Protecting the privacy of children’s online personal data is complicated and challenging. The problems are made more difficult by the fact that, seemingly, children are happy to skirt and evade the various efforts made by online platforms to protect their privacy and by the fact that data collection businesses are happy if those efforts succeed. A case in point is the recent action filed by the federal Department of Justice (on behalf of the Federal Trade Commission (“FTC”)) alleging that TikTok violated the Children’s Online Privacy Protection Act (“COPPA”). TikTok is owned by a Chinese company called ByteDance Ltd.. ByteDance is now being sued in federal court in California. See the media report here.

COPPA was enacted with the intent of protecting children’s online privacy. Generally, COPPA bans websites from knowingly collecting data about children — under the age of 13 — without parental consent. More specifically (and in simplified form), COPPA requires websites to:

• Post privacy policies — that are clear, understandable, and complete — about data collected about children, including what data is collected, how data is used, to whom and under what circumstances the data is disclosed, shared, sold, and more
• Send such privacy policies directly to parents
• Obtain verifiable parental consent prior to collecting and using their children’s personal data
• Allow parents to see what personal data has been collected about their children
• Allow parents the ability to request the deletion of personal data about their children

Companies that violate COPPA can be punished with civil penalties of up to more than $51,000 per violation per day. Enforcement is handled most directly by the FTC. TikTok settled a 2019 allegation of COPPA violations for $5.7 million.

The specific allegations in this case are that TikTok used account-creation procedures that enabled millions of children under the age of 13 to establish accounts where either the user’s age was not verified or was assumed to be older than 13. Allegedly, these accounts were created without parental knowledge or consent.

At this point, the allegations are unverified. But, we can comment that account-creation procedures that avoid age verification are the most effective method of avoiding the COPPA requirements. After all, COPPA prohibits the knowing collection and use of data about kids. But, if you do not know the age of the user, there can be no violation (or so the idea goes).

The TikTok case presents another issue with respect to online platforms and data collection. As noted, TikTok is owned by a Chinese company. As such, TikTok has come under scrutiny by U.S. lawmakers. There are allegations that since TikTok collects significant quantities of data about users — of all ages — that data is being turned over to the Chinese government. This, according to lawmakers and other U.S. officials, creates a national security risk.

This raises another issue why it can be so difficult to enforce privacy laws: some online platforms may not care about violating the privacy law. In other words, if the allegations of Chinese spying are true, then civil fines of up to more than $51,000 per violation per day will not serve as a deterrence.

Contact Internet Law and Data Privacy Attorneys At Revision Legal

For more information, contact the experienced internet lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

The Specific DOJ/FTC Allegations Against TikTok

The Department of Justice complaint filed on behalf of the FTC alleges systemic, long-running COPPA violations. According to the DOJ, TikTok’s registration flow allowed millions of users under 13 to create accounts because the platform either did not require meaningful age verification or accepted implausible ages without question. The complaint further alleges that once underage users had accounts, TikTok collected geolocation data, device identifiers, browsing patterns, and other personal data from those accounts without obtaining verifiable parental consent — the central affirmative obligation under COPPA.

The allegations also target TikTok Kids Mode — a restricted version of the app that parents were told would be safe for children. According to the government, TikTok continued collecting data from Kids Mode users beyond what COPPA permits, and in some cases exposed those users to communications from adults. If proven, those facts represent not merely technical COPPA violations but a deliberate circumvention of the statute’s core purpose.

COPPA’s Verifiable Parental Consent Requirement in Practice

COPPA’s “verifiable parental consent” requirement is one of the most operationally difficult compliance obligations in internet law. The FTC has approved several consent mechanisms: credit card charges (a small charge to the parent’s card that only an adult with the card could complete), government-issued ID verification, video conferences with trained personnel, and signed consent forms returned by mail. Most operators rely on the credit card method or third-party age verification services.

The difficulty is that no verification method is foolproof. Children can access a parent’s credit card. Parents can complete verification on behalf of their children — and often do, because they want to grant access to a platform the child is asking for. Courts and the FTC have acknowledged this tension, and COPPA’s “knowingly” standard reflects it: operators are not strictly liable for every underage user, but they cannot deliberately design systems that make it easy to circumvent age checks.

The TikTok case illustrates the outer boundary of that principle. When the government alleges that the platform’s registration design systematically enabled millions of underage accounts to be created, the argument that TikTok did not “knowingly” collect children’s data becomes difficult to sustain. The volume of underage accounts alleged — and the internal communications that plaintiffs’ counsel and government investigators typically uncover in discovery — are likely to be TikTok’s biggest evidentiary challenge.

Civil Penalty Exposure and the Stakes for Operators

COPPA civil penalties currently run up to $51,744 per violation per day, an amount that is periodically adjusted for inflation under the FTC Act. That figure can compound rapidly when a platform has millions of underage users. TikTok’s 2019 COPPA settlement with the FTC was $5.7 million — at the time the largest COPPA settlement in history. The current action, with the benefit of pattern-and-practice evidence from the years since that settlement, is structured to support a significantly larger penalty demand.

Other major platforms have faced similarly large civil penalty demands. In 2022, the FTC sought to bar Meta from monetizing children’s data as part of enforcement action related to its subsidiary WhatsApp. Google’s YouTube paid $170 million in 2019 to resolve COPPA violations related to collecting data from children who watched videos on the platform. Each of these cases signals that the FTC views COPPA enforcement as a priority, not an afterthought.

What the National Security Dimension Adds

The data privacy case against TikTok operates on a separate track from the national security concerns raised by lawmakers. Both, however, point to the same underlying problem: large-scale collection of data about U.S. residents — including children — by a platform whose ultimate ownership chain leads to a company subject to Chinese law. Under Chinese national intelligence laws, companies operating in China can be compelled to provide data to the government. That legal obligation applies to ByteDance regardless of where TikTok’s servers are located or what commitments TikTok makes to U.S. regulators.

This dynamic illustrates why enforcement actions focused solely on civil fines may be insufficient deterrence when the entity being fined has motivations that extend beyond commercial profit. Lawmakers have proposed structural remedies — divestiture, data localization requirements, and outright bans — precisely because the fine-and-continue model has not changed platform behavior in the past.

Practical Lessons for Any Online Platform That Attracts Younger Users

• Design age-gate flows that create genuine friction — a birth date field that accepts any year is not a COPPA-compliant mechanism
• Implement neutral age verification, not just a checkbox asking whether the user is 13 or older
• Train moderation and customer service staff to flag accounts that display signs of underage use and to take the appropriate remediation steps
• Document your COPPA compliance program, including your age-verification methodology, the parental consent mechanism you use, and the data retention and deletion protocols for children’s data
• Conduct a COPPA compliance audit at least annually, and more frequently if the platform makes changes to its registration or data collection flows

COPPA compliance is not optional, and the FTC has demonstrated that it will pursue enforcement actions regardless of a company’s size, profile, or prior settlement history. If your platform collects data from users and there is any possibility that some of those users are under 13, you need a COPPA compliance program that goes beyond a terms-of-service age restriction. Contact the experienced internet law and data privacy attorneys at Revision Legal through the form on this page or call (855) 473-8474.