FTC’s Largest Penalty to Date under COPPA Imposed on Music Video Social Networking App
Cybersecurity and Privacy Alert
The owner of a video social networking app, Musical.ly, has agreed to pay a $5.7 million civil penalty to settle a complaint brought by the Federal Trade Commission (FTC) alleging violations of the Children’s Online Privacy Protection Act (COPPA), the FTC announced on February 27. The FTC’s complaint, filed in federal court in California, alleged that Musical.ly collected personal information from children without the consent of a parent or legal guardian. This penalty is the largest ever secured under COPPA, which prohibits unfair or deceptive acts or practices in collecting, using, and disclosing personal information obtained from or about children on the internet. The rules implementing COPPA define “children” as those younger than 13.
Since its launch in 2014, the Musical.ly app has been downloaded by more than 200 million people. At least 65 million of those Musical.ly accounts are registered in the United States. The app gives users a platform to create and share videos, which they lip-sync to music in the app’s online library. Users can communicate directly with each other, commenting on others’ videos and “following” them to see additional videos. The FTC alleged that adults used the Musical.ly app to contact children. News stories reported that in some cases, children were solicited to send nude images through the app.
To register to use the Musical.ly app, users were required to provide their full name, email address, telephone number, profile picture, a short bio, and a user name. In its first three years of operation, Musical.ly did not require registrants to provide their age. Although Musical.ly began asking about age in July 2017 and preventing those who said they were younger than 13 from creating accounts, the company did not retroactively request the age of those who already had registered accounts. And even when Musical.ly complied with requests to delete children’s accounts, it did not delete their videos and profiles from its servers.
Users’ accounts defaulted to a “public” setting, so that others could see their bios, their profile pictures, and their user names. This information remained public and searchable even if users restricted access to their videos to “approved” followers. Until October 2016, the app also offered a “my city” feature tab that showed other users within a 50-mile radius.
In December 2017, ByteDance Ltd., a Chinese company, acquired Musical.ly, and in August 2018, the Musical.ly app was merged with the TikTok app under the TikTok name. Musical.ly operates the merged app.
Does COPPA apply to Musical.ly?
COPPA applies to operators of websites and online services that are directed to children and collect personal information from them. COPPA also applies to operators of websites and online services directed to general audiences if the operators know they are collecting personal information from children. According to the FTC, Musical.ly met both of these tests.
To show that the app is directed to children, the FTC relied on evidence such as press coverage about the app’s popularity with children, song folders in the app’s online library with titles such as “Disney” and “school,” and offerings of child-themed emojis that users could send to each other. Even the purpose of the app, creating and sharing short videos of users lip-syncing to music, is “a child-oriented activity,” the FTC alleged.
To show that even if the app was directed to general audiences Musical.ly knew it was collecting personal information from children, the FTC relied on a wealth of evidence, from user profiles that self-identify the users as being under 13, to “thousands of complaints” from parents that their children under 13 had created accounts without their knowledge. Until April 2017, the app’s web page stated “If you have a young child on Musical.ly, please be sure to monitor their activity on the App.” In addition, in February 2017, after learning that 46 of the app’s most popular users appeared to be younger than 13, Musical.ly sent emails to the users telling them to edit their profiles “to indicate that their accounts were being run by a parent or adult talent manager.”
Thus, the FTC asserted, Musical.ly met both criteria for coverage by COPPA.
Did Musical.ly violate COPPA?
COPPA imposes seven basic requirements on operators of websites and other online services. They must:
- Give parents or legal guardians direct notice before collecting personal information from children online, and get the parents’ or guardians’ verifiable consent to do so;
- Offer parents or guardians the option of consenting to collection and use of children’s information internally but prohibiting disclosure of the information to third parties (with limited exceptions);
- Allow parents or guardians an opportunity to review the personal information their children provide and have it deleted;
- Allow parents or guardians the opportunity to prevent any further use or collection of children’s personal information;
- Safeguard the confidentiality, security, and integrity of information collected online from children; and
- Keep the information collected online from children only as long as needed to fulfill the purpose for which it was collected, and use reasonable measures when deleting the information to guard against unauthorized access to it or use of it.
Since its enactment in 1998, COPPA has been amended several times to accommodate changes in technology. For example, the COPPA Rule’s definition of “personal information” was expanded to include photos, videos, and audio recordings of children, geolocation data, and persistent identifiers that can recognize users over time and across different sites and services, such as user names, cookies, and mobile device IDs.
