TikTok the Massive Infringer Thumbs Nose at FTC Ruling on Kids: Can CFIUS be far behind?

TikTok Complaint FTC

MTP readers may recall that in between getting banned by the Department of Defense, the State Department, the Department of Homeland Security and the TSA as well as being investigated by CFIUS, TikTok got caught and fined by the FTCfor exploiting children in violation of U.S. law:

The operators of the video social networking app Musical.ly, now known as TikTok, have agreed to pay $5.7 million to settle Federal Trade Commission allegations that the company illegally collected personal information from children. This is the largest civil penalty ever obtained by the Commission in a children’s privacy case.

The FTC’s complaint, filed by the Department of Justice on behalf of the Commission, alleges that Musical.ly violated the Children’s Online Privacy Protection Act (COPPA), which requires that websites and online services directed to children obtain parental consent before collecting personal information from children under the age of 13.

“The operators of Musical.ly—now known as TikTok—knew many children were using the app but they still failed to seek parental consent before collecting names, email addresses, and other personal information from users under the age of 13,” said FTC Chairman Joe Simons. “This record penalty should be a reminder to all online services and websites that target children: We take enforcement of COPPA very seriously, and we will not tolerate companies that flagrantly ignore the law.”

The Musical.ly app allowed users to create short videos lip-syncing to music and share those videos with other users. To register for the app, it required users to provide an email address, phone number, username, first and last name, a short biography, and a profile picture. Since 2014, more than 200 million users have downloaded the Musical.ly app worldwide, while 65 million accounts have been registered in the United States.

In addition to creating and sharing videos, the app allowed users to interact with other users by commenting on their videos and sending direct messages. User accounts were public by default, which meant that a child’s profile bio, username, picture, and videos could be seen by other users. While the site allowed users to change their default setting from public to private so that only approved users could follow them, users’ profile pictures and bios remained public, and users could still send them direct messages, according to the complaint. In fact, as the complaint notes, there have been public reports of adults trying to contact children via the Musical.ly app. In addition, until October 2016, the app included a feature that allowed users to view other users within a 50-mile radius of their location.

The operators of the Musical.ly app were aware that a significant percentage of users were younger than 13 and received thousands of complaints from parents that their children under 13 had created Musical.ly accounts, according to the FTC’s complaint.

The complaint alleges that the operators of the Musical.ly app violated the COPPA Rule by failing to notify parents about the app’s collection and use of personal information from users under 13, obtain parental consent before such collection and use, and delete personal information at the request of parents.

In addition to the monetary payment, the settlement also requires the app’s operators to comply with COPPA going forward and to take offline all videos made by children under the age of 13.

Any company that would conduct itself like TikTok–looking at you, YouTube–is going to be watched for a very simple reason.  Only a truly bad person would engaged in the exploitative conduct for which TikTok were fined.  Truly bad people are so greedy and so dismissive of authority, they just don’t care and these agencies are just not prepared to take the fines to the level they need to be in order to get the attention of bad actors like TikTok (and YouTube, that has its own sordid history of exploiting children in the freakiest of ways and for which YouTube also were fined by FTC).

What will it take to get TikTok’s attention in their board room back at the mothership in Beijing?

Now we find that an alliance of child advocates have complained to the FTC about TikTok ignoring the FTC’s fine.  Which puts them in good company at least–Facebook is also out of compliance.

The child advocates complaint to FTC accuses TikTok of ignoring the prior FTC settlement, which should come as no surprise because it’s just too tempting and they get to scrape all that data:

We present evidence showing that TikTok is violating the terms of the consent decree2 and the Children’s Online Privacy Protection Act (COPPA).3 TikTok continues to be one of the most popular apps in the world, and it is widely used by children and teens in the United States, so it is especially important that the FTC promptly and thoroughly investigate TikTok’s practices and take effective enforcement action.

Under the terms of the consent decree, TikTok agreed to either destroy all personal information in its control at the time of the entry of the consent decree, or alternatively, to destroy all personal information collected from users under 13 years of age. In fact, however, TikTok has not destroyed all personal information collected from users under age 13. We found that TikTok currently has many regular account holders who are under age 13, and many of them still have videos of themselves that were uploaded as far back as 2016, years prior to the consent decree.

TikTok has not obtained parental consent for these accounts. Contrary to the terms of the consent decree, TikTok fails to make reasonable efforts to ensure that a parent of a child receives direct notice of its practices regarding the collection, use, or disclosure of personal information. Indeed, TikTok does not at any point contact the child’s parents to give them notice and does not even ask for contact information for the child’s parents. Thus, TikTok has no means of obtaining verifiable parental consent before any collection, use, or disclosure of children’s personal information as required by the consent decree and COPPA Rule.

TikTok has set up “younger users accounts” for use by children under 13 in the United States. The younger users account has limited functionality and does not allow children to share videos with others. We do not believe that this option satisfies the COPPA Rule. The limited nature of this account incentivizes children to lie about their age. Moreover, children can easily defeat the age gate simply by registering again using a different age. Even with a younger users account, TikTok still collects some personal identifiers and usage information that go beyond support for internal operations, for which TikTok does not obtain verifiable parental consent. For children using regular TikTok accounts, TikTok collects vast amounts of personal information including videos, usage history, the content of messages sent on the platform, and geolocation. It shares this information with third parties and uses it for targeted advertising.

So I support the complaints of the child advocates, but it must be said that there are other levers that will get TikTok’s attention.

First, the FTC shouldn’t feel alone, they’re not the only government agency that TikTok ignores.  According to the Center for Strategic and International Studies the Committee on Foreign Investment in the United States (CFIUS) is still reviewing the Bytedance acquisition of Musical.ly and may unwind that acquisition:

ByteDance, TikTok’s parent company, is a Chinese technology firm headquartered in Beijing. The company spent nearly $1 billion to acquire the U.S.-based social video app Musical.ly, the Western version of Asia’s TikTok at the time, in November 2017. TikTok merged with Musical.ly in August 2018. The merger united the world’s largest short-video apps, but TikTok did not seek clearance from CFIUS, likely because it did not perceive an obvious link to American national security, which is the basis for triggering CFIUS reviews. When TikTok became the U.S.’s most downloaded app in Q4 of 2019, American concerns over data security and the spread of Chinese propaganda on TikTok sparked CFIUS’s investigation into ByteDance, which was launched on November 1, 2019. CFIUS’s original estimate of a 90-day investigation has long since passed. Although it is common for CFIUS to extend its deadlines, it is unclear when CFIUS will release its decision on ByteDance.

I do find it hard to believe that the lawyers involved with this Musical.ly acquisition didn’t at least cover themselves and place the transaction for a CFIUS clearance.  Did they think they could hide something as obvious as Bytedance?

Getting fined by the FTC for exploiting children and then ignoring the settlement is not likely to impress CFIUS favorably.

Then, there’s the distinct likelihood that the Department of Justice may open a criminal investigation into Bytedance complete with Civil Investigative Demands, followed by a grand jury.

The other attention-getter that could easily happen as part of these investigations is a charge of conspiracy under 18 USC 371:

If two or more persons conspire either to commit any offense against the United States, or to defraud the United States, or any agency thereof in any manner or for any purpose, and one or more of such persons do any act to effect the object of the conspiracy, each shall be fined under this title or imprisoned not more than five years, or both.

How far does a conspiracy go to “effect the object of the conspiracy”?  Providing material assistance to TikTok in its operations of one kind or another?


Want to find out?