The Data Protection Commission (DPC) in Ireland has fined TikTok €345 million ($368 million) for multiple violations of the General Data Protection Regulation (GDPR) related to the processing of children’s personal information and other child privacy issues.
The DPC initiated an investigation of TikTok to determine if the company was fulfilling its obligations under the GDPR to protect the privacy of child users of the platform. The DPC looked at GDPR compliance between 31 July 2020 and 31 December 2020, specifically the privacy settings of the platform such as public-by-default settings, the settings associated with its family pairing feature, age verification processes during registration, and its transparency obligations related to default settings for child accounts.
The DPC shared the findings of its investigation with all other relevant supervisory authorities in Europe and two objections were raised by the supervisory authorities in Berlin and Italy, which believed two additional infringements of the GDPR should be included in the decision. No consensus could be reached regarding the two objections, so they were referred to the European Data Protection Board (EDPB), which agreed with Berlin’s objection regarding the use of ‘dark patterns’ to nudge users into choosing more permissive settings during registration but found insufficient evidence to support Italy’s objection regarding insufficient age verification checks.
The DPC found that TikTok had configured the accounts of child users (13-17) to be public by default, which meant anyone could access the content of child users, on or off the platform. Children under the age of 13 who gained access to the platform would also have had their content set to public by default. The family pairing feature allows parents and legal guardians of child users to pair their accounts with a child user’s account; however, the feature did not work correctly, which meant individuals who could not be verified as a parent or guardian were able to pair their account with a child user. This allowed direct messages to be enabled for child users over 16 years of age, exposing those children to potentially severe risks.
TikTok did not provide sufficient transparency information to child users, which made it difficult for them to understand the privacy settings, and dark patterns were used to push child users into choosing more privacy-intrusive options when setting up their accounts. The final decision finds that TikTok violated Articles 5(1)(a), 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1), and 13(1)(e) of the GDPR, warranting a fine of €345 million. TikTok has been reprimanded and ordered to address all of the privacy issues identified by the DPC within 3 months.
TikTok disagreed with the ruling, especially the size of the fine, and said that many of the issues identified by the DPC had been internally found and corrected, in some cases before the DPC had initiated its investigation. TikTok also said it is rolling out a new registration process for 16- and 17-year-olds that will ensure that their accounts are set to private by default, and that private-by-default settings were implemented for child users under 16 years of age in January 2021.
This is not the first GDPR fine for TikTok. In January this year, the French data protection authority (CNIL) imposed a €5 million fine for infringements of the GDPR related to a manipulative cookie-consent flow. TikTok is also currently being investigated over potential data transfers to China. Concerns about data transfers have resulted in dozens of U.S. states banning the app on the devices of federal and state employees.
TikTok was also fined $5.7 million by the Federal Trade Commission (FTC) in 2019 for violations of the Children’s Online Privacy Protection Act (COPPA) due to the failure to obtain consent from parents of users under 13 years of age before collecting data. The UK Data Protection Commission has also announced its intention to fine TikTok £27 million for failing to obtain consent from parents of children under 13 years of age between 2018 and 2020 and for failing to provide information to users in a concise, transparent, and easy-to-understand way.