Disclaimer: This article is for educational and product-planning purposes only. It is not legal advice. Privacy law involving minors is fact-specific and changes frequently. Always consult qualified counsel in your jurisdiction before shipping features or policies that may touch users under 18, and especially under 13.
If you are building a TikTok analytics, creator-discovery, or influencer-marketing product on top of a public data API, you are sitting on a hidden compliance surface: minors. TikTok itself is a general-audience platform that has spent years trying to keep under-13 users in a sandboxed experience, yet third-party platforms that ingest public TikTok data still routinely receive records that look, feel, or in fact are about children. This post walks through what the U.S. Children's Online Privacy Protection Act (COPPA) actually requires, why TikTok has been a repeated COPPA enforcement target, and what that means for the SaaS you are about to launch.
COPPA, enforced primarily by the U.S. Federal Trade Commission (FTC), applies to operators of commercial online services that are either directed to children under 13 or that have actual knowledge they are collecting personal information from children under 13. The headline obligations include: posting a clear privacy notice, obtaining verifiable parental consent before collection, giving parents the right to review and delete their child's information, limiting collection to what is reasonably necessary, and maintaining reasonable data security.
Two phrases above do most of the work for a B2B analytics product. The first is "actual knowledge." If your discovery dashboard surfaces a creator profile where the bio says "12 y/o dancer," or where a manual review flagged the user as a minor, you have probably crossed into actual-knowledge territory. The second is "personal information," which COPPA defines broadly. It includes username, photo or video of the child, geolocation, persistent identifiers (cookies, device IDs), and audio of the child's voice. A TikTok user object plus a video URL is, in practice, a bundle of COPPA-covered identifiers when the subject is under 13.
Penalties are real. The FTC's civil penalty cap under COPPA has been adjusted upward over time and historically has driven multi-million-dollar settlements, with the most prominent cases against TikTok's corporate predecessors and TikTok itself climbing into the hundreds of millions.
TikTok publicly states that the main app is for users 13 and older. In the United States, accounts identified as under 13 are routed into "TikTok for Younger Users," a separate experience that disables posting, direct messaging, and most public discovery. On paper, that means the public TikTok graph your API queries should not contain under-13 creators.
In practice, age screens are self-reported. A determined ten-year-old who picks a 2002 birthday will land in the main experience. Parents sometimes set up accounts for children. Some accounts are operated by adults on behalf of minors. None of this is hypothetical: FTC complaints against Musical.ly (the predecessor to TikTok) and later against ByteDance have repeatedly alleged that the companies were aware of, and failed to act on, large populations of underage users on the main service.
The implication for a third-party platform is uncomfortable. Even if TikTok believes its main graph is 13-plus, you are still likely to ingest a non-trivial number of records about children whenever you pull follower lists, hashtag results, or trending feeds. Saying "the source platform said they were 13" is unlikely to be a complete defense if the totality of the profile gave you a reason to know otherwise.
Builders often reach for a heuristic: "We will just filter out anyone who looks under 13." Be careful. Public TikTok fields do not include a verified date of birth. The signals you do have, such as bio text, follower count, video content, and audio classifiers, are noisy and biased.
A 22-year-old cosplayer can read as 14 on visual classifiers. A 12-year-old with an adult-managed profile can read as 30. Hashtag heuristics ("school," "homework") are weak proxies. Voice-based age estimation is an active research area with meaningful error bars, and using biometric inference itself can trigger separate privacy regimes (Illinois BIPA, the EU AI Act's risk categories, and emerging state laws). Treat age inference as one input to a conservative gating decision, not as a determination you can stand behind in a regulator's office.
This is the single most misunderstood point in third-party COPPA conversations. If TikTok obtains verifiable parental consent for a particular child to use TikTok, that consent does not extend to your platform. Your service is a separate operator with its own purposes, its own data flows, and its own retention. If you knowingly collect personal information from a child under 13, you need your own verifiable parental consent for your collection, even if the data originated from a platform that already had consent.
Practically, almost no B2B analytics SaaS is set up to collect parental consent from the parents of creators they have never met. The honest answer is that your product is not the right place for under-13 data at all. Build accordingly.
Two enforcement actions form the backdrop every product builder in this space should know about.
In 2019, the FTC announced a settlement with Musical.ly (which had been acquired by ByteDance and rebranded as TikTok) for what was then a record COPPA penalty of 5.7 million USD. The complaint alleged that the app collected names, email addresses, and other personal information from users under 13 without obtaining parental consent. It also alleged that the company knew significant numbers of younger users were on the platform.
In 2024, the U.S. Department of Justice, on referral from the FTC, sued TikTok and ByteDance, alleging continued COPPA violations including failures to honor parental deletion requests and the collection of data from children in the main experience. Parallel and earlier actions in Europe, including a 2023 Irish Data Protection Commission decision under GDPR (which has its own minors-specific protections under Article 8), resulted in additional very large fines. None of these cases were closed by saying "we have a kids mode."
The pattern across these cases matters more than the dollar amounts. Regulators have repeatedly focused on actual or constructive knowledge of underage use, friction in honoring deletion requests from parents, and downstream sharing or advertising use of children's data. Each of those is a category your third-party platform can absolutely fall into.
Here is a defensible default posture, written for a product manager who is about to write a PRD. None of this replaces an attorney's review.
Run a conservative classifier on the way in, not just at query time. If a profile's stated age, bio text, or platform metadata indicates the subject may be under 13, drop the record before it lands in your warehouse. Logs of dropped records should themselves not contain the underlying personal information.
For any creator surfaced in discovery, search, or export, default to suppressing creators who appear to be under 18 unless your customer has explicitly attested to a use case and you have explicit fields signaling adult status. "Default to safe" is the only posture that scales when your customers number in the thousands.
Do not ship filters like "age 13 to 17" or "high school audience" without a contractual layer above them. Brand-safety teams will ask for these. Politely decline, or wrap them in heavy controls. The same goes for follower-size sliders calibrated for nano-creators, which disproportionately surface younger profiles.
If a record is suspected to involve a minor, do not assign a stable internal ID, do not generate embedding vectors for ML personalization, and do not retain raw media. Persistent identifiers tied to a child are themselves "personal information" under COPPA.
Your data map should answer, on demand: where minor-related signals enter, where they get dropped, how long anything survives, and who has access. Regulators and enterprise customers will both ask.
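A minimal sketch of the ingest-time gate described above, added here as an illustration and not taken from any product's code: suspected under-13 records are dropped before storage and logged only as reason-code counts, and suspected 13-to-17 records are kept without raw media or a stable internal ID and marked suppressed. The field names (`bio`, `video_url`, `avatar_url`, `review_flag_under13`), the regex patterns, and the reason codes are assumptions; the customer-attestation override is not modeled.

```python
import re
import uuid
from collections import Counter

# Constructed patterns for ages stated in bio text, e.g. "12 y/o" or "age 16".
AGE_PATTERNS = [
    re.compile(r"\b(\d{1,2})\s*(?:y/?o|yrs?\s*old|years?\s*old)\b", re.I),
    re.compile(r"\baged?:?\s*(\d{1,2})\b", re.I),
]
MEDIA_FIELDS = ("video_url", "avatar_url")  # hypothetical field names

def stated_age(bio):
    """Lowest age stated in the bio, or None when no age is stated."""
    ages = [int(m.group(1)) for p in AGE_PATTERNS for m in p.finditer(bio or "")]
    return min(ages) if ages else None

def gate(record):
    """Return (decision, reason_code) for one incoming profile record."""
    age = stated_age(record.get("bio"))
    if record.get("review_flag_under13"):  # hypothetical manual-review flag
        return "drop", "manual_review_flag"
    if age is not None and age < 13:
        return "drop", "stated_age_under_13"
    if age is not None and age < 18:
        return "suppress", "stated_age_13_17"
    return "admit", "no_minor_signal"

def ingest(records):
    """Split a batch into warehouse rows and a drop log with no personal data."""
    warehouse, drop_log = [], Counter()
    for rec in records:
        decision, reason = gate(rec)
        if decision == "drop":
            drop_log[reason] += 1  # reason code and count only; no username, bio or hash
            continue
        minor = decision == "suppress"
        # Suspected minor: strip raw media and assign no stable internal ID.
        row = {k: v for k, v in rec.items() if not (minor and k in MEDIA_FIELDS)}
        row["suppressed"] = minor
        if not minor:
            row["internal_id"] = str(uuid.uuid4())
        warehouse.append(row)
    return warehouse, dict(drop_log)

SAMPLE = [  # constructed records, not real accounts
    {"username": "user_a", "bio": "12 y/o dancer", "video_url": "https://example.invalid/v/1"},
    {"username": "user_b", "bio": "age 16 | school band", "video_url": "https://example.invalid/v/2"},
    {"username": "user_c", "bio": "22 yo cosplayer", "video_url": "https://example.invalid/v/3"},
]
```

Stated-age matching catches only the explicit cases; it is one input to the conservative gate, and a profile with no stated age still passes as `no_minor_signal`.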
Even if your platform never stores a minor's profile, your customers may use your outputs to sponsor content. Paying a creator to feature a video in which children appear, even incidentally, opens a different bucket of risk: image rights of minors, school-district consents, FTC endorsement guidelines, and platform-specific rules about commercial content featuring children. Your product should make it easy for your customers to flag and exclude videos that prominently feature minors, and your sales materials should not encourage targeting youth audiences. See our pricing page for how we structure access tiers, and our about page for the boundaries we hold ourselves to as an infrastructure provider.
Build the workflow before you need it. At minimum:
No. COPPA does not have a general "public data" carve-out for personal information collected from children under 13. The fact that a TikTok profile was technically visible to anyone on the internet does not give a downstream operator a free pass once they have actual knowledge that the subject is a child.
Quite possibly. COPPA applies to operators based on the nature of the data and the knowledge of underage collection, not on whether the operator's direct customer is a business. If your B2B service knowingly processes data about children under 13, the obligations attach to you regardless of who pays the invoice.
Yes, if you process data of EU or UK residents. The GDPR sets a "digital consent" age that ranges from 13 to 16 depending on member state, with additional protections under Article 8 and the UK's Age Appropriate Design Code (the "Children's Code"). The EU's 2023 enforcement against TikTok is a useful read on regulator expectations.
Only if you actually do, can prove it, and have indemnity language that survives reality. "Best efforts" stripping is a marketing claim that ages badly when a regulator subpoenas the data.
COPPA itself ends at 13, but state laws (California, Connecticut, Utah, and others) and the FTC's general unfairness authority increasingly treat teen data as sensitive. Several states require parental consent for certain teen processing, and many enterprise customers will contractually demand teen-safe defaults. Treat 13 to 17 as a second tier of caution, not a free zone.
That decision belongs to your counsel, your data-protection officer, and your risk committee, informed by the markets you serve. The right answer is rarely "the legal minimum." It is usually "the strictest default that does not break the product." If you want to talk through architecture options that keep minor data out of your pipeline entirely, you can reach our team via the contact page, and registered customers can manage their access posture from the profile page.
This article walked through COPPA, the TikTok-specific enforcement history, and a set of conservative product defaults that have held up well across audits we have seen. It is still not legal advice. Privacy law in this area is moving fast: new state laws, new FTC rulemaking on the COPPA Rule itself, new platform policies, and new enforcement settlements all reshape the field. Before you launch any product feature that could touch under-13 or even under-18 creators, work with qualified privacy counsel. The cost of an hour with a specialist is a rounding error compared to the cost of a consent decree.