On February 27, 2019, the Federal Trade Commission (“FTC”) announced a record-setting $5.7 million civil penalty against makers of the popular free video creation and sharing app, Musical.ly (now known as TikTok), for violations of U.S. children’s privacy rules. This is the largest civil penalty the FTC has issued concerning violations of the Children’s Online Privacy Protection Act (“COPPA”).
The Musical.ly video social networking app allowed users to make 15-second videos of themselves (e.g., lip-synching and dancing to songs), and then share them with other Musical.ly users. According to the FTC, the app had been downloaded over 200 million times globally, and 65 million accounts were registered in the U.S. Registered users were asked to provide: first and last name, phone number, email address, short bio, and profile picture.
The FTC alleged that Musical.ly met COPPA’s definition of a site “directed to children,” stating that the app is designed to appeal to young children, and that the company was aware that a significant percentage of users were children under the age of 13. The FTC also alleged that Musical.ly gained “actual knowledge” of such underage use, due to company practices such as collecting users’ dates of birth and grades via their profiles, and complaints received from parents who unsuccessfully sought to have their children’s information deleted. According to the FTC’s complaint, Musical.ly violated COPPA by failing to: provide notice on their site of personal information collection, use, and disclosure practices, or to directly notify parents about these practices; obtain parental consent before collecting information directly from children; and, delete personal information at the request of parents. The FTC Complaint also alleged that Musical.ly violated COPPA by retaining children’s personal information for longer than was reasonably necessary.
As a result of the FTC action, in addition to paying the $5.7M civil penalty, Musical.ly has agreed to destroy personal information linked to users’ accounts, or obtain parental consent for collection, use, and disclosure of previously improperly collected children’s information.
This FTC matter was particularly notable due to the joint statement issued by the two current Democratic Commissioners, Rebecca Slaughter and Rohit Chopra. While the FTC did not name individual defendants with the two named corporate entities, in their joint statement Commissioners Slaughter and Chopra urged the agency to “prioritize uncovering the role of corporate officers and directors” in holding responsible those individuals accountable for alleged violations of consumer protection law, stating:
When any company appears to have a made a business decision to violate or disregard the law, the Commission should identify and investigate those individuals who made or ratified that decision and evaluate whether to charge them. As we continue to pursue violations of law, we should prioritize uncovering the role of corporate officers and directors and hold accountable everyone who broke the law. (Emphasis added)
While the concept of holding individuals liable for alleged egregious acts is not new to the FTC, the statement by these two the Commissioners signals that the agency may consider naming corporate officers and directors in future COPPA and general FTC Section 5 cases, and issuing significant monetary penalties, as methods for curbing future alleged violations. The is an approach that mirrors warnings provided in recent years by the SEC to corporate directors for their role in addressing cyber risks, and underscores a trend emphasizing personal accountability for corporate leadership with regard to privacy, data protection and cybersecurity issues.
The FTC action in Musical.ly may be found here.