The largest civil penalty ever obtained by the FTC in a children’s privacy case was assessed to the operators of the video social networking app Musical.ly, known as TikTok. TikTok has agreed to pay $5.7 million to settle FTC allegations that the company illegally collected personal information from children.
COPPA requires websites and online services directed to children to obtain parental consent before collecting personal information from children under the age of 13. Sadly, the social networking app knew many children were using the app but still failed to seek parental consent before collecting names, email addresses, and other personal information from users under the age of 13.
The FTC Chairman states, “This record penalty should be a reminder to all online services and websites that target children: We take enforcement of COPPA very seriously, and we will not tolerate companies that flagrantly ignore the law.”
In addition, while that reminder is certainly one that all companies that target children must heed, the bigger and most alarming message in this allegation should send shivers down the spines of all corporate officers and directors. That is the separate statement of the commissioners.
The joint statement of the two commissioners, while short, is very serious. In the commissioners’ view, the social networking app’s practices reflected the company’s willingness to pursue growth even at the expense of endangering children. First off, the FTC was able to show that the app willfully neglected to obtain parental consent before collecting PII from users under the age of 13. Secondly, this is illegal behavior which creates significant harm to the privacy of all users under the age of 13.
While I’m not aware whether or not the social networking app has cyber insurance, if they do, there is a very good chance that the $5.7 million penalty would not be covered. At the start of the claim, their insurer would certainly have the “duty to defend” them.
However, since the FTC was able to show the company “illegally” collected personal information and “neglected” to obtain parental consent before collecting the personal information of “children”, there’s no chance that this penalty would be covered. As alleged, the company illegally neglected children’s personal information, failed to obtain consent and disregarded their privacy.
While all cyber insurance policies vary greatly in their coverages, conditions and exclusions, many cyber insurance policies have exclusions for willful, intentional, deliberate, fraudulent, dishonest or criminal acts, any intentional violation of law, any intentional violation of a privacy policy, and collection of data without knowledge. Indeed, all of these exclusions cover acts that the company allegedly committed, which in turn would void their cyber insurance coverage.
The bigger message here though, besides the cyber insurance policy exclusions, is that in the commissioners’ joint statement they state “executives of big companies who call the shots as companies break the law should be held accountable.”
The commissioners’ closing statement:
When any company appears to have made a business decision to violate or disregard the law, the Commission should identify and investigate those individuals who made or ratified that decision and evaluate whether to charge them. As we continue to pursue violations of law, we should prioritize uncovering the role of corporate officers and directors and hold accountable everyone who broke the law.
My question in turn is, “It’s 2019, do you know where your Directors & Officers insurance policy is?”
If not, and you’re one of the executives calling the shots at your company, you better make sure you have a D&O insurance policy in place in the event the FTC comes knocking because they just gave all corporate officers and directors a shout-out. And, tick tock…. they won’t stop.