The FTC’s complaint alleged a handful of COPPA violations by Musical.ly, including that it:
- Failed to give notice on its site of the kinds of information it collected online from children, how it used that information, and how and when it disclosed that information;
- Failed to give direct notice to children’s parents or legal guardians of this same information – that is, the kinds of information collected, how it was used, and how and when it was disclosed;
- Failed to get consent from parents or legal guardians before collecting their children’s personal information;
- Failed to honor requests to delete personal information; and
- Retained personal information longer than was reasonably necessary to fulfill the purpose for which it was collected.
The FTC’s complaint noted that each collection, use, or disclosure of a child’s personal information in violation of COPPA constitutes a separate violation. Under federal statutes that adjust penalties for inflation, each violation occurring after January 22, 2018, is subject to up to $41,484 in civil penalties. Injunctive relief is available as well.
In addition to agreeing to pay $5.7 million to settle the FTC’s complaint, Musical.ly agreed to change its privacy practices to comply with COPPA, to take down videos made by users under 13, and to destroy the personal information it maintained for users under 13 unless it obtains verifiable parental consent for the collection, use, and disclosure of that information.
If COPPA Is Not on Your Radar, It Should Be
The most important message this case sends to operators of online services is simply this: If COPPA is not on your radar, it should be. In determining whether COPPA’s restrictions apply, the FTC looks beyond whether an operator intends for its website to be directed to children; it also considers whether the site has a “look and feel” that attracts children and whether the operator knows the site has users who are children. The commonly used statement that “this site is not intended for children younger than 13” should not provide a false sense of security to operators. A stated intention alone will not shield an operator from liability under COPPA.
FTC Chairman Joe Simmons said the $5.7 million penalty secured against Musical.ly should send a message that the FTC takes COPPA seriously and “will not tolerate companies that flagrantly ignore the law.” Some, however, suggest that the FTC still “tolerated” more than it should have. Two of the FTC’s five commissioners issued a joint statement saying that although this case represents “a major milestone” in the FTC’s COPPA enforcement efforts, its focus should have extended beyond the company itself, to its officers and directors. “When any company appears to have made a business decision to violate or disregard the law, the Commission should identify and investigate those individuals who made or ratified that decision and evaluate whether to charge them,” the commissioners said.
Sen. Edward J. Markey (D-Mass), who authored COPPA while a member of the U.S. House of Representatives, also said the fine against Musical.ly was a “historic high,” but still “not high enough” for the harm done to children and for deterring future violations by others. “Kids’ lives are increasingly lived online, and companies like TikTok [formerly Musical.ly] have been all too eager to take advantage of child app users at every turn,” Markey said, signaling that the issues COPPA addresses are on the radar of legislators and regulators as well.
Ignore Self-Regulatory Groups at Your Peril
Another important message this case sends to operators of online services is this: Never underestimate the important role that self-regulatory groups play in the regulatory process. The Musical.ly case was referred to the FTC by the Better Business Bureau’s Children’s Advertising Review Unit (CARU) after the company declined to comply with CARU’s recommendations concerning children’s privacy. CARU monitors websites and mobile services’ compliance with its Self-Regulatory Program for Children’s Advertising (which includes privacy guidelines), as well as compliance with COPPA.
CARU noted various indicators that the Musical.ly app was used by children, and noted that Musical.ly did not ask for age or date of birth in its registration process. Although Musical.ly eventually implemented age-screening, it argued that its app was directed to a general audience, not to children. To support this position, Musical.ly argued that the app does not feature animated characters or child-oriented language; the app features professional “vloggers” from general audience online services; and social media and video-sharing apps and websites are accepted as having a general audience.
CARU was not persuaded. It found that Musical.ly was a “mixed audience” service that did indeed target children under the criteria set by COPPA. CARU noted that Musical.ly was not permitted to totally block children under 13 from engaging with its app, but it recommended that the operator screen potential users for age and then either get parental consent or direct them to content that does not involve collecting, using, or disclosing their personal information. (COPPA had been amended to permit this type of two-tiered system for “mixed audiences.”) Musical.ly declined to adopt CARU’s recommendation. CARU then referred the matter to the FTC. The rest, as they say, is history.
Interestingly, TikTok, in its own blog post on February 27, announced a new app experience that will “split users into age-appropriate environments, in line with FTC guidance for mixed audience apps.” The “limited, separate app experience” for younger users prohibits them from sharing personal information and limits their content and user interaction.