Don’t Believe Me Just Watch: Choose Profits over Privacy and the FTC may Funk You Up

By: Nicole Kardell

• An app for children–wee ones even–to publicize videos of themselves jamming to their favorite tunes.
• An app that, by default, allows its users to communicate directly with any other users, including wee ones.
• An app that provides its users a list of other users within a 50-mile radius who they can follow or contact directly (feature removed in 2016).

What could pervert-ibly go wrong? It sounds like the makings of a Law and Order Special Victims Unit episode and I don’t think I need to detail how.

Even the most laissez-faire of us cringe at the thought of exposing children in this very public way. If there is a place for online oversight, protecting children from predators stands out as an incontrovertible cause. This is why Congress enacted a children’s online privacy law, the Children’s Online Privacy Protection Act (COPPA), back in the almost prehistoric Internet days of 1998 (while it has yet to make headway in general privacy legislation some 20 years later).

Very generally, COPPA requires websites to provide clear notice on data collection practices; to obtain verifiable parental consent to collect, use or disclose the personal information of children under the age of 13-including location tracking; to limit to how long websites can hold onto children’s personal information; and to delete children’s information upon a parent’s request.

The restrictions may not seem too onerous to the average Joe; they may seem tad light to the average parent of a JoJo Siwa-wannabe. But apparently, according to the Federal Trade Commission (FTC), the COPPA restrictions weren’t worth the bother for the app Musical.ly (now TikTok).

Musical.ly launched in 2014 and has since built a social platform of nearly 200 million users worldwide. The app is popular among young people who use it to create and share short videos lip-syncing to music. Among the features of the app are song folders to help users select songs for their videos. There’s a song folder titled “Disney” and another titled “school.” Needless to say, the functions and features of the app cater to, and have attracted, tweens and younger.

While the app has been good about finding ways to build its youthful base, the FTC alleged that it has not been so good at obtaining parental consent for those wee ones’ accounts (see COPPA requirements above). And so, the FTC, which enforces COPPA, stepped in. Following an investigation, the FTC filed a complaint and settled with Musical.ly in late February. The FTC’s complaint alleges, among other disturbing things, that Musical.ly had actual knowledge that it was collecting personal information from children under 13: “The youth of the user base is easily apparent in perusing users’ profile pictures and in reviewing users’ profiles, many of which explicitly note the child’s age, birthdate, or school.” The FTC also alleges that Musical.ly received thousands of complaints from parents that their children under 13 had created accounts. In spite of Musical.ly’s knowledge and the parents’ requests, the app failed to delete the children’s personal information, according to the FTC.

So what kind of punishment was inflicted on this company for its disregard of the law or children’s safety? Musical.ly was fined a whopping $5.7million for its violations of COPPA, enjoined from violating the law, and ordered to take offline videos make by children under 13 years old.

The fine made some headlines because it was the largest monetary settlement the FTC has obtained in a COPPA matter. But the fine, much like the order that Musical.ly be enjoined from violating the law, seems more like a nominal penalty. The company was recently purchased by ByteDance for nearly $1billion. A $5.7 million fine is may not be significant in the context of the company as a whole. However, it should be a cautionary tale to organizations collecting children’s information.

The discrepancy between Musical.ly’s hefty valuation and nominal fine has raised concerns of a few movers and shakers in the legal world, including vocal privacy advocates and Congressional members. It also caught the attention of FTC commissioners who hinted that enforcement needs to go further. FTC Commissioners Rohit Chopra and Rebecca Kelly Slaughter issued a joint statement on the Musical.ly settlement noting executives should be held accountable when their companies violate the law. The FTC Commissioners’ stated: “As we continue to pursue violations of law, we should prioritize uncovering the role of corporate officers and directors and hold accountable everyone who broke the law.”

We expect continued FTC enforcement of COPPA and a focus on protecting children’s privacy rights. The trend is toward more protections and enforcement. There is even recent movement on the Hill to amend COPPA to expand required parental controls and to extend protections to teens aged 13-15.

We often advise clients to limit their services to users 13 years of age or over, if possible.  If younger users are allowed, organizations need careful COPPA compliance procedures. And take heed of Commissioners Chopra and Slaughter’s not-so-subtle presage: If you are calling the shots at your business, and you choose to fire first and ask questions later, you may find yourself in the overexposed, under protected, spotlight.