The U.S. Federal Trade Commission announced a $5.7 million agreement with video social networking app Musical.ly (now TikTok) to settle alleged violations of the Children’s Online Privacy Protection Act. The settlement surpasses a December 2018 agreement between the New York Attorney General’s office and Oath as the largest fine for COPPA violations by any enforcement agency. Noteworthy is a joint statement from Commissioners Rohit Chopra and Rebecca Kelly Slaughter — published with the stipulated order — that suggests the FTC may investigate individual corporate officers in future cases of egregious conduct.

Musical.ly’s alleged violations include actual knowledge

The FTC found that Musical.ly violated COPPA because it allegedly failed to provide direct notice of its information practices to parents; to obtain verifiable parental consent prior to collection, use and disclosure of children’s personal information; and to delete personal information at the request of parents. It also allegedly retained children’s personal information for longer than reasonably necessary.

The COPPA Rule prohibits the unauthorized or unnecessary collection of children’s personal information online by operators of websites and online services. It applies to operators of a website or online service “directed to children” or with actual knowledge that the service collects, uses or discloses personal information from children. The FTC alleged that Musical.ly failed to take necessary steps to ensure compliance for an online service directed to children and, in many instances, had actual knowledge that it collected the personal information of children under the age of 13.

Musical.ly’s business practices

Musical.ly launched in 2014 as a video social networking application. It provides users the ability to create videos and synchronize them with music and audio clips from the service’s online music library or audio files stored on a user’s phone. Users can also “follow” and message each other. Until October 2016, a feature in the application allowed users to identify a list of other users within a 50-mile radius of their location. Initially, the application did not request or record a user’s age when a user created an account and registered for the service. In July 2017, the application began requesting age information from new users and prevented individuals who indicated they were under 13 years of age from creating an account. Users who created an account prior to July 2017 were not requested to verify their age.

The service was directed at children because it targeted them as one audience for the application and had actual knowledge that children under the age of 13 used the service. Many accounts created prior to July 2017 included age information in the optional “bio” section of a user’s profile. There, users would often explicitly state their age or reference their grade in school. In addition, the application included elements that would appeal to children, including song folders — available to use for lip-synching in the application — titled “Disney” and “school.” The service also received thousands of complaints and requests for deletion from parents whose children had created accounts on Musical.ly without their knowledge. The service closed the children’s accounts but did not delete the users’ videos or profile information. According to the FTC, “the youth of the userbase is easily apparent in perusing users’ profile pictures and in reviewing user’s profiles ... . A significant percentage of Musical.ly users are children under 13, and numerous press articles between 2016 and 2018 highlight the popularity of the App among tweens and younger children.”

The commission’s remedy

The stipulated order includes monetary civil damages, a permanent injunction for violative activities, deletion requirements, and compliance and reporting requirements. Musical.ly will pay $5.7 million in civil damages and is enjoined from failing to comply with the COPPA Rule in the future. It must also delete the personal information in its accounts or take steps to verify the age of users and delete the personal information of users under the age of 13 for which the service does not obtain parental consent or who fail to verify their age. Strict reporting, recordkeeping, and compliance-monitoring measures are also included in the order.

Joint statement from Commissioners Chopra and Slaughter signals possibility for investigation of individuals in the future

In an extraordinary declaration, Commissioners Rohit Chopra and Kelly Slaughter issued a joint statement in conjunction with the release of the complaint and proposed order. The statement hails the action as a “major milestone” for the FTC's COPPA enforcement program and indicates that some of the commissioners have an appetite for more aggressive enforcement against individual corporate officers.

The commissioners state that the agency “uncovered disturbing practices” that “reflected the company’s willingness to pursue growth even at the expense of endangering children.” The collection and exposure of location data of young children were particularly disturbing to the commissioners. Ultimately, the “record-setting civil penalty” and other remedies put a stop to this “egregious conduct.”

The joint statement is remarkable for its clear expression of a willingness on the part of Chopra and Slaughter to see the FTC expand its pursuit of individual accountability in investigations. They bemoan the fact that individual accountability of corporate decision makers is sought in only “certain circumstances,” which has the effect of “individuals at large companies [often avoiding] scrutiny... . Executives of big companies who call the shots as companies break the law should be held accountable.”

The commissioners clearly expressed willingness to more aggressively pursue individual decision-makers:

[quote]When any company appears to have made a business decision to violate or disregard the law, the Commission should identify and investigate those individuals who made or ratified that decision and evaluate whether to charge them. As we continue to pursue violations of law, we should prioritize uncovering the role of corporate officers and directors and hold accountable everyone who broke the law.[/quote]

It is not clear what conduct, in particular, prompted the commissioners to issue such a statement, but the complaint and joint statement provide some context for the desire to investigate individuals. The complaint mentioned that “in December 2016, a third party publicly alleged in an interview with the co-founder of Musical.ly, Inc. that seven users whose accounts were among the most popular in terms of followers appeared to be children under 13,” and the joint statement makes reference to companies that make “a business decision to violate or disregard the law.” The interview mentioned in the complaint is likely a discussion between Musical.ly Co-Founder Alex Zhu and Journalist Josh Costine at TechCrunch Disrupt in 2016. During the interview, Constine repeatedly questioned Zhu about his service’s compliance with COPPA and implored him to further consider the application of the statute to Musical.ly. Zhu addressed the questions but also denied that the service ran afoul of COPPA. The company’s leadership was aware that its service faced questions about COPPA compliance, but it appears Chopra and Slaughter were not impressed with leadership’s response to those questions.

But, privacy issues have been an area of bipartisan support in an otherwise divided government, so it is not impossible to imagine a scenario where the Republican commissioners are persuaded by Chopra and Slaughter to begin seeking actions against corporate officers and boards of directors in cases of egregious violations ...

The implication of the joint statement is unclear. It was issued by the two Democratic commissioners, whose party currently reside in the minority on the FTC, so an immediate change in investigative practices is unlikely. But, privacy issues have been an area of bipartisan support in an otherwise divided government, so it is not impossible to imagine a scenario where the Republican commissioners are persuaded by Chopra and Slaughter to begin seeking actions against corporate officers and boards of directors in cases of egregious violations (especially in cases involving children’s personal information). Also unclear is whether or not these expanded investigations would be pursued in all circumstances or if they would be reserved for violations of COPPA.

The Musical.ly enforcement action continues a trend of higher fines for knowing violations of COPPA

Recent FTC enforcement actions against Vtech, Prime Sites, InMobi, Retro Dreamer, and LAI Systems display a tendency for the FTC to increase fines for violations of COPPA and the FTC Act. Add to the list the New York Attorney General’s nearly $5 million COPPA fine imposed on Oath in December 2018, and a hierarchy for the severity of penalty for COPPA violations can be seen: “Purposeful violations result in larger fines than violations of notice, disclosure, and consent requirements” alone.

The implication of the joint statement issued by Chopra and Slaughter is that a new element may be added to the penalty hierarchy: investigation into and accountability for individual corporate officers and directors who make the decisions that produced violations.

photo credit: eli.pousson via photopin cc