From VTech to Musical.ly: U.S. Regulators Remain the Most Active Enforcers of Children’s Privacy Rights
From a privacy standpoint, the thirteen-month period from January 2018 to February 2019 was historic: news of Cambridge Analytica broke, the long run up to the European Union’s General Data Protection Regulation finally arrived, other countries introduced and some passed similar legislation (e.g., Brazil), and a private citizen forced the California legislature to pass the most comprehensive online privacy law in the United States.
Easily lost in the commotion is the work done by the Federal Trade Commission (FTC) pursuant to its mandate under the Children’s Online Privacy Protection Act (COPPA). Notwithstanding popular belief, in my opinion, COPPA remains the most child-protective privacy law in the world. And, the FTC has again established itself as the most active and effective regulator of children’s privacy rights.
From January 2018 to February 2019, the FTC settled three major COPPA cases. First, on January 8, it announced a $650,000 COPPA settlement with VTech Electronics entities (“VTech”), the FTC’s first enforcement action involving an Internet-connected toy. Less than a month later, the FTC announced a $500,000 COPPA settlement with online talent site, Explore Talent. Then, in February 2019, the FTC entered into a COPPA settlement with the operators of mobile app, Musical.ly (now known as TikTok), for $5.7 million—the largest ever monetary penalty in a COPPA case.
In addition, state Attorneys General—also empowered to protect children’s privacy rights under COPPA—were quite active. The Attorneys General for New Jersey and New York, each of which has a long-established track record in children’s privacy, announced COPPA settlements: the New Jersey Attorney General entered into a $100,000 COPPA settlement with Meitu, Inc., a Chinese operator of child-directed websites, and the New York Attorney General entered into a $4.95 million COPPA settlement (the largest ever at the time) with Oath (formerly AOL). In addition, the New Mexico Attorney General filed a COPPA complaint against Tiny Lab Products, the maker of mobile applications allegedly directed to young children; its advertising partners; and the mobile storefront on which its apps appeared.
There are numerous lessons to be learned from recent enforcement activity.
- FTC Commissioners Chopra and Slaughter have put individuals on notice that if they make or ratify the decisions that violate COPPA, they could find themselves held personally liable.
- Third parties (especially companies in the advertising ecosystem) are in regulators’ crosshairs. Operators of websites and mobile apps must do their diligence upfront and on a continuing basis.
- Regulators are scrutinizing the designation of online services as “mixed audience” and “general audience,” examining an online service’s content, including advertising; marketing of the online service; public and internal statements about the intended audience; and empirical evidence.
- Inclusion of a mobile app in Google Play’s Designated for Families section will be viewed as evidence the mobile app is either child-directed or mixed audience.
- COPPA requires reasonable measures to protect data security. Many COPPA investigations begin as a result of a data breach.
- COPPA applies equally to operators located outside the United States so long as those operators are directing their services to children in the United States or have actual knowledge they are collecting personal information from children in the United States.
- Internet-connect products directed to children under 13 years old are subject to COPPA.