How Child Safety on Social Media Became a Product Design Obligation

TikTok signed a children's privacy consent order with the FTC in 2019. Less than five years later, the FTC and DOJ sued it again, alleging the company had knowingly allowed millions of under-13 users to remain on the platform while continuing to collect their data without parental consent. The complaint paints a company that, in the FTC's telling, treated its federal compliance obligations as negotiable. That is not a one-time lapse. It is a pattern.

The pattern extends to YouTube. Child safety on social media is not failing at these platforms because they lack policies. Both platforms built child protection as an add-on layer, dependent on creator honesty, self-reported birthdays, and parental controls that don't always perform as advertised, rather than as a structural default. The enforcement record of the past six years makes the case. Regulators are now beginning to respond not with fines alone, but with demands that go to product architecture itself. That shift is still emerging, but it is real, and TikTok and YouTube are the clearest argument for why it was necessary.

The scale of the problem is not abstract. Pew Research data cited in California's 2024 lawsuit showed that 63% of American teenagers used TikTok in 2023, with 17% saying they were on it "almost constantly," the California AG reported. YouTube's child-directed content is ubiquitous enough that Disney, operating YouTube channels carrying some of the most recognizable children's programming in the world, still generated a federal COPPA enforcement action and a $10 million settlement, as the FTC announced last September.

Both platforms placed the compliance burden on parties other than themselves: YouTube on creators to correctly classify content, TikTok on users to honestly declare their age. Both created systems that are porous by design. That shared structural choice is the thread connecting what might otherwise look like two separate stories.

YouTube's child safety framework was built around a predictable weakness

After its own 2019 FTC settlement, YouTube required content creators to designate each channel or individual video as "Made for Kids" (MFK) or "Not Made for Kids" (NMFK). YouTube warned creators they were responsible for accurate classification, according to the FTC. The system relied entirely on creator labeling. The Disney case shows how easily that system could fail at scale.

Disney chose to apply labels at the channel level rather than video by video, which meant child-directed content uploaded to an NMFK-labeled channel was automatically misclassified. When YouTube manually corrected more than 300 Disney videos from NMFK to MFK status in mid-2020, Disney did not change its approach, and the violations continued, according to the FTC complaint. The resulting COPPA settlement cost Disney $10 million.

The consequences were not limited to data collection. An NMFK designation allowed YouTube's autoplay feature to queue non-MFK videos after child-directed content ended, pulling young viewers into content outside the protected category without any parental awareness, the FTC found.

Disney carries significant direct liability here. It chose channel-level labeling and ignored YouTube's 2020 corrections. The point is not that YouTube violated the law in this case. It is that YouTube designed a system where predictable failures were inevitable at scale. When thousands of creators self-classify millions of videos with no verification layer beyond their own judgment, some will get it wrong. The Disney case is the most prominent example, not an anomaly.

TikTok's alleged failures run across the entire user journey

Where YouTube's COPPA problems are concentrated in content classification, TikTok's alleged failures span every stage of a child's interaction with the platform: sign-up, data collection, product design, and what happens when a parent tries to intervene. The FTC and multistate complaints describe a company that was aware of its obligations and allegedly chose not to meet them.

On registration, the FTC alleged TikTok built registration pathways using Google and Instagram credentials that bypassed its own age-entry screen entirely. Accounts created this way were categorized as "age unknown" rather than removed or verified, and their number eventually grew to millions. Human reviewers assigned to assess flagged accounts allegedly spent an average of five to seven seconds per account making that determination.

The problems extended into TikTok's Kids Mode, which the company marketed as a safer environment for young children. The FTC complaint alleged TikTok shared children's personal data from Kids Mode with third parties including Facebook and AppsFlyer for the purpose of re-engaging lapsed users, a practice the company internally called "retargeting less active users." When parents completed TikTok's multi-step deletion process and submitted account removal requests, TikTok allegedly refused to comply unless they filled out a second, duplicative form. The FTC says that practice continued even after a TikTok child safety executive told the company's then-CEO that it already had everything it needed to delete the data.

Product design is where the allegations get most specific. California's lawsuit alleges TikTok combined non-disableable autoplay, infinite scroll, fake notifications, like-based social validation, and time-pressured live features specifically to maximize session duration among users who cannot effectively self-regulate, according to the California AG. Montana's investigation found that TikTok's Restricted Mode, the feature parents are told to enable for younger teens, did not meaningfully block mature content for 13-year-olds. Montana investigators said content promoting suicide, self-harm, explicit drug use, and sexualized material was readily available to registered 13-year-old accounts, despite TikTok rating itself "12+" in the Apple App Store.

