The Bottom Line
- The sheer size of the Musical.ly settlement illustrates that the FTC continues to have a strong interest in enforcing COPPA.
- Online services cannot hide behind language in their terms and conditions claiming not to be child-directed when they include numerous activities that appeal to children and have actual knowledge they have collected personal information from children in violation of COPPA.
- Notably, this case came as a referral from the Children’s Advertising Review Unit (CARU), the children’s arm of self-regulation, thereby demonstrating the importance of self-regulation unless companies are willing to face significant regulatory penalties in the future.
The Federal Trade Commission (FTC) recently obtained the largest civil settlement ever in a children’s privacy case.
The FTC’s Complaint
The FTC filed a complaint in the U.S. District Court for the Central District of California alleging that Musical.ly (now known as TikTok), a video social networking app, collected personal information from children in violation of the Children’s Online Privacy Protection Act (COPPA). According to the FTC, a significant percentage of Musical.ly’s users were children under 13 years of age, as the app allows users to create short videos lip-syncing to music and to share those videos with other users and engage in other activities that are appealing to children.
To register for Musical.ly, users had to provide an email address, phone number, username, first and last name, a short biography and a profile picture. The FTC claimed that until October 2016, Musical.ly also collected geolocation information from users of the app and allowed users to view other users within a 50 mile radius of their location. The FTC further asserted that users could interact with other users by sending direct messages to them and user accounts were public by default, which meant that a child’s profile bio, username, picture and videos could be seen by other users. According to the FTC, Musical.ly collected this personal information from children without obtaining their parent’s verifiable consent in violation of COPPA.
In addition to finding that the app was directed to children, the FTC alleged that the operators of Musical.ly had actual knowledge that many users were younger than 13 years of age, as it had received thousands of complaints from parents that their children had created accounts on the app. Since July 2017, Muiscal.ly requested age information from new users during the registration process but it did not request age information from existing users who had already created accounts on the app.
In its complaint, the FTC alleged that Musical.ly:
- Failed to provide notice of the information it collected online from children, how the information was used and its disclosure practices;
- Failed to provide direct notice to parents of the information collected online from children, how that information was used and its disclosure practices for that information;
- Failed to obtain consent from parents before collecting or using personal information from children;
- Failed to delete personal information collected from children at the request of parents; and
- Retained personal information collected online from children for longer than reasonably necessary to fulfill the purpose for which the information was collected.
The Proposed Settlement
Musical.ly agreed to pay $5.7 million to settle the FTC action. In addition, Musical.ly agreed to an injunction requiring it to comply with COPPA in the future. It also agreed to remove all videos made by children under the age of 13. Further, Musical.ly agreed to comply with various reporting and recordkeeping obligations. All five FTC commissioners voted to approve the settlement. Two commissioners – Rohit Chopra and Rebecca Kelly Slaughter – issued a joint statement that was notable in several respects.
The statement noted that the FTC’s action “to crack down on the privacy practices of Musical.ly” was a “major milestone” for COPPA enforcement. The commissioners referred to what they characterized as Musical.ly’s “disturbing practices, including collecting and exposing the location and other sensitive data of young children” and they highlighted the FTC’s securing a “record-setting civil penalty and deletion of ill-gotten data.” The FTC’s action was “a big win in the fight to protect children’s privacy.”