Lessons From TikTok’s Latest Privacy Trouble with Tweens

Notwithstanding its negative effects on the world at large, COVID-19 quarantine has been a boon to a growing group of entertainment-based apps and services. Netflix, Amazon, Zoom, and Instagram are a few of the best-known apps that many have used to break the monotony of pandemic-induced isolation. TikTok is also on the list of apps experiencing a growth surge, though chances are that your kids are more likely to have participated in a viral TikTok dance challenge than you. Unfortunately for the Chinese-owned company, this popularity among the tween-and-under set is the source of its ongoing struggles with privacy advocates and regulators. Most recently, prominent consumer and privacy advocacy groups filed an FTC complaint accusing TikTok of particularly egregious privacy lapses relating to children. Democrats on Capitol Hill have piled on with a May 28^th letter supporting the advocates’ complaint, expressing concern that user data is being funneled to the Chinese government and stating that TikTok’s “blatant disregard” for privacy regulations affects all Americans’ online privacy.

TikTok’s Background

The company touts itself as the destination for short-form videos, with a mission to capture the world’s creativity, knowledge, and precious life moments. Its social media app, which launched in its current iteration in August 2018, reached the milestone of 2 billion downloads during the pandemic and its growing popularity is astonishing. Forbes reports that TikTok has 800 million average daily users, and its parent company ByteDance collected $17 billion in revenue in 2019.  TikTok, which began as the simple lip synching app musical.ly, was acquired by ByteDance for $800 million in 2017. According to Bloomberg, the app is now valued at more than $100 billion.  TikTok’s 18-month growth trajectory is almost unprecedented, but its repeated privacy lapses and foreign ownership have left critics with a lot to complain about.

TikTok’s Previous Privacy Troubles

In February 2019, the FTC filed a complaint in United States District Court alleging various privacy lapses at Musical.ly, which by then was operating under the control of ByteDance with the name TikTok. The FTC’s complaint details numerous issues with the app’s privacy controls and focuses on its treatment of users under the age of 13. Specifically, the FTC alleged that the app received thousands of emails from parents requesting the closure of their child’s account, a function not available from within the app. TikTok closed those accounts upon request, but did not delete the data associated with the child users. Additionally, the complaint highlighted that TikTok had discovered 46 of its most popular users were under the age of 13. Upon this discovery, TikTok instructed those users to edit their bios to indicate that an adult manager or parent was operating their account. TikTok, however, never verified that an adult was actually managing or monitoring those accounts. Most disturbingly, the app’s settings defaulted to public profiles and offered a functionality providing a list of other users within a 50-mile radius, which resulted in children being messaged and solicited by adult users. It is not difficult to see why these privacy lapses were alarming to parents—the allegations in the complaint amounted to serious violations of the Children’s Online Privacy Protection Act (COPPA). Without admitting guilt, TikTok agreed to settle these privacy charges for $5.7 million and entered into a consent order with the FTC. This amount is dwarfed by both TikTok’s current revenue and the FTC’s $5 billion settlement with Facebook, but it was a record settlement for COPPA enforcement.

Public advocates and government are not the only ones taking aim at the app—private litigants have also filed suits alleging TikTok’s privacy problems. TikTok settled for $1.1 million, subject to court approval, in a class action in Illinois which alleged violations of COPPA similar to the FTC’s. A putative California class action filed in December 2019, Misty Hong v. TikTok, Inc. et al., alleges that TikTok was secretly harvesting user data, even unpublished draft videos.  TikTok also faces lawsuits brought by parents on behalf of unnamed minors in both California and Illinois for violations of Illinois’ Biometric Information Privacy Act (“BIPA”). Each of these complaints reiterates variations of the same allegations that TikTok is not asking for user permission, or parental permission in the case of child users, before using their data in various ways. These allegations are not consistent with what would be required by its consent order with the FTC.

TikTok’s Latest Privacy Troubles

It is not surprising then, that little more than a year after its FTC settlement, TikTok is back in the headlines with advocates and regulators alleging its blatant disregard of the consent order.  On May 14, 2020, 20 consumer and privacy advocacy groups led by the Campaign for a Commercial Free Childhood joined together to file a 56-page complaint with the FTC detailing TikTok’s continuing privacy abuses. Among other alleged abuses, TikTok’s has allegedly continued to fail to both obtain parental consent before collecting childrens’ data and delete children’s data upon request. TikTok shouldn’t be surprised by the complaint, as these allegations are virtually the same as those leveled in the FTC’s 2019 complaint. Central to both complaints is the ease with which users under 13 are able to circumvent the app’s age controls.  The 2020 complaint also includes fairly extreme examples of child users, whose data arguably should have been deleted pursuant to the 2019 consent order, still appearing in the app. For example, the complaint highlights a 7-year-old with over 44,000 TikTok followers and a 10-year-old with 1.2 million followers. Showing their support of the group’s complaint, U.S. Representatives Annie Kuster and Jan Schakowsky, along with 12 other Democratic members of the Energy and Commerce Committee, sent a letter to the FTC encouraging it to investigate TikTok and stating, “. . . as long TikTok is out of compliance with COPPA and the consent decree, young children are at heightened risk.”

TikTok’s use of data has also come under particular scrutiny because of its ties to the Chinese government. Under Chinese law, companies can be compelled to share their data with the Chinese government. There are many nefarious ways an international actor might use data on a large and growing portion of Americans, particularly children. Experts have alleged that TikTok may be currently censoring content and could use its vast data stores as an aid to future propaganda campaigns.

Practical Takeaways

Issues of Chinese propaganda and national security may seem far afield for U.S. companies building privacy programs. However, the privacy abuses leveled against TikTok serve as a guide for how those abuses arise and how they may be mitigated by any company building and growing a privacy compliance program.

• Know your audience. Privacy protocols are necessary for any app that is collecting user data, but where childrens’ privacy is concerned you can expect an understandably heightened standard of care. An interesting tidbit from the advocates’ complaint to the FTC is Appendix No.1, which details particularly egregious user accounts. The youngest user identified in the exhibit was just 4 years old.  Despite this evidence of infant-adjacent users, one of TikTok’s most-touted defenses is that it is targeted at an older audience. The takeaway: Don’t bury your head in the sand when it comes to knowing your audience. If a large portion of your users are children, even if your app is not targeted at kids, your privacy compliance program should be developed with them in mind.
• Assess your age controls. Both FTC complaints are instructive on exactly how to avoid the ire of advocacy groups and regulators with regard to implementing functional age controls on an app or website. For example, the advocates’ complaint points out that once an underage user realizes that age restrictions have been imposed on their account, they can simply create a new account from the same device, using a fake birthdate. TikTok could have avoided this problem by using device IDs to require additional parental consent verification—by providing a credit card, for example—on those devices where an underage account was previously created.
• Know and follow the law. It is fundamental to a privacy compliance program that you must understand and follow applicable federal and state law. Complying with applicable law may seem to be an obvious point, but in TikTok’s case, where it allegedly failed to comply with data deletion requests under COPPA, it bears repeating. If you serve children, your privacy program must comply with COPPA. Further, complying with applicable privacy laws means the often-burdensome effort of keeping up with a rapidly evolving body of law. You may also be subject to various state laws, such as the recently enacted California Consumer Privacy Act (CCPA), state data breach notification laws, and recently proposed privacy legislation in various states, including Washington.  Federal legislators have also proposed privacy bills, which may come into effect in coming years.
• Monitor compliance. Finally, privacy compliance programs are not “set it and forget it” endeavors.  A compliance program should have a built-in monitoring and QA protocol so you can be sure that your privacy controls are functioning properly.