The Federal Trade Commission (‘FTC’) announced, on 27 February 2019, that the social networking application Musical.ly Inc., now known as TikTok, had agreed to a $5.7 million settlement to resolve allegations that it had collected the personal information of children under the age of 13, including sensitive data such as location data, without obtaining parental consent, in violation of the Children’s Online Privacy Protection Act of 1998 (‘COPPA’). In addition, FTC Commissioners, Rohit Chopra and Rebecca Kelly Slaughter, released a joint statement (‘the Joint Statement’) on the settlement.
Kandi Parsons, Shareholder at ZwillGen PLLC, told DataGuidance, “This is the first case in which the FTC has enforced the position that a service that targets children as one of its audiences, even if not the primary audience, can be considered directed to children and subject to COPPA […] Some of the factors the FTC identified as contributing to the fact that Musical.ly was directed to children are characteristics that many online services include, [among other things,] simple tools enabling the use of the application’s features, colourful emojis, and users who self-identify in their biographies as under 13. [Additionally], the amount of the settlement indicates the FTC is willing to push beyond its past actions to hold companies accountable and deter others.”
Furthermore, the FTC noted that Musical.ly had failed to notify parents about its collection and use of children’s personal information, and delete such information at the request of parents. It also highlighted that Musical.ly’s operators are required to comply with COPPA going forward and to take offline all videos made by children under the age of 13, and outlined that this is the largest civil penalty it has ever obtained in a children’s privacy case.
Timothy Tobin, Partner at Hogan Lovells US LLP, told DataGuidance, “The size of the penalty suggests the FTC is taking COPPA violations seriously […] [It] has gradually been increasing its penalties in significant COPPA cases over the years and that trend will likely continue especially as the per violation maximum penalty has increased from $16,000 in 2016 to over $40,000 today. Each instance of non-compliant collection or use of the personal information of children under 13 is a separate COPPA violation. It would be difficult for companies at this point, nearly 20 years into the COPPA rules being in effect, to maintain that they were not aware of the potential consequences of non-compliance.”
The FTC is sending a message that COPPA enforcement actions will continue to be a priority
Moreover, the Joint Statement noted that Musical.ly’s practices reflected its willingness to pursue growth at the expense of children’s privacy, making the FTC’s action against the company a milestone for COPPA enforcement. In addition, it addressed the need for increased individual accountability for executives of businesses which make the decision to violate the law and noted that the FTC should identify and investigate those who made or ratified that decision and evaluate whether to charge them.
Emily Tabatabai, Partner at Orrick Herrington & Sutcliffe LLP, concluded, “The most interesting aspect of this enforcement action may be the Joint Statement, which suggests a willingness for the FTC to pursue enforcement activity against company executives who “made or ratified the decisions to break the law.” It provides a not-so-subtle hint that the current Commissioners may be more aggressive in holding executives individually liable for violations in the future. [Overall,] with this high-value settlement, the FTC is sending a message that COPPA enforcement actions will continue to be a priority.”
IANA GAYTANDJIEVA Junior Privacy Analyst