Exploring COPPA through the FTC’s Complaint against TikTok

Crystal Lowery

Associate Editor

Loyola University Chicago School of Law, JD 2020

The Children’s Online Privacy Protection Act (“COPPA”) prohibits unfair or deceptive collection, use, and disclosure of the personal information of children on the internet. COPPA covers both website operators and app developers, and prevents collection of personal information without verified, written consent of parents. On February 27, 2019, the Federal Trade Commission (“FTC”) filed a complaint in U.S. District Court against TikTok, previously known as Music.ly. The complaint alleged that Music.ly knowingly violated COPPA when it collected data from children without written consent of parents. Music.ly settled for $5,700,000.00, the largest civil penalty obtained by the FTC for violations of COPPA.

What Is COPPA?

Children, who cannot consent to the collection and use of their data, deserve stronger protection to prevent misuse of the data for marketing, the possibility of stolen identities, and other corrupt acts which could have life-long impacts on children. COPPA prohibits the collection of personal data from children under thirteen years old without parental consent. It also requires that websites and apps provide Parents with methods to review personal data collected by the website or app, and methods to refuse collection or use of the data. Further, refusal for collection of the data cannot limit the child’s participation in the website or app. Parents can opt in to some collection or use and out of others for the same website. Parental review of the collection and use processes provides children with increased safety of their personal information.

Websites and apps must establish privacy policies to prevent unauthorized use or access of the data. These privacy policies should be publicly available on the website, with clear and comprehensive information available to parents who are making decisions on whether to allow the website or app to access the child’s data. When the website or app no longer has use for the data collected, or when a parent revokes consent to have or use the data, the website must also have policies in place to determine the process of immediate deletion of private data.

COPPA applies to websites and apps that are either directed to children or are directed to the general public, but have actual knowledge they are collecting personal information from children. Additionally, safe harbors exist to protect websites and apps. Safe Harbors must meet explicit standards under the COPPA guidelines, and are established to ensure privacy for children and to allow websites and apps to run smoothly, with limited concern of violating COPPA. Violations of COPPA are treated as unfair and deceptive practices and can incur financial penalties and oversight by the FTC. The FTC’s enforcement mechanisms also include excessive penalties and damages that are calculated per each record violated.

How did TikTok Violate COPPA?

The FTC explained that TikTok met the definition of a website or app covered under COPPA because it is an app directed toward children. The FTC further noted that a significant percentage of TikTok users were under the age of 13. TikTok was aware of the apps popularity among children, and in fact the app targeted young users by highlighting videos about school, children’s movies, and other youth activities. The app also promoted child celebrities and celebrities who appealed to children.

Next, the FTC found that TikTok was aware of its young consumers and took advantage of the users by requesting expansive personal data including name, email address, date of birth, picture,  and grade in school. Prior features of the app also allowed users to find other users within a 50-mile radius, potentially putting children at risk for predators. The app also allows users to comment on photos and videos and send direct, private messages to other users. TikTok received thousands of complaints from parents who were concerned about the collection and use of their children’s data, however the complaints were summarily ignored and TikTok did not strengthen their data collection policies or privacy policies.

Collection of children’s data without consent is a violation of COPPA. Not long to TikTok knowingly collect the personal data of children, it refused to honor many parental requests to delete the data and remove user accounts. Parents often requested the deletion of the child’s account, requests went ignored by TikTok, and the accounts continued to live on TikTok’s servers. When accounts were deleted, TikTok did not delete the videos or profile information from their servers.

The FTC’s complaint alleged that TikTok violated COPPA by failing to provide notice that they were collecting information from children, failing to inform how that data would be used, and failing to provide collection notices to parents. The FTC also alleged that TikTok failed to get consent from parents before collecting children’s data, and failed to honor parents request to delete information already collected. Finally, the FTC kept children’s data longer than necessary, in violation of COPPA regulations. TikTok settled with the FTC for $5,700,000.00 and agreed to comply with COPPA by removing all videos made by children under 13, removing deleted profiles and videos from its servers. TikTok will remain under COPPA regulations and under the watch of the FTC for future violations.