The Irish Data Protection Commission (DPC) has imposed a hefty fine of €345 million (approximately $368 million) on TikTok for its breach of the European Union’s General Data Protection Regulation (GDPR) in relation to the handling of children’s data.
This investigation, initiated in September 2021, scrutinized how TikTok processed personal data concerning users aged between 13 and 17 during the period spanning from July 31 to December 31, 2020.
Key findings from the investigation include:
- Default public visibility of content posted by child users, thereby exposing them to potential risks from anyone, whether a TikTok user or not.
- Failure to provide transparent information to child users.
- Utilization of dark patterns to guide users towards privacy-intrusive choices during registration and video posting.
- A vulnerability in the Family Sharing setting allowed non-child users to link their accounts with those of minors, enabling adult users to activate direct messaging for child users aged 16 and above.
In addition to the substantial financial penalty, the DPC has directed TikTok to align its data processing practices with GDPR requirements within a three-month timeframe.
Anu Talus, EDPB Chair, emphasized the responsibility of social media companies to present choices, especially to children, in a fair manner, without nudging users towards decisions that compromise their privacy. She stressed the importance of offering privacy-related options objectively and neutrally, devoid of deceptive or manipulative language or design.
Disclosed plans to introduce a revamped account registration process
TikTok responded to the decision with a statement on its website, expressing disagreement with the ruling. The company noted that the criticisms pertained to features and settings that were in place three years ago, which have since been updated by configuring all accounts for users under 16 as private by default. It remains unclear whether TikTok intends to challenge the decision through an appeal.
Furthermore, TikTok disclosed plans to introduce a revamped account registration process for new users aged 16 and 17, which will automatically set their accounts to private. This update is slated for implementation later this month. TikTok boasts approximately 134 million monthly users within the European Union.
It’s worth noting that TikTok had previously incurred a €5 million (around $5.4 million) fine from the French data protection authority in January 2023 for breaches related to cookie consent rules and to its opt-out mechanism being more complex than opting in.
This development closely follows the California Attorney General’s announcement that Google has agreed to pay $93 million to settle a privacy lawsuit. The lawsuit alleged that Google violated California’s consumer protection laws by collecting user location data for profiling and advertising purposes without obtaining informed consent.