Written by Brian Sommer. Sommer is of counsel with IME Law, PC, where he represents influencers, brands, leading talent, companies and financiers in traditional, interactive, and immersive media industries.
Last month, social networking app Musical.ly, now known as TikTok, agreed to settle and pay a $5.7 million fine to the United States government.
The fine is connected to allegations that TikTok illegally collected children’s personal information in violation of the Children’s Online Privacy Protection Act (COPPA).
This was the largest civil penalty obtained by the Federal Trade Commission (FTC), the U.S. federal agency charged with enforcing COPPA. This article explores how and why TikTok fell victim to FTC discipline, and how TikTok’s fate was easily avoidable.
'Age of Consent' is the New Order
COPPA was enacted in 1998 as a comprehensive body of U.S. law intended to protect the online privacy of American children under the age of 13. A similar framework exists under the General Data Protection Regulation (GDPR), which went into effect in the European Union last year.
Between GDPR regulations in the European Union and COPPA rules in the United States, social networking apps that attract children must navigate a complicated web of worldwide online regulations.
The GDPR includes a subset of sweeping protections similar to COPPA that are intended to protect EU children. For example, the GDPR sets the default age at 16 before apps can collect the personal information of a minor in the EU.
However, EU member states can elect to lower the age threshold from 16 to 13. For example, Great Britain set the age limit at 13, Austria elected 14, France 15, and Italy has kept 16. Between COPPA and GDPR, social networking apps with a worldwide presence face a complex web of varied ages of consent and rules to follow.
With COPPA, the primary goal is to empower parents with control over what information apps collect from their children under the age of 13. Operators of apps “directed to children” must comply with COPPA.
Factors the FTC considers when evaluating whether a website or app is directed at children under 13 include: subject matter of the site or service, its visual content, the use of animated characters or child-oriented activities and incentives, music or other audio content.
It also considers the age of models, the presence of child celebrities or celebrities who appeal to children, language or other characteristics of the website or online service or whether advertising, promoting or appearing on the website or online service is directed to children.
Apps such as TikTok that are intended for a general audience but will surely attract children under the age of 13 must employ reasonable ways to age-screen their users.
What 'Tiked' Off the FTC?
The FTC asserts in the complaint that a significant percentage of TikTok users are children under 13, and numerous press articles between 2016 and 2018 highlight the popularity of the app among tweens and younger children.
TikTok also allegedly violated COPPA rules by failing to notify parents about the app’s collection and use of personal information from users under 13, obtain parental consent before such collection and use, and delete personal information at the request of parents.
User accounts were public by default, which meant that a child’s profile bio, username, picture, and videos could be seen by other users. While the site allowed users to change their default setting from public to private so that only approved users could follow them, users’ profile pictures and bios remained public, and users could still send them direct messages, according to the complaint.
In response to the settlement, TikTok released a statement that it is working with the FTC to implement changes to accommodate users under the age of 13 via a limited, separate app experience that introduces additional safety and privacy protections designed specifically for this COPPA-protected audience.
The FTC lawsuit was only against two different TikTok corporations (the Chinese corporation and a related American corporation); no executives of TikTok were charged with wrongdoing. It is worth noting the joint statement related to the TikTok settlement that was issued by two of the five commissioners who head the FTC:
The statement reads: "FTC investigations typically focus on individual accountability only in certain circumstances - and the effect has been that individuals at large companies have often avoided scrutiny. We should move away from this approach. Executives of big companies who call the shots as companies break the law should be held accountable.
"When any company appears to have made a business decision to violate or disregard the law, the Commission should identify and investigate those individuals who made or ratified that decision and evaluate whether to charge them. As we continue to pursue violations of law, we should prioritize uncovering the role of corporate officers and directors and hold accountable everyone who broke the law."
The fate suffered by TikTok was avoidable. COPPA includes a “safe harbor” provision that allows a highly-qualified service provider to develop a COPPA safe harbor program and seek FTC approval for implementation.
The program must consist of rules at least as stringent as the COPPA rules. TikTok could have retained one of the FTC-approved service providers to try to ensure its compliance with COPPA.
For example, The Walt Disney Family of Companies implements COPPA compliance through PRIVO, one of the FTC-approved COPPA safe harbor service providers.
Understandably, implementing a best-in-class, worldwide online child compliance program is a tremendous business expense. But TikTok is owned by Bytedance, a privately held Chinese company with a $75 billion valuation.
Additionally, the TikTok app has been downloaded over a billion times, with nearly 80 million of those installs being in the U.S. alone. Between its significant financial resources and substantial U.S. presence, it is unclear why TikTok did not make U.S. compliance a priority.
As part of the FTC settlement, TikTok must meet significant compliance and reporting obligations to the FTC for the next five to ten years. Given the wealth amassed by TikTok’s parent company, the $5.7 million fine was a relatively paltry sum and a cost of doing business.
The real pain point for TikTok will be the years of ongoing scrutiny it faces from the FTC, a suffocating oversight that money can’t make go away.