Mar 142019

FTC Announces Record-Setting $5.7M COPPA Penalty

Gabrielle Whitehall, Colleen Theresa Brown and Dean C. Forbes
, , , ,

On February 27, 2019, the Federal Trade Commission (“FTC”) announced a record-setting $5.7 million civil penalty against makers of the popular free video creation and sharing app, Musical.ly (now known as TikTok), for violations of U.S. children’s privacy rules. This is the largest civil penalty the FTC has issued concerning violations of the Children’s Online Privacy Protection Act (“COPPA”).

The Musical.ly video social networking app allowed users to make 15-second videos of themselves (e.g., lip-synching and dancing to songs), and then share them with other Musical.ly users. According to the FTC, the app had been downloaded over 200 million times globally, and  65 million accounts were registered in the U.S. Registered users were asked to provide: first and last name, phone number, email address, short bio, and profile picture.

The FTC alleged that Musical.ly met COPPA’s definition of a site “directed to children,” stating that the app is designed to appeal to young children, and that the company was aware that a significant percentage of users were children under the age of 13. The FTC also alleged that Musical.ly gained “actual knowledge” of such underage use, due to company practices such as collecting users’ dates of birth and grades via their profiles, and complaints received from parents who unsuccessfully sought to have their children’s information deleted. According to the FTC’s complaint, Musical.ly violated COPPA by failing to: provide notice on their site of personal information collection, use, and disclosure practices, or to directly notify parents about these practices; obtain parental consent before collecting information directly from children; and, delete personal information at the request of parents. The FTC Complaint also alleged that Musical.ly violated COPPA by retaining children’s personal information for longer than was reasonably necessary.

As a result of the FTC action, in addition to paying the $5.7M civil penalty, Musical.ly has agreed to destroy personal information linked to users’ accounts, or obtain parental consent for collection, use, and disclosure of previously improperly collected children’s information.

This FTC matter was particularly notable due to the joint statement issued by the two current Democratic Commissioners, Rebecca Slaughter and Rohit Chopra. While the FTC did not name individual defendants with the two named corporate entities, in their joint statement  Commissioners Slaughter and Chopra urged the agency to “prioritize uncovering the role of corporate officers and directors” in holding responsible those individuals accountable for alleged violations of consumer protection law, stating:

When any company appears to have a made a business decision to violate or disregard the law, the Commission should identify and investigate those individuals who made or ratified that decision and evaluate whether to charge them. As we continue to pursue violations of law, we should prioritize uncovering the role of corporate officers and directors and hold accountable everyone who broke the law. (Emphasis added)

While the concept of holding individuals liable for alleged egregious acts is not new to the FTC, the statement by these two the Commissioners signals that the agency may consider naming corporate officers and directors in future COPPA and general FTC Section 5 cases, and issuing significant monetary penalties, as methods for curbing future alleged violations.  The is an approach that mirrors warnings provided in recent years by the SEC to corporate directors for their role in addressing cyber risks, and underscores a trend emphasizing personal accountability for corporate leadership with regard to privacy, data protection and cybersecurity issues.

The FTC action in Musical.ly may be found here.

Gabrielle Whitehall

gwhitehall@sidley.com

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Dean C. Forbes

dforbes@sidley.com

You might also like
Washington State Enacts My Health My Data Act, Broadly Regulating Health-Related Data With a Private Right of Action

On April 27, 2023, Washington Gov. Jay Inslee, a Democrat, signed into law the state’s My Health My Data Act (the Act), which will become effective on March 31, 2024 (June 30, 2024, for small businesses). Despite its name, this is a comprehensive privacy bill that will affect many entities, including those outside of the traditional “health” context. The rights and obligations may apply to individuals other than Washington residents, as the law defines consumers as including persons whose data is merely collected or otherwise processed in the state.

FemTech Has Been Warned: UK’s ICO Indicates Closer Scrutinization of FemTech Apps

On 4 April 2023, John Edwards, the UK’s Information Commissioner, stated that the UK’s Information Commissioner’s Office (ICO) would be “going after providers of women’s health apps and auditing them, and getting them to change any practices that are non-compliant.” Speaking at the IAPP Global Privacy Summit in Washington DC, the Information Commissioner indicated that this proposed strategy forms part of the ICO’s new “agile” initiative, which will focus on “areas of vulnerability, targeting…intervention [where] that has the greatest impact”.

U.S. Securities and Exchange Commission Proposes Three Rules Related to Cybersecurity, Reopens Comment for One Rule

On March 15, 2023, the U.S. Securities and Exchange Commission (SEC) proposed three rules related to cybersecurity and the protection of consumer information and reopened the comment period for a proposed cybersecurity rule for investment advisers and funds. This significant action would impose new cybersecurity requirements for several SEC-registered entities, including with respect to these entities’ policies, incident response and notification procedures, and cybersecurity risk management. This Sidley commentary and analysis discusses the key features of each proposal, including new requirements and differences among each of the proposals.