Data Privacy Alert: TikTok to Pay $5.7 Million for Violating COPPA
By Hanne-Lore M. Gambrell & Craig S. Horbus on March 13, 2019
Last week, the operators of the lip-sync music video app Musical.ly, known as TikTok, agreed to pay a record-setting $5.7 million penalty for illegally collecting children’s data in the United States. The company was penalized for allowing children to use the application without parental consent, in violation of the Children’s Online Privacy Protection Act (“COPPA” or the “Act”).
The TikTok app allows users to create short videos lip-syncing to music, share those videos, and interact with other users. It has become popular over the last five years, having been downloaded more than 200 million times worldwide since 2014, with 65 million accounts registered in the United States. The FTC reported that a “significant percentage” of those users were under 13. The FTC noted that those user accounts, including names, profile pictures, and email addresses, were made public by default, and there were public reports of adults trying to contact children through the app. Additionally, according to the complaint, until October 2016, the app included a feature that allowed users to view other users within 50 miles of their location.
In addition to the extensive fine TikTok is required to pay, TikTok also agreed to take all videos made by U.S. users under 13 offline. FTC Chairman Joe Simons stated in a press release, “This record penalty should be a reminder to all online services and websites that target children: We take enforcement of COPPA very seriously, and we will not tolerate companies that flagrantly ignore the law.” TikTok stated that, moving forward, it would “prompt new and existing users to enter their age into the app, and that younger users would be offered a limited, separate app experience that introduces additional safety and privacy protections designed specifically for this audience.”
TikTok’s record-setting fine tops the previous highest fine under COPPA, $4.95 million, which was issued to AOL Inc., which also agreed to no longer allow advertisers to target children under 13 with online ads.
In light of this recent story, we cannot stress enough how important it is for our clients to remain diligent in ensuring compliance with the various regulations, including COPPA regulations, when it comes to data privacy and cybersecurity. A website or application audit to determine what data your company is handling is step one in that process. Even if you do not actively target or market to children, you may be required to follow certain COPPA provisions. Brouse McDowell is here to help our clients navigate these tricky waters. Brouse McDowell offers legal services related to data privacy and cybersecurity, including pre-breach and cybersecurity planning services, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Contact us for more information.