to children, the Commission will consider its subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition, and evidence regarding the intended audience." Anchor
Thus, the key takeaway is that whether a website or online service is or is not explicitly directed towards children is not what matters. Rather, the FTC will look at the site’s overall appearance and function, as well as evidence the company had actual knowledge that some users are under 13. "Actual knowledge" is a key term that can result in enforcement or not. In the case of TikTok, the company clearly had user-supplied information, received complaints from parents, and built its App to appeal to children. Thus, the actual knowledge threshold in this case was obvious and apparent. In other cases, only user information may be sufficient or any other evidence that a company knew children under 13 were using its service.
Does COPPA Apply to My Company and if so, How Do We Comply?
The FTC has published a six-step compliance plan for businesses to determine whether COPPA is applicable to them and how to comply, along with a comprehensive frequently asked questions resource. This compliance plan was last updated in July 2017 and may be modified with additional best practices extrapolated from the TikTok case. We note that although these resources represent the views of the FTC staff, they are not binding on the FTC. Though COPPA allows the FTC to conduct a case-by-case analysis, which may cause concern of regulatory uncertainty, the enforcement action against TikTok is not surprising given TikTok’s prolific engagement with child users. Nevertheless, all businesses and their data collection practices are different; thus, COPPA compliance for one business may not be the same for another. At best, businesses should not collect information from children under 13 at all, and only do so if the business model requires it and only if such collection can fully comply with COPPA. Should your business require collection of information from children or to determine its feasibility given COPPA, please contact our Data Security and Privacy Group for further information.
The FTC currently enjoys bipartisan support for its enforcement priorities, particularly as the market power of technology companies has increasingly come into question. Regarding the TikTok case, we note that two commissioners of the FTC separately issued a joint statement, stating "the Commission should identify and investigate those individuals who made or ratified that decision and evaluate whether to charge them" and made reference to companies that make “a business decision to violate or disregard the law.” Though individual TikTok executives have not currently been charged, this statement may indicate a more assertive enforcement posture in the future, particularly towards companies and individuals who appear to flagrantly disregard the regulations.
In the context of mergers and acquisitions, this enforcement action should remind all potential buyers that detailed due diligence on a company’s data security and privacy practices is essential before closing a deal. Acquiring a large user base or other technology asset is always attractive, not so when the package comes with potential civil or even criminal liabilities. The App in question here was first developed and operated by Musical.ly (operating in the U.S. through Musical.ly, Inc.), a Chinese company. Musical.ly was acquired in December 2017 by ByteDance Ltd., another Chinese company, and it is ByteDance that has inherited, and will now pay for, Musical.ly’s COPPA violations and subsequent penalties.
For more information, contact Nick Merker, Moein Khawaja or another member of our Data Security and Privacy Group
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
 Federal Trade Commission, Video Social Networking App Musical.ly Agrees to Settle FTC Allegations That it Violated Children’s Privacy Law (Feb. 27, 2019),
 Complaint for Civil Penalties, Permanent Injunction, and Other Equitable Relief, United States v. Musical.ly and Musical.ly, Inc., No. 2:19-cv-1439 (Dist. Ct. Central California), available at https://www.ftc.gov/system/files/documents/cases/musical.ly_complaint_ecf_2-27-19.pdf.
 Stipulated Order for Civil Penalties, Permanent Injunction, and Other Relief, United States v. Musical.ly and Musical.ly, Inc., No. 2:19-cv-1439 (Dist. Ct. Central California), available athttps://www.ftc.gov/system/files/documents/cases/musical.ly_proposed_order_ecf_2-27-19.pdf.
 TikTok, Musical.ly’s Agreement With FTC (Feb. 27, 2019), http://newsroom.tiktok.com/musical-lys-agreement-with-ftc/.
 16 C.F.R. § 312.2.
 Federal Trade Commission, Children’s Online Privacy Protection Rule: A Sex-Step Compliance Plan for Your Business, https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance.
 Federal Trade Commission, Complying with COPPA: Frequently Asked Questions (Mar. 20, 2015), https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions.
 Joint Statement of Commissioner Rohit Chopra and Commissioner Rebecca Kelly Slaughter, In the Matter of Musical.ly Inc. (now known as TikTok), Commission File Number 1723004, February 27, 2019, https://www.ftc.gov/system/files/documents/public_statements/1463167/chopra_and_slaughter_musically_tiktok_joint_statement_2-27-19.pdf.