TikTok has been fined £12.7m by the UK Information Commissioner’s Office (ICO) for misusing children’s data. The ICO argues the platform “did not do enough” to check who was using the service nor take sufficient action to remove the accounts of those under 13.
An investigation by the ICO found that since 2020 more than a million UK children under the age of 13 have signed up and actively used TikTok contrary to its terms of service. This has led to extensive use of children’s personal data being used without parental consent. The fine covers multiple breaches of UK data legislation.
Under UK data protection legislation organisations using personal data when offering a service to children under 13 have to have explicit consent from parents or carers and the ICO says TikTok failed to do that despite knowing under 13s were on the platform.
It also alleges TikTok failed to carry out adequate checks to confirm the identity and age of its users, and remove underage children as they are discovered. The ICO said the concern had been raised internally by some senior employees but that despite the warning, TikTok did not respond adequately.
John Edwards, UK Information Commissioner said there are laws in place to protect children and keep them safe in a digital world but TikTok failed to protect them or their data. “As a consequence, an estimated one million under 13s were inappropriately granted access to the platform, with TikTok collecting and using their personal data”
“That means that their data may have been used to track them and profile them, potentially delivering harmful, inappropriate content at their very next scroll,” he explained. Adding that: “TikTok should have known better. TikTok should have done better. Our £12.7m fine reflects the serious impact their failures may have had. They did not do enough to check who was using their platform or take sufficient action to remove the underage children that were using their platform.”
The incidents covered by the fine happened between May 2018 and July 2020 and include multiple breaches of UK GDPR legislation. Among the concerns was a lack of proper information provided to users on how their data is being collected in a way that is easy to understand. “Without that information,” the ICO explained, “users of the platform were unlikely to be able to make informed choices about whether and how to engage with it.”
TikTok fine reduced from possible £27m
The announcement of a £12.7m fine is less than TikTok may have been expecting. Last year the ICO issued a “notice of intent” to fine TikTok £27m for these breaches of GDPR, but “taking into consideration the representations from TikTok”, the ICO decided not to pursue the provisional findings around special category data.
Special category data includes ethnic and racial origin, political opinions, religious beliefs, sexual orientation, trade union membership, genetic and biometric data or health data but TikTok successfully argued it had not gathered that data from child accounts. Instead it will now face a broader fine, focused on general data collection and misuse.
The ICO has since set out a “children’s code” to help online services likely accessed by children ensure they are collecting data in an appropriate way and making clear what data is being collected. It includes a code of practice and assessment tools to ensure compliance.
Owned by Chinese company ByteDance, TikTok has come under fire around the world over data protection concerns, including being banned from government devices in Europe, the US and the UK, as well as calls for an outright ban in the US. The company has opened new data centres in Europe and the US in a bid to counter concerns data is being shared with Chinese authorities, something it strongly denies.
Nigel Jones, co-founder of the Privacy Compliance Hub said the most interesting aspect of the fine is the fact it relates to general transparency failures in addition to the misuse of children’s personal data. This, he said, is particularly interesting “with the current spate of government bans on the app on work devices”.
“TikTok has also been fined for failing to provide information to its users about how their data is collected, used and shared in a way that is clear and easily understandable and for failing to ensure that UK users’ personal data is processed lawfully and fairly,” said Jones. “We all need to understand exactly what TikTok is doing with our personal data so we can decide for ourselves whether we should delete the app too.”