TikTok and COPPA

Written by Anthony Goel (legal writer) and last updated on 04 April 2020.

Collecting personal information from your customers without obtaining their prior consent can be risky. The repercussions can be even more severe if you're dealing with children.

The law requires companies to obtain parents' permission when collecting personal information about children. However, not all companies comply with these regulations. As a result, these organizations end up falling foul of the authorities.

Recently, the Federal Trade Commission (FTC) announced a $5.7 million settlement with Musical.ly over accusations that the company's app collected personal information about children illegally.

For the uninitiated, Musical.ly, now known as TikTok, has been a popular video social network among teens and younger kids. The app enables users to create short video clips set to music. Thereafter, users can share these clips with other users.

According to the FTC, the app did not seek parents' consent before collecting data from its users, primarily children below 13 years of age. Even worse, the site refused to delete videos and other data even after some parents asked it to.

Not surprisingly, the FTC imposed a record fine for a child privacy violation on Musical.ly (TikTok).


What Issues Led to the FTC Investigation of TikTok?

After purchasing Musical.ly in 2017, ByteDance, a Chinese internet conglomerate, merged it with TikTok, an app that the company already operated. In its Terms of Service, Musical.ly claimed to prohibit users below 13 years of age. But the app didn't collect age-related information from its users.

Moreover, the authorities found that TikTok:

  • Kept user accounts public by default
  • Enabled adults to contact other users, regardless of their age, and
  • Retained videos and personal account information about users on its servers even after deleting a child's account at the request of the parents

A casual review of the app by the FTC had revealed a large portion of users to be below 13 years of age. In many cases, the online service operators had not obtained the consent of the parents for collecting data about their children.

Moreover, the operators had not even bothered to notify the parents about their children using the app. The app even allowed users to view other users within a 50-mile radius until 2016.

Eventually, the FTC took cognizance of various news reports and a complaint by the Better Business Bureau to launch an investigation.

How Did TikTok End Up Violating the Provisions of Children's Online Privacy Protection Act (COPPA)?

The provisions specified in COPPA require companies providing online services to obtain the permission of the parents before they collect any personal data from children under the age of 13 years.

In its investigation, the FTC found that a large number of app users had not attained 13 years of age. More worryingly, several of these users had revealed sensitive information such as their names, schools and email addresses. Unscrupulous elements could easily misuse this information to the detriment of the users.

The app and its operators did nothing to verify the ages of these users, notify their parents, or obtain the parents' consent for storing data about their children. This put the app in violation of the provisions listed in COPPA.

Websites and online service operators targeting users below 13 years of age need to meet certain federal requirements by law. These requirements apply to the collection and sharing of personal information such as:

  • Names
  • Photos
  • Videos, and
  • Other personal identifiers, such as user names

These requirements find mention in COPPA - the law enacted by the FTC. However, many websites and apps, such as Musical.ly, prefer to cite ignorance and avoid triggering the provisions of COPPA. But, when the law catches up with those who do so, such excuses offer little, if any, recourse.

An Overview of COPPA and its Objectives

A large number of children have access to the internet nowadays.

In many cases, parents monitor the use of the internet for their children. However, with the increased use of mobile phones and smartphones by children, constant vigilance by the parents will not always be possible.

Similarly, not all websites and online service operators adhere to the law - especially laws governing the use and storage of user-related data.

Many websites and online service operators collect, store and process user-related data. Adults might display some prudence and care when it comes to providing this data and their assent. But, children, especially those under 13 years of age, will not be as vigilant. Thus, it comes as no surprise that they could be susceptible to the wiles of unscrupulous elements.

Enacted in 1998 by Congress, COPPA authorizes the FTC to issue and enforce regulation pertaining to the online privacy of children. The authorities enacted COPPA to give parents control over the information collected by websites and online service operators. In particular, COPPA aims to protect children below 13 years of age.

What Information Does COPPA Classify as Personal Information?

According to the provisions specified in COPPA, personal information includes details such as:

  • The first and last name
  • A physical address (including the name of a street, city or town)
  • Online contact information
  • A screen or user name (as it serves as online contact information)
  • A telephone number
  • A social security number
  • An identifier that can make it easier to recognize a user over time and across different websites or online services
  • A photograph, video or audio file that contains a child's image or voice
  • Geolocation information that can be sufficient for identifying the street name and the name of a city or town, and
  • Any other information pertaining to the child or to the child's parents that the operator collects online from the child and combines with an identifier

It is worth highlighting that the provisions specified in COPPA only apply to personal information collected online from children. As such, COPPA does not apply when website or online service operators collect information online about children from parents or other adults.

Who COPPA Applies to and What it Requires

The provisions specified in COPPA apply to operators of commercial websites and online services (including mobile apps) if these operators collect, use or disclose personal information from children below 13 years of age.

It applies to operators of general audience websites or online services catering to children under 13 years of age, too.

Website owners and online services operators falling under the purview of COPPA need to:

  • Post clear and comprehensive online Privacy Policies detailing their information practices pertaining to the collection of personal information from children online
  • Notify parents directly and obtain verifiable consent prior to collecting personal information online from children
  • Provide parents with the choice of consenting to the operator's collection and internal use of the child's information, while prohibiting the disclosure of this information to third parties
  • Enable parents to access and review their child's personal information and delete it
  • Give parents the opportunity to prevent the further collection or use of a child's personal information
  • Maintain the security, integrity and confidentiality of the information collected from children, and
  • Retain the information collected online from children for only as long as needed to fulfill the purpose for which the collection took place

The provisions specified in COPPA apply to website owners and online service operators who collect personal information from children online. So, if your website or online service does not do this, you will not fall under the purview of COPPA.

However, it might be useful to carry out random checks regularly to keep yourself compliant with COPPA.

In some instances, some children could still enter personal information online. This would be sufficient to trigger the laws that mandate compliance with COPPA.

Similarly, if your website or online service collects personal information from children online, you will need to adhere to the COPPA requirements specified above. Among other things, you will need to:

  • Notify the parents of the child about the collection and internal use of the child's personal data
  • Obtain verifiable consent from the parents about the collection and internal use of the child's personal data (see one possible method below)
    [Image: Microsoft parental consent request form with checkbox - COPPA]
  • Store all such data on your servers securely to prevent leakage and misuse
  • Delete the data once the purpose for which the data collection took place has concluded, or if the parents so request, and
  • Avoid disclosing the information collected to third parties - especially without obtaining verifiable consent from the parents

The Importance of Having a Good Privacy Policy in Place to Stay Compliant with COPPA

The FTC urges all website owners and online services to post detailed Privacy Policies online. Doing so would make it easier for visitors to learn about the website or app operator's information-related practices.

For instance, in Section 312.4 (d) of COPPA, the FTC has highlighted the three categories of information that online Privacy Policies need to feature.

They include:

  • The names, addresses, telephone numbers and email addresses of all operators collecting or maintaining personal information through the website or online service
  • A description of:
    • The details the operator collects from children
    • Whether the operator enables the children to make their personal information available publicly
    • The manner in which the operator uses or processes the information collected from children, and
    • The disclosure practices that the operator follows for the information collected
  • An indication of the rights of the child's parents to:
    • Review the child's personal information
    • Request the deletion of the child's personal information
    • Refuse to permit the operator to further collect or use the child's personal information, and
  • A statement of the procedures for reviewing and requesting the deletion of the child's personal information, and for refusing to permit the operator to collect or use the child's personal information any further

Following these guidelines could enable you to stay on the right side of the law. It could also enable you to avoid the fate of TikTok.

Sample COPPA-Compliant Privacy Policies

If you collect personal information from children below 13 years of age, you will fall under the purview of COPPA. To comply with its provisions, update your Privacy Policy in line with the FTC recommendations cited above.

For instance, consider the following clause that indicates how National Geographic Kids collects information from children. This Privacy Policy not only states that the website collects information from children, it also indicates the type of information that it collects:

National Geographic Kids Privacy Policy: Activity Information clause

In case you do not collect any information from children knowingly, you might want to check out Nestle's Privacy Policy.

The text in the policy clearly indicates that the website does not collect any personal data from children knowingly. It also highlights the company's practices on finding such data in its records:

Nestle Privacy Policy: Personal Data of Children clause

Similarly, check out the following clause from Gooseberry Planet - an educational software platform. The snapshot below highlights the type of information collected from children using the app.

In addition, it highlights that the service operator has obtained the consent from the child's parent or legal guardian for the use of the child's data by virtue of the child's parents or legal guardians letting the child use the platform or registering a Children's Account Data:

Gooseberry Planet Privacy Policy: Children's Account Data clause

This next clause, from the same organization, highlights the guidelines pertaining to the retention and deletion of personal data:

Gooseberry Planet Privacy Policy: Retaining and Deleting Personal Data clause

The following clause indicates the measures that the website owners or operators of Gooseberry Planet take for keeping the personal data secure and safe:

Gooseberry Planet Privacy Policy: Security of Personal Data clause

Lastly, the clause below, from BabyTV, a website that offers dedicated content for babies, toddlers and parents, clearly defines the rights the parents have with regard to the data collected by the website about the child.

BabyTV Privacy Policy: What are Your Rights With Regard to Personal Data clause

The Final Word on COPPA Compliance

The collection, use and storage of any personal information has assumed great importance in recent times. When done lawfully, it can serve to protect the privacy of the individual. If this information happened to fall into the wrong hands, it could be quite distressing and detrimental to the individual concerned.

Children, especially those below 13 years of age, do not understand the ramifications of securing their personal information. Therefore, the responsibility of ensuring that this information remains secure from misuse falls on the parents and legal guardians of the child.

However, this does not excuse the owners or operators of websites, apps and online services.

The FTC has expressly specified the aspects that website owners and online service operators need to heed when they collect personal information from children online.

Among other things, these operators need to:

  • Obtain the consent of the child's parents for collecting personal information from the child
  • Keep the data secure in a manner that eliminates the misuse of this information, and
  • Give parents the right to review, request the deletion of and forbid the collection of any more information about their child

Responding to the FTC action, TikTok indicated that it would set up a new app for children below 13 years of age. This app would prevent the sharing of personal information. It would also limit the type of content that its users can post or share.

Unfortunately, this decision came after the FTC had penalized Musical.ly with a settlement to the tune of $5.7 million.

Therefore, if you collect personal information from children, ensure that you handle the information correctly and update your Privacy Policy. This will make your websites, apps and online services compliant with the provisions specified in COPPA. It could also help you avoid incurring the wrath of the authorities.