The UK Information Commissioner’s Office (ICO) has imposed a £12.7m ($15.9m) fine on TikTok Information Technologies UK Limited and TikTok Inc (TikTok) for breaches of the data protection law, and failing to use personal data lawfully.
The regulator estimates that 1.4 million UK children under 13 used TikTok in 2020 – even though the social media platform’s own rules prohibit youngsters of that age from setting up an account.
“There are laws in place to make sure our children are as safe in the digital world as they are in the physical world. TikTok did not abide by those laws”, said John Edwards, UK Information Commissioner. “As a consequence, an estimated one million under 13s were inappropriately granted access to the platform, with TikTok collecting and using their personal data.
“That means that their data may have been used to track them and profile them, potentially delivering harmful, inappropriate content at their very next scroll.”
Parents’ consent
According to UK data protection law, organizations that use personal data when offering information services to children under 13 must have consent from parents or carers.
TikTok failed for ‘knowing’ that minors were using the services, for not performing proper identity checks and for not removing underage children from the services.
“An estimated one million under 13s were inappropriately granted access to the platform, with TikTok collecting and using their personal data.”
John Edwards, UK Information Commissioner
It was also found that some senior employees had raised concerns internally about children under 13 using the platform and not being removed. The ICO believes TikTok failed to address the issue properly.
“TikTok should have known better. TikTok should have done better. Our £12.7m fine reflects the serious impact their failures may have had. They did not do enough to check who was using their platform or take sufficient action to remove the underage children that were using their platform”, said John Edwards.
GDPR breaches
The regulator found that TikTok breached the UK General Data Protection Regulation (UK GDPR) between May 2018 and July 2020 by:
- letting UK children under the age of 13 access TikTok and its services, and processing their personal data without consent or authorisation from parents or carers;
- failing to provide proper information on how user data is collected, used, and shared in a way that is easy to understand and make informed choices about – especially for children; and
- failing to ensure that the personal data of its UK users was processed lawfully, fairly and in a transparent way.
The original notice was set at £27m ($33.7m), however, after consideration, the ICO lowered the fine after deciding not to pursue the provisional finding related to the unlawful use of special category data.
In the aftermath of this investigation, the ICO has published a Children’s code to help protect children in the digital world.