FTC Cracks Down on Child Online Privacy Protection Act Violations

Michael Roche


Take a look at your website’s privacy policy.  Chances are, it includes some language stating that your website does not intend to collect personal information from children under the age of 13 and that, if you become aware that your website has collected personal information from a child under the age of 13, you will promptly delete that information.  This is designed to address the Child Online Privacy Protection Act (“COPPA”), which requires parental consent prior to collecting personal information about a child under the age of 13.

While most privacy policies include language to this effect, very few website operators take either it, or COPPA, seriously.  But in a recent, landmark settlement, the Federal Trade Commission (“FTC”) has shown that it does take COPPA seriously. 

The FTC began enforcement proceedings against the operators of Tik Tok (formerly known as for violations of COPPA.  Tik Tok required users to provide an email address, phone number, username, first and last name, a short biography, and a profile picture in order to sign up for its services.  Tik Tok was also aware that a significant percentage of their users were under 13 and had received thousands of complaints from parents that their children under 13 had created accounts.  Tik Tok never notified parents about their collection and use of personal information from these children, obtained parental consent for such collection and subsequent use, or deleted the personal information when requested by parents.

Tik Tok settled with the FTC for a fine of $5.7 million, the largest ever civil penalty obtained by the FTC in a children’s privacy case.  Additionally, Tik Tok must comply with COPPA in the future and remove all videos made by children under 13.

This settlement highlights the importance of understanding why certain language is included in your website privacy policy.  It also highlights that a company’s COPPA-related duties only begin with its privacy policy.  If it does not adhere to the letter of its policy in its actual information collection and processing practices, significant liability can attach.  The FTC takes violations of this sort very seriously and will pursue operators who fail to comply with their obligations under COPPA.

Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2019 Harter Secrest & Emery LLP