TikTok, the popular short video-sharing app, on Friday, was slapped with a €345 million euro fine (around $368 million) for failing to protect children’s privacy under the European Union’s (EU) General Data Protection Regulation (GDPR) rules.
Ireland’s Data Protection Commission (DPC), which started its investigation in 2021, examined how TikTok Technology Limited (TTL) processed children’s data between July 31 and December 31, 2020.
During its investigation, the Irish watchdog found that users between the ages of 13 and 17 were steered through the sign-up process to the TikTok platform in such a manner that their accounts were set to public by default in settings. This meant that anyone (on or off TikTok) could view the content posted by the child user or contact them, posing several possible risks to children under the age of 13.
It was also found that the “Family-Pairing” setting was faulty, as it allowed a child user’s account to be “paired” with a ‘non-child’ user, which the company failed to verify if it belonged to a parent or guardian. This allowed the non-child user to enable Direct Messages for child users above the age of 16, posing several possible risks to the child user.
Further, TTL failed to provide sufficient transparency information to child users, thus hampering the capability of the teen user to fully understand the platform’s data processing practices.
In addition, the DPC found that TTL implemented “dark patterns” by nudging users towards choosing more privacy-intrusive options during the registration process and while posting videos.
The DPC investigation conceded violations of Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1), 13(1)(e) and 5(1)(a) GDPR. It adopted its final decision regarding its inquiry into TikTok on September 1, 2023.
TikTok faces severe consequences for privacy breaches, which include a reprimand, as well as an order requiring TTL to bring its processing into compliance by taking necessary action within three months, and an administrative fine totaling €345 million.
“We respectfully disagree with the decision, particularly the level of the fine imposed. The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under 16 accounts to private by default,” TikTok said in a statement.
In a blog post, Elaine Fox, TikTok’s Head of Privacy for Europe, said the company would “evaluate next steps” with regard to the fine and order imposed by the DPC.
“We believe our settings have always given users control over whether to choose a public or private account, but in January 2021 (eight months before the DPC launched its investigation), we became the first major platform to make all existing and new accounts for 13- to 15-year-olds private by default,” Fox wrote, highlighting additional changes designed to “strengthen younger users’ privacy.”
Fox also noted that TikTok will start rolling out “a redesigned account registration flow for new 16- and 17-year-old users that will be pre-selected to a ‘private account’” later this month.
Earlier this year, TikTok was fined more than £12 million by the UK’s Information Commissioner Office for illegally processing the data of 1.4 million children under 13 who were using its platform without parental consent.
