FTC Investigation Leads to Lawsuit Against TikTok and ByteDance for Alleged Violations of the Children’s Online Privacy Protection Act

Hinch Newman LLP
Contact

On August 2, 2024, on behalf of the Federal Trade Commission, the Department of Justice sued video-sharing platform TikTok, its parent company ByteDance, as well as its affiliated companies, with allegedly violating the Children’s Online Privacy Protection Act. Allegations also include infringement of an existing FTC 2019 consent order against TikTok for violating COPPA.

The complaint alleges defendants failed to comply with the COPPA requirement to notify and obtain parental consent before collecting and using personal information from children under the age of thirteen (13).

ByteDance and its related companies allegedly were aware of the need to comply with the COPPA Rule and the 2019 consent order and knew about TikTok’s compliance failures that put children’s data and privacy at risk, the FTC states. “Instead of complying, ByteDance and TikTok spent years knowingly allowing millions of children under 13 on their platform designated for users 13 years and older in violation of COPPA, according to the complaint.”

According to the complaint, as of 2020, TikTok had a policy of maintaining accounts of children that it knew were under thirteen unless the child made an explicit admission of age and other rigid conditions were met. TikTok human reviewers allegedly spent an average of only five to seven seconds reviewing each account to make their determination of whether the account belonged to a child.

The company allegedly continued to collect personal data from these underage users, including data that enabled TikTok to target advertising to them—without notifying their parents and obtaining their consent as required by the COPPA Rule. Even after it reportedly changed its policy not to require an explicit admission of age, TikTok continued to unlawfully maintain and use personal information of children, according to the complaint.

TikTok’s practices purportedly prompted its own employees to raise concerns. As alleged, after failing to delete numerous underage child accounts, one compliance employee allegedly noted, “We can get in trouble … because of COPPA.”

In addition, the complaint alleges that TikTok built back doors into its platform that allowed children to bypass the age gate aimed at screening children under 13. TikTok allegedly allowed children to create accounts without having to provide their age or obtain parental consent to use TikTok by using credentials from third-party services like Google and Instagram. According to the complaint, TikTok classified such accounts as “age unknown” accounts, which grew to millions of accounts.

Even when it directed children to use the TikTok Kids Mode service, a more protected version for kids, allegations include that TikTok collected and used their personal information in violation of COPPA. Allegations also include that TikTok collected numerous categories of information and far more data than it needed, such as information about children’s activities on the app and multiple types of persistent identifiers, which it used to build profiles on children, while failing to notify parents about the full extent of its data collection and use practices.

For example, TikTok allegedly shared this personal data with third parties such as Facebook and AppsFlyer to persuade existing Kids Mode users to use the service more after their use had declined or ceased, through a practice TikTok called “retargeting less active users,” according to the complaint.

TikTok also allegedly made it difficult for parents to request that their child’s accounts be deleted. When parents managed to navigate the multiple steps required to submit a deletion request, TikTok often failed to comply with those requests. TikTok also purportedly imposed unnecessary and duplicative hurdles for parents seeking to have their children’s data deleted. That practice allegedly continued even after the executive responsible for child safety issues purportedly told TikTok’s then-CEO, “we already have all the info that’s needed” to delete a child’s data when a parent requests it, yet TikTok would allegedly not delete it unless the parent fills out a second, duplicative form. If the parent did not do that, the executive allegedly added, “then we have actual knowledge of underage user[s] and took no action!”

“TikTok knowingly and repeatedly violated kids’ privacy, threatening the safety of millions of children across the country,” said FTC lawyer and Chair Lina M. Khan. “The FTC will continue to use the full scope of its authorities to protect children online—especially as firms deploy increasingly sophisticated digital tools to surveil kids and profit from their data.”

“The Justice Department is committed to upholding parents’ ability to protect their children’s privacy,” said Principal Deputy Assistant Attorney General Brian Boynton. “This action is necessary to prevent the defendants, who are repeat offenders and operate on a massive scale, from collecting and using young children’s private information without any parental consent or control.”

The complaint also claims that TikTok began violating the terms of the 2019 FTC order shortly after it went into effect. Two TikTok entities (previously Musical.ly and Musical.ly Inc., which ByteDance acquired in 2017 and renamed) agreed to the terms of the order to settle allegations that they allegedly violated the COPPA Rule by unlawfully collecting personal information from children under the age of thirteen.

Additionally, the complaint alleges that TikTok failed to:

  • notify parents about all of the personal data they were collecting from children;
  • obtain parental consent for the collection and use of that data;
  • limit the collection, use, and disclosure of children’s personal information; and
  • delete children’s personal information when requested by parents or when it was no longer needed.

The complaint asks the court to impose civil penalties against ByteDance and TikTok and to enter a permanent injunction against them to prevent future violations of COPPA. The FTC Act allows civil penalties up to $51,744 per violation, per day. Consult with a seasoned FTC CID lawyer with questions about COPPA compliance, or if your company is the subject of a civil investigative demand or regulatory enforcement action related to advertising or marketing practices.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Hinch Newman LLP

Written by:

Hinch Newman LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Hinch Newman LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide