Largest FTC COPPA settlement requires Musical.ly to change its tune

February 27, 2019

We’ll confess to singing along to a Stevie Nicks song or doing an air guitar solo when no one’s looking. But some people take their lip syncing to the next level. More than 200 million people – 65 million of them in the U.S. – downloaded the Musical.ly app. It gave users a platform to create videos and synchronize them with popular songs. It also allowed users to interact directly with each other. That may sound like fun for aficionados, but it raises concerns for parents, especially given public reports that adults have used the Musical.ly app to contact children. The FTC alleges Musical.ly violated the Children’s Online Privacy Protection Rule by collecting personal information from kids without parental consent. The $5.7 million civil penalty is the FTC’s largest ever under COPPA.

To register for the Musical.ly app, users provided their email address, phone number, full name, username, a profile picture, and a short bio. For the first three years, Musical.ly didn’t ask for the user’s age. Since July 2017, the company has asked about age and prevents people who say they’re under 13 from creating accounts. But Musical.ly didn’t go back and request age information for people who already had accounts.

The online library for Musical.ly – now known as TikTok – features lots of tracks popular with tweens and younger children. Once users create videos, they can share them publicly. Other users can comment and “follow” them to see more of their videos. By default, users’ accounts were set to “public,” meaning others could see their bio (which may include their age or grade in school), their profile picture, and username. Users had the option to set their accounts so that only approved followers could see their videos, but even then their bios, pictures, and usernames remained public and searchable.

By default, the app also let users send direct messages to any other user. Until October 2016, the app included a “my city” tab that gave people a list of other users within a 50-mile radius.

That’s how Musical.ly worked, so let’s turn to the operation of COPPA. The Rule applies to operators of websites and online services that: 1) are directed to children and collect personal information from them, or 2) are directed to a general audience, but have actual knowledge they’re collecting personal information from kids. If the site or service meets either definition, COPPA requires them – among other things – to get parental consent before collecting personal information from children under 13. The FTC’s complaint alleges Musical.ly was covered under both standards.

First, the FTC says Musical.ly met COPPA’s definition of a site “directed to children.” How does the agency make that determination? According to Section 312.2 of the Rule, data about audience composition is an important factor and in this case, the evidence suggested that a significant percentage of Musical.ly users were under 13. In fact, multiple press articles between 2016 and 2018 highlighted the popularity of the app among tweens and younger kids. The Rule lists additional factors like subject matter, visual content, music, and the presence of child celebrities or celebrities who appeal to kids. You’ll want to read the complaint for the details, but the FTC also cited Musical.ly song folders with titles like “Disney” (featuring music from movies like Toy Story and The Lion King) and “school” (featuring songs about school-related subjects or school-themed TV shows and movies). In addition, the complaint mentions the colorful emojis users could send to each other – cute animals, smiley faces, and the like.

Second, the complaint alleges that Musical.ly had actual knowledge the company was collecting personal information from children. A look at users’ profiles reveals that many of them gave their date of birth or grade in school. And since at least 2014, Musical.ly has received thousands of complaints from parents of kids under 13 who were registered users. In just a two-week period in September 2016, the company received over 300 complaints from Moms or Dads asking Musical.ly to delete their child’s account. Of course, under COPPA it’s not enough just to delete existing accounts. According to the FTC, Musical.ly failed to delete those kids’ videos and profiles from the company’s servers.

The complaint charges that Musical.ly violated COPPA by:

  • Failing to provide notice on their site of the information they collect online from children, how they use it, and their disclosure practices,
  • Failing to provide direct notice to parents,
  • Failing to get consent from parents before collecting personal information from children,
  • Failing to honor parents’ requests to delete personal information collected from kids, and
  • Retaining that personal information for longer than reasonably necessary.

In addition to the $5.7 million civil penalty, the company has agreed to change their practices to ensure COPPA compliance.

The primary message for other sites and services is to think twice before concluding “We’re not covered by COPPA.” According to COPPA, whether a company intends – or doesn’t intend – to have a site directed to kids isn’t what controls the analysis. Instead, the FTC will look to the site’s look and feel, as well as evidence that the company had actual knowledge that users are under 13. Visit the Business Center’s Children’s Privacy page for resources to help streamline your responsibilities under COPPA.
 

Comments

The Children's Advertising Review Unit of the Council of Better Business Bureaus appreciates the FTC action to protect children online and promote full compliance with COPPA by mobile apps.

We also greatly appreciate the Commission' s acknowledgment of the role of CARU in initially bringing this matter to the FTC's attention and the strong ongoing support for self-regulation by the FTC that this action demonstrates.

Many thanks to CARU for the great work they do in fostering effective self-regulation.

My identity has been compromised by theft of mine n my children personal information being compromised,

You can report identity theft and get a recovery plan at IdentityTheft.gov.

You can report what happened and get a personal recovery plan. You can create an account, get help with each step in the recovery and pdate your plan after you contact the businesses that were affected by the theft. The site has letters and forms you can send to credit reporting companies, businesses, debt collectors and others. 

 

While I applaud the FTC for pursing this enforcement action and levying this largest-ever fine, I'm skeptical that this will be a strong enough punishment to dissuade TikTok and its parent company, ByteDance, from repeating this offence in the future. While $5.7M is more money than TikTok booked as revenue in all of 2017, this sum is probably just a rounding error for parent company ByteDance ($75B valuation,) who might just see TikTok as a loss leader to build its overall subscriber base.

In addition to financial penalties, I think if would be beneficial to see the FTC empowered to take criminal action directly against executives/directors in situations like this. I believe making executives personally liable for accepting risks that violate the law with personal fines/potential jail time - especially where children are involved, and requests by parents are ignored - is potentially a more powerful deterrent than corporate fines. I'm hopeful that a failure to adhere to the agreement to change their practices would result in direct action against TikTok's executive leadership.

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.