TikTok fined €345m for violating children’s privacy under GDPR

The Irish Data Protection Commission has fined TikTok for breaching the GDPR by making teenage users’ accounts public by default.

TikTok has been fined €345 million by the Irish Data Protection Commission (DPC), which regulates TikTok in the EU, for violating the General Data Protection Regulation (GDPR) in its handling of children’s accounts. The DPC stated that TikTok failed to properly consider the risk posed to underage users who gained access to the platform, which has a minimum user age of 13.

Following the European Data Protection Board’s (EDPB) consultation, the DPC found that TikTok was in breach of the GDPR by setting the accounts of users between the ages of 13 and 17 to public by default. Specifically, teenage users were guided through the registration process in a manner that led to their accounts being set as public, making their content visible and open to comments from anyone. The DPC also found that the ‘family pairing’ system, which allows an adult to control a child’s account settings, did not check that the adult ‘paired’ with the child user was a parent or guardian.

Under-17s also had the Duet and Stitch features, which allow users to combine their content with that of other TikTok users, enabled by default. The DPC found no violation, however, in the methods used to verify the age of users.

TikTok responded that even before the DPC’s investigation began, the company had addressed the account privacy settings that were in place between July and December 2020. It said that since 2021 all existing and new TikTok accounts of users under 16 have been set to private by default, meaning that only people authorized by the user are able to view their content.

Why does it matter?

According to Politico, the Irish DPC’s decision is the largest privacy fine for TikTok and the fifth-largest fine imposed on tech companies under the GDPR. The fine further compounds TikTok’s challenges in Europe, where it has faced a series of new usage restrictions this year over worries about its ties to China. While the company recently announced plans to relocate its European data to a center within the EU, it remains under investigation by the Irish DPC for potentially unlawful transfers of European users’ data to China.

This is not the first time TikTok’s policies on processing children’s data have been questioned. The DPC’s decision comes after the UK’s data watchdog fined TikTok £12.7 million in April for illegally processing the data of 1.4 million children under the age of 13 who used its platform without parental consent. The Dutch Data Protection Authority (DPA) has also imposed a fine of €750,000 on TikTok for not having a privacy policy in the children’s native language.