For a number of years now, TikTok has been under fierce scrutiny as to how it deals with children’s online data. In 2019, the US Federal Trade Commission fined TikTok $5.7 million for collecting children’s data without obtaining parental consent.
During the summer of 2022, the Dutch Data Protection Authority fined TikTok €750,000 for failing to protect the privacy of young children. By not providing a privacy notice in Dutch (it was only available in English), TikTok was not providing information on how the app would use their data in an easily understandable manner. A fundamental principle of GDPR is that data subjects should be provided with clear information on how their data will be used.
In September 2022, the news got worse for the app provider with the UK ICO issuing a notice of intent to fine TikTok £27 million following its investigation into the platform’s inability to adequately protect children’s privacy online. If the fine is enforced, and the ICO has stated the findings in its notice are provisional and therefore subject to representations from TikTok, it will be the largest of its kind ever issued by the ICO.
The notice of intent to impose a multi-million-pound fine on TikTok comes on the back of a spate of sanctions imposed by the ICO in its effort to combat breaches to children’s privacy on online services and platforms. In 2020, the ICO introduced the Children’s Code (or Age Appropriate Design Code) to tackle data protection breaches on services that are readily accessed by children (apps, online games, social media sites and so on).
In light of clamping down on data protection breaches, and as referenced in our previous article on the Children’s Code, the ICO currently has over 50 ongoing investigations to determine whether other online services have complied with the Children’s Code.
Although children under the age of 13 are not authorised to have a TikTok account, Ofcom reported that eight to 12-year-olds in the UK use the app. In line with this, the Information Commissioner, John Edwards submitted:
“We all want children to be able to learn and experience the digital world, but with proper data privacy protections. Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement.”
Following its investigation, the ICO is of the view that between May 2018 and July 2020, TikTok breached data protection laws, and may have:
- processed the data of children under the age of 13 without appropriate parent consent
- failed to provide proper information to its users in a concise, transparent and easily understood way, and
- processed special category data, without legal grounds to do so.
These findings are notably provisional. The ICO issued TikTok Inc and TikTok Information Technologies UK Limited with a ‘notice of intent’ – a legal document which precedes a potential fine.
Other big players
Instagram (which is owned by Meta) was recently fined $405 million for breaching EU GDPR following an investigation by the Irish Data Protection Commission (DPC). This is the largest penalty Instagram has ever been faced with. The way Instagram processes children’s data – including obtaining phone numbers and e-mail addresses – was investigated. The DPC also found that the children’s accounts were, by default, set to public rather than private. The DPC is currently conducting six other investigations into companies owned by Meta, which could arguably lead to Meta incurring further sanctions. In light of this, it is unsurprising to see the ICO’s intention to penalise TikTok for breaching children’s privacy online.
On this basis, it is evident that large platforms such as TikTok and Instagram are facing significant fines for breaching data protection laws. As the UK regulator, it is within the ICO’s remit to ensure that organisations are complying with the Children’s Code, as well as incurring sanctions on those found to contravene data protection laws in terms of children’s data.
Generally, the ICO will provide an organisation issued with a notice of intent a minimum of 21 calendar days to make representations and the ICO will consider these prior to making any final determination. We await to hear the outcome in the weeks, if not months, to come. That said, with a key focus of the ICO of protecting children’s safety only, we can only expect to hear of more fines in the coming years.
How can we help?
If you have questions about your obligations in relation to protecting children's privacy online, or about GDPR or data protection law generally, please get in touch with our specialist Data Protection & Cyber Security team.
This article was co-written by Katie Morrison, Trainee Solicitor.