FTC Sues TikTok and ByteDance for COPPA Violations and Breach of Settlement Agreement
HomepageBlog
FTC Sues TikTok and ByteDance for COPPA Violations and Breach of Settlement Agreement

FTC Sues TikTok and ByteDance for COPPA Violations and Breach of Settlement Agreement

Kaamel Lab
Kaamel Lab

On August 2, the U.S. Federal Trade Commission (FTC) announced that it has filed a lawsuit against TikTok and its parent company ByteDance, accusing them of violating the Children’s Online Privacy Protection Act (COPPA) and the 2019 settlement agreement between the FTC and Musical.ly (the predecessor of TikTok).

Case Background

Musical.ly was acquired by ByteDance in 2017 and rebranded as TikTok in May 2019. The FTC emphasized that the rebranding did not affect the compliance obligations established in the settlement agreement, and TikTok is still required to adhere to the terms of the agreement. In the 2019 settlement agreement, the FTC required Musical.ly to destroy the personal information of users under the age of 13 and delete accounts with unverifiable ages by May 2019, and to not violate COPPA and FTC regulations on children’s privacy. Additionally, the FTC required Musical.ly to maintain certain records in its operations to demonstrate compliance with the settlement agreement.
According to the investigation, as of 2020, TikTok had not destroyed all personal information of users under 13 as required by the settlement agreement. Instead, it defaulted to retaining accounts of known under-13 users unless the users explicitly indicated that they were under 13. The FTC stated that TikTok continued to collect personal data from these underage users, including data that allowed TikTok to target ads at them—without notifying their parents and obtaining the consent required under COPPA. Furthermore, TikTok failed to provide the FTC with the records required to demonstrate compliance with COPPA and COPPA rules as outlined in the settlement agreement.
The FTC also accused TikTok of setting up a "backdoor" on its platform that allowed children to bypass age verification mechanisms. According to the FTC’s investigation, TikTok allowed children to create accounts using third-party login credentials such as Google and Instagram without providing age information or obtaining parental consent. These accounts were categorized as "age unknown," and their number had grown to millions. The FTC found that TikTok collected various types of children’s personal information and data beyond what was necessary, such as information about children’s activities on the app and various types of persistent identifiers. TikTok used this data to build profiles on children without informing parents of the full scope of data collection and use. Even when users enabled "Kids Mode," TikTok still collected and used their personal information beyond the permitted scope.
The FTC also claimed in the lawsuit that TikTok created unnecessary obstacles for parents requesting the deletion of their children’s data. Parents were required to go through multiple steps to submit a deletion request, and in many cases, even after completing the required steps, TikTok did not comply with these deletion requests.
Based on the above facts, the FTC accused TikTok of failing to:
  • Inform parents of all personal data collected from their children;
  • Obtain parental consent for the collection and use of such data;
  • Limit the collection, use, and disclosure of children's personal information; and
  • Delete children’s personal information when requested by parents or when no longer needed.

Relevant Regulations

TikTok and ByteDance qualify as operators under COPPA and are subject to COPPA and related regulations. The FTC believes that TikTok’s actions violated several provisions of COPPA and the COPPA Rule, including:
  • Failing to provide notice on its website or online service about the information collected from children, how that information is used, its disclosure practices, and other content required by the rule, violating Sections 312.3(a) and 312.4(d) of the COPPA Rule.
  • Failing to make reasonable efforts to provide direct notice to parents about the information collected online from children, how that information is used, its disclosure practices, and other content required by the rule, violating Sections 312.4(b) and 312.4(c) of the COPPA Rule.
  • Collecting, using, or disclosing children’s personal information without parental consent, violating Sections 312.3(b) and 312.5(a)(1) of the COPPA Rule.
  • Failing to provide parents with a reasonable means to refuse further use or retention of any personal information collected from their children, violating Sections 312.3(c) and 312.6(a)(2)-(3) of the COPPA Rule.
  • Failing to provide parents with a way to request the deletion of personal information collected from their children, violating Section 312.6(a)(2) of the COPPA Rule.
  • Failing to delete personal information collected from children upon parental request, violating Section 312.6(a)(2) of the COPPA Rule.
  • Retaining children’s personal information for longer than reasonably necessary, violating Section 312.10 of the COPPA Rule.
  • Failing to promptly delete personal information collected from children in response to specific requests, violating Section 312.5 of the COPPA Rule.
  • Failing to limit the use of children’s personal information to the limited purposes allowed by the exceptions to the prior parental consent requirement, violating Section 312.5(c) of the COPPA Rule.
  • Failing to limit the use of children’s personal information, which lacks verifiable parental consent, to the purposes allowed under the rule, violating Section 312.5(c) of the COPPA Rule.
  • Requiring disclosure of personal information beyond what is reasonably necessary to participate in online services, as a condition for children's participation, violating Section 312.7 of the COPPA Rule.
  • Violating COPPA Section 1303(c) and FTC Act Section 18(d)(3), where such rule violations constitute unfair or deceptive acts or practices in commerce.

FTC's Demands

The FTC filed the lawsuit in the U.S. District Court for the Central District of California, requesting the court issue a permanent injunction to prevent TikTok and ByteDance from continuing to violate COPPA and impose civil penalties. The FTC stated that under the FTC Act, each violation could result in fines of up to $51,744 per day.
As of now, TikTok has not responded to the allegations. Kaamel will continue to monitor the latest developments in the case, committed to providing you with the latest information and updates on privacy protection. Please stay tuned for our updates as we bring you more related information on privacy protection.