TikTok can point to a real list of changes: accounts for 13-to-15-year-olds set private by default, a 60-minute daily screen-time default for under-18s with weekly usage summaries, expanded Family Pairing parental controls, and nearly 17 million suspected under-13 accounts removed in the first quarter of 2023. TikTok Newsroom announced several of these in early 2023; others were noted in its response to a European data protection ruling later that year. Those changes are real. But the FTC's 2024 complaint covers conduct allegedly continuing well after most were announced. A 60-minute screen-time prompt that teenagers can bypass with a passcode is a different thing from a platform that cannot be used addictively by design. TikTok built the first. Regulators are increasingly demanding the second.

What better online child safety design actually requires and the tradeoffs it carries

The more consequential development in this space is not the dollar amounts attached to settlements. Fines create a cost-benefit calculation. A platform with hundreds of millions of users can absorb a $10 million settlement as a line item. A permanent injunction governing product design cannot be amortized. That distinction is why the enforcement model is shifting, and why the pending injunctive relief against TikTok matters more than the penalty.

Regulators are beginning to specify what a compliant platform architecture must look like. The Disney settlement requires Disney to implement an individual video-review program for YouTube content, unless YouTube itself deploys age assurance technology capable of determining the age category of all users, or stops allowing creator-applied MFK labels altogether. The FTC described this as making room for "the future of protecting kids online." The settlement increases pressure on YouTube to choose whether creator self-labeling remains the backbone of its COPPA compliance, according to the FTC. California's SB 976, signed in 2024, resets platform defaults for minors to disfavor algorithmically driven feeds, persistent push notifications, and other engagement-maximizing design features, inverting the burden so that addictive design is the non-compliant option rather than a permitted one, per the California AG. The FTC's TikTok lawsuit seeks not just civil penalties but a permanent injunction that would subject TikTok's product decisions to ongoing federal court oversight, a qualitatively different accountability than a one-time settlement, according to the FTC.

Age assurance technology sits at the center of these regulatory proposals, and it is worth pausing on what that means in practice. Verifying a user's age category at registration, rather than accepting a typed birthday, would close the loopholes TikTok allegedly exploited. But any system that collects or processes biometric data, government ID, or third-party verification records to confirm a child's age also creates new data the platform must secure and cannot misuse. The compliance burden would shift from parents to platforms, which is the right direction. The data risk would shift too, and regulators and lawmakers will need to define acceptable limits around it. The case for age assurance is strong, but "better than a birthday field" is a low bar. What kind of age assurance, with what safeguards and data minimization requirements, is the question that still needs answering.

Child safety on social media is becoming a product-design obligation

The enforcement record of the past six years points to one clear conclusion: voluntary compliance frameworks for child safety on high-engagement youth platforms do not work reliably when the business model depends on maximizing time on site. TikTok's announced features and YouTube's creator-labeling system are both real, and both proved insufficient. Regulators have moved from accepting policy commitments to demanding structural ones, and that shift is still unfolding, not complete. What the Disney settlement, California's SB 976, and the pending FTC injunction against TikTok share is a common premise: the compliance burden belongs on platforms, not on children and their parents.

The combination of federal COPPA enforcement and multistate consumer protection litigation represents a layered accountability model. By the time California and New York filed their actions in late 2024, 23 state attorneys general had already taken action against TikTok, according to the California AG. Other platforms operating in youth-adjacent spaces should read that as a signal about the direction of enforcement, not a TikTok-specific problem.

The clearest measure of whether anything is actually changing will be injunctive outcomes, not press releases. Watch whether courts uphold design-focused remedies, whether YouTube invests in platform-level age verification or accepts a video-review obligation that scales with its content library, and whether Congress moves to define what acceptable age assurance looks like before platforms define it for themselves. A court order governing product architecture is a different instrument than a consent order a company can quietly deprioritize. That accountability is still pending, but structurally closer than anything the previous decade produced.

Child safety on social media is becoming a product-design obligation, not a box-checking exercise. The birthday field, the terms-of-service checkbox, the Restricted Mode that doesn't restrict much: that framework is being replaced, slowly and legally, by mandates that put the burden where it belongs.
