Even TikTok’s Kids Mode violates COPPA, DOJ alleged.
The US Department of Justice sued TikTok today, accusing the short-video platform of illegally collecting data on millions of kids and demanding a permanent injunction “to put an end to TikTok’s unlawful massive-scale invasions of children’s privacy.”
The DOJ said that TikTok had violated the Children’s Online Privacy Protection Act of 1998 (COPPA) and the Children’s Online Privacy Protection Rule (COPPA Rule), claiming that TikTok allowed kids “to create and access accounts without their parents’ knowledge or consent,” collected “data from those children,” and failed to “comply with parents’ requests to delete their children’s accounts and information.”
The COPPA Rule requires TikTok to prove that it does not target kids as its primary audience, the DOJ said, and TikTok claims to satisfy that “by requiring users creating accounts to report their birthdates.”
However, even if a child inputs their real birthdate, the DOJ said, TikTok does nothing to stop them from restarting the process and using a fake birthdate. Dodging TikTok’s age gate has been easy for millions of kids, the DOJ alleged, and TikTok knows that, collecting their information anyway and neglecting to delete information even when child users “identify themselves as children.”
“The precise magnitude” of TikTok’s violations “is difficult to determine,” the DOJ’s complaint said. But TikTok’s “internal analyses show that millions of TikTok’s US users are children under the age of 13.”
“For example, the number of US TikTok users that Defendants classified as age 14 or younger in 2020 was millions higher than the US Census Bureau’s estimate of the total number of 13- and 14-year-olds in the United States, suggesting that many of those users were children younger than 13,” the DOJ said.
Ars Video
What Happens to the Developers When AI Can Code? | Ars Frontiers
TikTok seemingly risks huge fines if the DOJ proves its case. The DOJ has asked a jury to agree that damages are owed for each “collection, use, or disclosure of a child’s personal information” that violates the COPPA Rule, with likely multiple violations spanning millions of children’s accounts. And any recent violations could cost more, as the DOJ noted that the FTC Act authorizes civil penalties up to $51,744 “for each violation of the Rule assessed after January 10, 2024.”
A TikTok spokesperson told Ars that TikTok plans to fight the lawsuit, which is part of the US’s ongoing battle with the app. Currently, TikTok is fighting a nationwide ban that was passed this year, due to growing political tensions with its China-based owner and lawmakers’ concerns over TikTok’s data collection and alleged repeated spying on Americans.
“We disagree with these allegations, many of which relate to past events and practices that are factually inaccurate or have been addressed,” TikTok’s spokesperson told Ars. “We are proud of our efforts to protect children, and we will continue to update and improve the platform. To that end, we offer age-appropriate experiences with stringent safeguards, proactively remove suspected underage users, and have voluntarily launched features such as default screentime limits, Family Pairing, and additional privacy protections for minors.”
The DOJ seems to think damages are owed for past as well as possibly current violations. It claimed that TikTok already has more sophisticated ways to identify the ages of child users for ad-targeting but doesn’t use the same technology to block underage sign-ups because TikTok is allegedly unwilling to dedicate resources to widely police kids on its platform.
“By adhering to these deficient policies, Defendants actively avoid deleting the accounts of users they know to be children,” the DOJ alleged, claiming that “internal communications reveal that Defendants’ employees were aware of this issue.”
Even Kids Mode violates COPPA, DOJ says
TikTok provides a Kids Mode that its website said “allows children to engage with TikTok’s fun video features while limiting the information collected from them.” In this mode, kids can view and save videos but “cannot exchange messages with other users, and other users cannot view their profiles.”
However, according to the DOJ, TikTok’s “insufficient policies and practices” allow kids to create non-Kids Mode accounts, “gaining access to adult content and features of the general TikTok platform without providing age information.”
That’s concerning because after the kids create the general account, TikTok then gathers even more information—”including usage information, device information, location data, image and audio information, metadata, and data from cookies and similar technologies that track users across different websites and platforms”—while allegedly turning a blind eye to kids dodging age-gates. In some cases prior to 2022, the DOJ alleged, TikTok allowed kids to create non-Kids Mode accounts by using login credentials from Google and Instagram that TikTok neglectfully marked as “age unknown.”
Making things even worse, the DOJ alleged that TikTok chose to ignore the obvious problem of asking kids to self-report their ages, while earning ad revenue and sometimes sharing kids’ data with third parties. And perhaps most concerning for parents who approved kids creating Kids Mode accounts to avoid such invasive targeting and data collection, the DOJ claimed that TikTok collects “several types of persistent identifiers from Kids Mode users without notifying parents or obtaining their consent, including IP address and unique device identifiers.”
“Defendants did not need to collect all of the persistent identifiers they have collected from users in Kids Mode to operate the TikTok platform,” the DOJ alleged. And “until at least mid-2020, Defendants shared information they collected from children in Kids Mode with third parties for reasons other than support for internal operations. Defendants did not notify parents of that practice.”
Additionally, TikTok requires kids to provide an email address if they report an issue with the platform. The DOJ found that TikTok “collected over 300,000 problem reports from users in Kids Mode that included children’s email addresses” and allegedly “did not delete these children’s email addresses after processing the reports.”
TikTok ignores parents’ removal requests
For parents struggling to track their children’s data online, the privacy invasions alleged in the DOJ’s complaint are likely hugely concerning. But the DOJ accused TikTok of ignoring parents’ concerns, first setting up “a convoluted process to figure out how to request deletion of their child’s account and information,” then allegedly failing to delete the data even when a request is submitted.
“Even if a parent succeeded in submitting a request to delete their child’s account and information, Defendants often did not honor that request,” the DOJ alleged.
Those requests would be denied if a human review could not find evidence meeting TikTok’s “rigid criteria” for identifying child users, the DOJ alleged. For example, the DOJ said that TikTok would delete accounts with a bio that “contained an explicit admission that the user was under 13, like saying ‘I am in first grade’ or ‘I am 9 years old,'” but reviewers were not to delete accounts based on viewing videos that obviously depicted a child.
“Defendants’ policies and practices subverted parents’ efforts to delete their children’s accounts and resulted in Defendants retaining children’s accounts—and personal information—even though their parents identified them as children and asked TikTok to delete their accounts,” the DOJ alleged. “Defendants were well aware this was occurring” and continued using “flawed” processes through 2023.
Rather than promptly responding to parents’ requests to stop invading children’s privacy, TikTok employees allegedly let a giant backlog of requests pile up. They also didn’t bother to thoroughly document the issue, using a ByteDance communications app, Feishu, to “delete messages permanently, including, potentially, messages relevant to compliance with” COPPA and the COPPA Rule, as well as with a permanent injunction requiring TikTok to maintain records on COPPA compliance. According to the DOJ, a ByteDance risk assessment in 2021 showed that TikTok knew that using Feishu would make it very hard to ensure “compliance with government investigations and litigation subpoenas,” but employees continued using it anyway.
The DOJ said that without an injunction, TikTok would likely continue to invade children’s privacy on a massive scale.
“Consumers are suffering, have suffered, and will continue to suffer substantial injury as a result of Defendants’ violations of the COPPA Rule,” the DOJ alleged. “Absent injunctive relief by this Court, Defendants are likely to continue to injure consumers and harm the public interest.”
