TikTok fined for data protection breaches
The ICO has fined TikTok £12.7 million for multiple breaches of UK data protection law regarding children’s personal data.
ICO investigations
The ICO began investigating after concerns were raised internally with senior employees about how children under the age of 13 were joining the platform and not being removed.
The ICO’s investigations found that TikTok failed to enforce age limits on using its app, leading to up to 1.4 million UK children under the age of 13 using the platform.
For children under 13, TikTok needed consent from their parents or carers to use their data. As TikTok did not obtain or establish consent, it had no lawful basis for processing. TikTok also failed to carry out adequate checks to identify and remove underage children from the platform.
Children’s data requires additional protection, as they are less aware of the risks involved. TikTok’s systems should have been designed with this in mind. The ICO found that TikTok did not provide easy-to-understand information about how personal data was to be processed. Children, therefore, could not make informed decisions about providing their data and engaging with the app.
Finally, the ICO found TikTok had failed to inform data subjects of how their data was being processed.
What breaches occurred?
Under the UK GDPR, controllers must have a lawful basis for processing personal data.
The ICO found that TikTok breached the UK GDPR between May 2018 and July 2020 by:
- Providing its services to UK children under the age of 13 and processing their personal data without consent or authorisation from their parents or carers
- Failing to provide proper information to people using the platform about how their data is collected, used, and shared in a way that is easy to understand, and
- Failing to ensure that the personal data belonging to its UK users was processed lawfully, fairly and in a transparent manner.
The level of fine reflects the serious impacts these failures may have had.
TikTok fine
The ICO initially issued TikTok with a notice of fine of £27 million. After receiving TikTok’s representations, the fine was reduced to £12.7 million. The reduction came after the ICO decided not to pursue its initial finding that TikTok had processed special category data without legal grounds for doing so.
Next steps
TikTok states that it disagrees with the ICO’s decision, is reviewing the decision and considering next steps.
Since the conclusion of its investigation, the ICO has published the Children’s Code to help protect children in the digital world. This statutory code of practice is aimed at online services, such as apps and gaming platforms, that are likely to be accessed by children and provides 15 standards to ensure children have the best possible experience of online services.
This article was first published by our UK member firm Doyle Clayton. If you have any questions on lawfully using data on an online platform, please contact Doyle Clayton’s Data Privacy specialists Piers Leigh-Pollitt, Partner & Compliance Officer for Legal Practice and Mike Hibberd, Legal Director. Read more information on our UK member firm’s data protection services.