The popular video sharing app TikTok has landed in hot water again over privacy issues. On Thursday, a group of privacy advocates filed a complaint with the Federal Trade Commission (FTC) alleging the platform failed to adequately protect children’s privacy.
The complaint alleged that TikTok violated a previous agreement with the FTC, where it had vowed to remove all videos previously uploaded by children under the age of 13 and make stronger efforts to request parental consent when collecting children’s personal data.
“In fact, however, TikTok has not destroyed all personal information collected from users under age 13,” according to the complaint, filed on Thursday. “We found that TikTok currently has many regular account holders who are under age 13, and many of them still have videos of themselves that were uploaded as far back as 2016, years prior to the consent decree.”
The group of coalitions behind the complaint was spearheaded by the Campaign for a Commercial-Free Childhood, which is a national coalition devoted to limiting the impact of commercial culture on children, and the Center for Digital Democracy, a consumer and privacy protection non-profit organization.
TikTok’s previous agreement came after it was slapped with a $5.7 million FTC fine for violating the Children’s Online Privacy Protection Act (COPPA), which sets privacy rules for operators of websites or online services directed to children under 13 years of age. That’s because TikTok’s earlier iteration (known as Musical.ly) had allowed children under 13 to sign up freely, and collected their names, email addresses, videos and other personal information – all sans parental consent.
As part of the ensuing agreement, TikTok agreed to obtain parent permission before collecting children’s personal data, and to delete personal information of children under 13. However, the complaint said that TikTok neither removed all underage accounts from its platform, nor made “reasonable efforts” to give direct notice to parents if children were signing up for the platform or if it was collecting their data.
“When a child signs up for a younger user account, TikTok does not at any point contact the child’s parents to give them notice,” according to the complaint. “TikTok never even asks for contact information for the child’s parents to provide the direct notice.”
In an effort to better protect children’s privacy, TikTok had also set up a service for children under 13, TikTok for Younger Users, which prevents them from posting videos. However, the complaint claims that this effort is fruitless. After children download TikTok for Younger Users and find that they cannot post videos, they can then simply delete it and sign up for an over 13 account on the mobile device, using a fake birth date.
“We take privacy seriously and are committed to helping ensure that TikTok continues to be a safe and entertaining community for our users,” a TikTok spokesperson told Threatpost.
According to TikTok’s privacy policy, when an underage user registers the platform collects “limited information,” including username, password, and birthday. It said, TikTok may also collect data related to the user’s device, including internet or other network activity information such as device ID, IP address, web browser type and version, country-level location, as well as certain app activity data, such as video watches, time in the app, and general usage data.
The complaint called for the FTC to impose detailed injunctive relief to ensure all personal data of children is destroyed. It also urged the FTC to seek the maximum civil penalties allowed by law of $41,484 per violation against TikTok.
“The FTC should act promptly to stop TikTok from continuing to flout the consent decree,” according to the complaint. “TikTok’s conduct shows that it is continuing to pursue growth at the expense of endangering children. Strong FTC action is needed to protect children from substantial risks to their privacy and wellbeing that come from sharing some of the most personal forms of personal information—their images, their words, and their thoughts… without their parents’ knowledge and informed consent.”
TikTok has surged in popularity this year. It was the top App Store download in 2019 and has grown its user base to more than 800 million users. However, the platform has also faced a flurry of privacy issues. Earlier this year, amidst scrutiny around the Chinese-owned TikTok’s relationship with China, the United States Army and the Transportation Safety Authority (TSA) both banned the social media app.
Researchers in January said they discovered several major vulnerabilities in TikTok, including one that could allow attackers to remotely take control over parts of victims’ TikTok account. At the same time, security experts warned of scammers looking to cash in on the troves of younger users of the popular platform.
Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami. Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.