TikTok’s COPPA Violations: A Common Pattern for All Companies

Shawn Flaherty
Tranquil Data
Aug 19, 2024

On August 2, 2024, the Department of Justice sued TikTok for violating the Children’s Online Privacy Protection Act (COPPA) for the second time. In the complaint, the Department of Justice alleges TikTok, without parental consent, collected, stored, and processed vast amounts of data from millions of users under the age of 13.

While this may be a tantalizing headline because of our special interest in protecting children and their data, the pattern of data being used improperly under regulatory guidance is increasingly common; HIPAA, the EU Data Act, re-consent requirements, and Affirmative Express Consent are a few other examples. These types of violations cannot all be attributed to ineptitude or willful disregard for regulations. Rather, regulations like COPPA that limit how data can be used or shared are incredibly hard to meet for companies that collect and use an immense amount of data for different purposes.

The bulk of the DOJ allegations can be broken down into four common risks all companies face: wrongful data collection, wrongful use and sharing of that data, wrongful remediation, and poor documentation of compliance efforts.

Wrongful Collection

In an attempt to comply with COPPA, TikTok created two versions of the product, one for users under 13 and one for users over 13. When this is done well, the product for young users collects little to no data, but allows young users to become familiar with the technology.

In contrast to the best practices outlined above, TikTok collected basic personal information like usernames, passwords, and persistent identifiers. They then combined this data with app activity, device information, and mobile carrier details to amass rich profiles on young users.

There are two likely scenarios that explain collecting this data from minors. The first is that, despite TikTok’s history of COPPA violations and FTC interventions, TikTok made an intentional and strategic decision that this data was valuable enough to chalk up any future violations as a cost of doing business. The second is that a team with the appropriate level of access control either wasn’t trained on COPPA at all, or didn’t fully understand the COPPA requirements, and wrongfully wrote code to capture data the application should not have.

The second scenario exemplifies a very common breakdown of processes and communication. It relies on lawyers to document requirements and train employees in a way they can understand, and then relies on those employees to interpret and apply the rules correctly. This process is full of potential missteps (e.g. not training the right employees, not ensuring engineers understand complex rules, and not ensuring complex rules are implemented correctly). A better solution, which we at Tranquil Data offer, is the ability for lawyers to write policies in plain language that become machine-readable policies. These policies then flag and stop application behavior that would violate regulations like COPPA.

Wrongful Use and Sharing

Although TikTok had already violated COPPA by impermissibly collecting data from minors under the age of 13, they continued to rack up violations by using the data for the wrong reasons and impermissibly sharing it. In one example, they used this data to retarget less active young users. Specifically, TikTok shared this information with Facebook and AppsFlyer to support re-targeting of existing “Kids Mode” users.

As with the breakdown in wrongful collection, TikTok should have had machine-readable policies in place to flag and stop young users’ data from being used and shared impermissibly.

Wrongful Remediation

TikTok retained children’s information in numerous databases long after purportedly deleting their accounts. The complaint alleged TikTok had “not documented what information collected from users is saved in what locations or why, and they have been unable to explain how or why the information was in those locations, or why it was not deleted.”

The lack of this information can be explained by not having a product like Tranquil Data that acts as a system of record for where data came from, why you have it, and what you are allowed to do with it. Without such a system of record, data becomes sprawled and loses the important context that is required to ensure it is handled correctly.

Failure to Keep Records

TikTok failed to keep records required by a previous 2019 FTC COPPA injunction. The complaint alleged that they failed to maintain records that would be needed to show how many accounts were affected by COPPA, which accounts were affected, and what, if anything, was done to remedy the issues. When asked by the United States for documentation of certain specific accounts of children, Defendants initially produced no records and claimed their account records were “not intended to be reviewed in the ordinary course of business.”

Just as was the case with wrongful collection, use and sharing, and remediation, the failure to maintain records was caused by choosing manual interventions over an automated solution. Manual intervention is prone to mistakes, delays, and inconsistencies, which can lead to compliance risks and inefficiencies, especially when managing large volumes of data and complex processes.
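The four risks above (wrongful collection, wrongful use and sharing, wrongful remediation, and missing records) can all be caught by one policy gate that sits in front of the application and also serves as the system of record. The sketch below is an added illustration written for this post, not Tranquil Data’s product or TikTok’s code; the policy table, field names, store names, and the rule that verifiable parental consent moves a child into the permitted bucket are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy table (hypothetical, not any vendor's real rules).
# A child without verifiable parental consent may yield only a username,
# nothing may be shared with third parties, and the only allowed purpose
# is providing the service itself (no retargeting).
POLICY = {
    "child_no_consent": {"fields": {"username"}, "recipients": set(),
                         "purposes": {"service"}},
    "permitted": {"fields": {"username", "password", "device_id",
                             "carrier", "app_activity"},
                  "recipients": {"ad_partner", "analytics_vendor"},
                  "purposes": {"service", "retargeting"}},
}


@dataclass
class Ledger:
    """System of record: which fields live in which store, plus every decision."""
    locations: dict = field(default_factory=dict)  # (user, field) -> {store, ...}
    decisions: list = field(default_factory=list)  # audit trail for regulators

    @staticmethod
    def bucket(age, parental_consent):
        return "permitted" if age >= 13 or parental_consent else "child_no_consent"

    def collect(self, user, age, consent, fields, store):
        """Store only the allowed fields; return the set that was refused."""
        allowed = POLICY[self.bucket(age, consent)]["fields"]
        denied = set(fields) - allowed
        for f in set(fields) & allowed:
            self.locations.setdefault((user, f), set()).add(store)
        self.decisions.append(("collect", user, sorted(denied), store))
        return denied  # an empty set means the request was fully permitted

    def share(self, user, age, consent, recipient, purpose):
        """Allow a transfer only if both recipient and purpose are in policy."""
        rule = POLICY[self.bucket(age, consent)]
        ok = recipient in rule["recipients"] and purpose in rule["purposes"]
        self.decisions.append(("share", user, recipient, purpose, ok))
        return ok

    def delete_user(self, user):
        """Purge every known copy and return the stores that held data."""
        keys = [k for k in self.locations if k[0] == user]
        purged = set().union(*(self.locations.pop(k) for k in keys))
        self.decisions.append(("delete", user, sorted(purged)))
        return purged

    def remaining_copies(self, user):
        """Answer 'what is saved where?' for a single user."""
        return {k[1]: s for k, s in self.locations.items() if k[0] == user}
```

Because every collect, share, and delete call records a decision, the `decisions` list is the evidence that an injunction-style records requirement asks for, and `remaining_copies` is the check that deletion actually reached every store.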

Conclusion

TikTok’s COPPA violations underscore the challenge of balancing value with regulatory compliance. This balance comes in the form of a dilemma: either collect data subject to complex regulations like COPPA and risk non-compliance (e.g. TikTok), or choose not to unlock these types of opportunities to steer clear of risks (like many choose to do). The logic follows that companies would unlock these high value opportunities if they knew they could lower risk by managing compliance effectively. That’s where Tranquil Data comes in — we provide solutions that automate ensuring that complex rules are met so that our customers can unlock more value from their data, without taking on needless risk.
