The cost of violating the Children’s Online Privacy Protection Act (COPPA) has been steadily rising, and companies subject to the law should take heed. Last week, the Federal Trade Commission (FTC) announced a record-setting $5.7 million settlement with the mobile app company Musical.ly for a myriad of COPPA violations, exceeding even the December 2018 $4.95 million COPPA settlement by the New York Attorney General. Notably, two Commissioners issued a statement accompanying the settlement, arguing that the FTC should prioritize holding executives personally responsible for their roles in deliberate violations of the law in the future.
COPPA is intended to ensure parents are informed about, and can control, the online collection of personal information (PI) from their children under age thirteen. Musical.ly (now operating as “TikTok”) is a popular social media application that allows users to create and share lip-sync videos to popular songs. The FTC cited the Shanghai-based company for numerous violations of COPPA, including failure to obtain parental consent and failure to properly delete children’s PI upon a parent’s request.
COPPA Clearly Applied to the Musical.ly App
COPPA applies to an operator of a website, mobile application, or other online service that either (1) is directed to children under thirteen, or (2) has actual knowledge that it collects PI from children under thirteen. According to the FTC complaint, Musical.ly satisfied both prongs. First, citing the factors set forth in the FTC’s COPPA Rule for determining whether an online service is directed to children, the FTC charged that the Musical.ly app was “directed to children” because it targeted children “as one audience.” Specifically, a large portion of users were underage, the app had song categories like “Disney” and “School,” and the app was used by celebrities who are popular with tweens. The FTC further stated that the “core activity of the app” – creating lip-sync videos – is a “child-oriented activity.”
That final point may arguably be a stretch. (Who doesn’t love karaoke?) But the FTC also accused Musical.ly of having actual knowledge of its users’ ages. The company received thousands of complaints from parents whose children used the app without their consent, and merely perusing the user profile pages and photos (many of which featured a user’s self-reported age, birthdate, or school) would reveal that many users were underage. Finally, in 2016, the company was made aware that many of its most “followed” users were under thirteen.
What Not to Do When You’re Subject to COPPA
The FTC complaint details the myriad ways in which Musical.ly allegedly failed to comply with COPPA, and companies should take care not to mirror any of its mistakes.
The company allegedly failed to both obtain parental consent before collecting PI from children and post appropriate notices of its practices with respect to its collection of PI from children. Thousands of parents complained to the company that they were never asked for consent before their children signed up. From the app’s launch in 2014 until July 2017, Musical.ly did not request the age of its users, but it did require users to enter a short bio and submit their email, phone number, first and last names, and a photo. After July 2017, the company screened new users for age, but it did not confirm the age of existing users, nor did it seek parental consent for profiles clearly belonging to children under thirteen.
As reflected in complaints received by the company, the lack of parental notice and consent appalled many parents, particularly given how the application permitted the disclosure of PI. In addition to enabling children to publicly share videos of themselves, all user profiles were by default set to “public,” while “private” profiles hid only a user’s uploaded videos (that is, the “private” user’s profile and contact information were still viewable). By default, any user could directly message any other user, leading to reports of adults contacting minors. Moreover, up until 2016, the app collected geolocation, which it used to display a list of other users within a 50-mile radius of the user (with whom the user could then interact).
The company also allegedly violated COPPA’s data deletion and retention obligations: if a parent contacted Musical.ly to close his or her child’s account, Musical.ly would close the account but not delete the child’s videos or profile information from its servers. As the FTC recently reminded businesses, COPPA requires deletion of children’s PI if the information no longer serves the purpose for which it was collected.
A Record-Setting Settlement Means “Think Twice About COPPA”
Given the number of missteps by Musical.ly, it may not be surprising that the company ultimately agreed to a record-setting $5.7 million settlement with the FTC. The company agreed to delete the PI of children under thirteen lacking the required parental consent, and it is now subject to a multi-year consent order that imposes a variety of compliance, reporting, and recordkeeping obligations on it.
In the FTC’s own blog post describing the settlement, companies were warned to “think twice before concluding ‘We’re not covered by COPPA.’” Indeed, the Musical.ly case highlights the many ways in which a consumer-facing service might be subject to the law. The settlement also follows closely on a $4.95 million COPPA settlement from the New York Attorney General, potentially signaling a growing appetite among regulators for COPPA settlements. Even the $5.7 million settlement with Musical.ly likely represents a mere fraction of the company’s total potential liability under COPPA: the FTC is authorized to seek up to approximately $40,000 per violation (i.e., per child) in civil penalties (in addition to injunctive relief) for violations of COPPA.
The two Democratic Commissioners also issued a public statement suggesting that the Musical.ly settlement should have gone even further. Commissioners Slaughter and Chopra argue that the FTC should move away from the status quo, where individuals at companies largely avoid personal liability for grievous violations of the law, and hold individuals personally liable if they “made or ratified decisions to knowingly violate the law.” The statement was not specifically limited to COPPA. While such an expansion of enforcement may be unlikely to occur during the administration of the current Republican-led FTC, the Commissioners’ statement serves as a useful reminder to all companies: effective privacy compliance starts at the top of any organization.