Directors and Officers Beware: Your Company’s Violations of Privacy Laws May Cost You Personally
Both federal and state lawmakers and regulators have demonstrated an increasing interest in enforcing data privacy and cybersecurity laws. Companies that violate these laws and regulations may suffer significant fines, intrusive oversight by governmental authorities, reputational harm, and litigation by third parties.
However, directors and officers should not assume that companies themselves will be the only ones that may ultimately be held responsible. An extraordinary statement issued on February 27, 2019 by two Federal Trade Commission (FTC) commissioners, in connection with a multi-million dollar fine the agency recently imposed, suggests that the FTC may soon begin holding individual directors and officers accountable for their companies’ violations of privacy laws.
On February 27, the FTC announced a settlement with Musical.ly (now known as TikTok), a company that operates a popular video social networking application. Under the settlement, TikTok agreed to pay a $5.7 million fine to settle the FTC’s allegations that it violated the Children's Online Privacy Protection Act (COPPA). COPPA requires operators of websites or online services that are directed to children to obtain verifiable parental consent before collecting personal information from children under age 13.
The company’s app allows users to create short videos in which they lip-sync to music, and to share those videos with other users. According to the FTC, the company was aware that a significant percentage of its users were children under age 13. However, the company failed to seek parental consent before collecting the names, email addresses and other personal information from those children. In addition, user accounts were public by default, which meant that a child’s username, picture and videos could be seen by other users. The FTC alleged that although TikTok allowed users to change their default setting from “public” to “private,” users’ profile pictures and biographical information continued to remain public, and users could still send direct messages to children. The FTC also alleged that the company failed to comply with parents’ requests to delete information about underage children and held onto it longer than necessary.
The $5.7 million fine against TikTok is the largest that has ever been imposed for violations of COPPA, and comes on the heels of a nearly $5 million COPPA fine that the New York State Attorney General’s Office imposed on Oath, Inc. (f/k/a AOL) in December 2018. The settlements with TikTok and Oath (as well as several other recent fines for COPPA violations) highlight that federal and state regulators continue to take enforcement of data privacy laws very seriously.
The TikTok settlement is noteworthy not only for the fine’s record-breaking amount, but also for a written statement that two FTC commissioners issued contemporaneously with that settlement. In that statement, FTC Commissioners Rohit Chopra and Rebecca Kelly Slaughter expressed an interest in aggressive enforcement against individual directors and officers of companies that violate the law. The commissioners wrote:
“FTC investigations typically focus on individual accountability only in certain circumstances — and the effect has been that individuals at large companies have often avoided scrutiny. We should move away from this approach. Executives of big companies who call the shots as companies break the law should be held accountable.
When any company appears to have made a business decision to violate or disregard the law, the Commission should identify and investigate those individuals who made or ratified that decision and evaluate whether to charge them. As we continue to pursue violations of law, we should prioritize uncovering the role of corporate officers and directors and hold accountable everyone who broke the law.”
Directors and officers of companies that collect, use, sell or otherwise process personal data of individuals should ensure that their companies’ privacy policies and practices comply with the law. The new appetite for holding individual executives personally accountable for their company’s privacy law violations makes it ever more important to ensure compliance.
Cyber & Privacy Alert is a newsletter by Tannenbaum Helpern’s Cybersecurity & Data Privacy practice that covers emerging legal and business developments affecting cyber and privacy risks and regulation, and their impact on businesses.