On behalf of the Federal Trade Commission (FTC), the Department of Justice sued video-sharing platform TikTok, its parent company ByteDance, as well as its affiliated companies, with violating the Children’s Online Privacy Protection Act (COPPA) and also alleged they infringed an existing FTC 2019 consent order against TikTok for violating COPPA.

The complaint alleges defendants failed to comply with the COPPA requirement to notify and obtain parental consent before collecting and using personal information from children under the age of 13.

ByteDance and its related companies allegedly were aware of the need to comply with the COPPA Rule and the 2019 consent order and knew about TikTok’s compliance failures that put children’s data and privacy at risk. Instead of complying, ByteDance and TikTok spent years knowingly allowing millions of children under 13 on their platform designated for users 13 years and older in violation of COPPA, according to the complaint.

As of 2020, TikTok had a policy of maintaining accounts of children that it knew were under 13 unless the child made an explicit admission of age and other rigid conditions were met, according to the complaint. TikTok human reviewers allegedly spent an average of only five to seven seconds reviewing each account to make their determination of whether the account belonged to a child. 

The company allegedly continued to collect personal data from these underage users, including data that enabled TikTok to target advertising to them — without notifying their parents and obtaining their consent as required by the COPPA Rule. Even after it reportedly changed its policy not to require an explicit admission of age, TikTok still continued to unlawfully maintain and use personal information of children, according to the complaint.

In addition, the complaint alleges that TikTok built back doors into its platform that allowed children to bypass the age gate aimed at screening children under 13. TikTok allegedly allowed children to create accounts without having to provide their age or obtain parental consent to use TikTok by using credentials from third-party services like Google and Instagram. TikTok classified such accounts as “age unknown” accounts, which grew to millions of accounts, according to the complaint.

Even when it directed children to use the TikTok Kids Mode service, a more protected version for kids, the complaint charges that TikTok collected and used their personal information in violation of COPPA. It also alleges that TikTok collected numerous categories of information and far more data than it needed, such as information about children’s activities on the app and multiple types of persistent identifiers, which it used to build profiles on children, while failing to notify parents about the full extent of its data collection and use practices. For example, TikTok shared this personal data with third parties such as Facebook and AppsFlyer to persuade existing Kids Mode users to use the service more after their use had declined or ceased, through a practice TikTok called “retargeting less active users,” according to the complaint.

TikTok also allegedly made it difficult for parents to request that their child’s accounts be deleted. When parents managed to navigate the multiple steps required to submit a deletion request, TikTok often failed to comply with those requests. TikTok also imposed unnecessary and duplicative hurdles for parents seeking to have their children’s data deleted. That practice allegedly continued even after the executive responsible for child safety issues told TikTok’s then-CEO, “we already have all the info that’s needed” to delete a child’s data when a parent requests it, yet TikTok would not delete it unless the parent fills out a second, duplicative form. If the parent did not do that, the executive allegedly added, “then we have actual knowledge of underage user[s] and took no action!”

The complaint also claimed that TikTok began violating the terms of the 2019 FTC order shortly after it went into effect. Two TikTok entities (previously Musical.ly and Musical.ly Inc., which ByteDance acquired in 2017 and renamed) agreed to the terms of the order to settle allegations that they violated the COPPA Rule by unlawfully collecting personal information from children under the age of 13.

Additionally, the complaint alleges that TikTok failed to:

• notify parents about all of the personal data they were collecting from children
• obtain parental consent for the collection and use of that data
• limit the collection, use, and disclosure of children’s personal information
• delete children’s personal information when requested by parents or when it was no longer needed

The complaint asks the court to impose civil penalties against ByteDance and TikTok and to enter a permanent injunction against them to prevent future violations of COPPA. The FTC Act allows civil penalties up to $51,744 per violation, per day.