TikTok, the popular video-sharing social media platform, is set to be slapped with a hefty €345 million fine by Ireland’s Data Protection Commissioner (DPC) for alleged failures in safeguarding children’s privacy.
The Irish DPC has formally announced this substantial fine, citing breaches of the GDPR data protection law by the viral video app. The investigation that led to this substantial penalty was initiated in September 2021 and focused on TikTok Technology Limited’s handling of children’s data and age-verification procedures.
The investigation period spanned from July 2020 to December 2020, during which TikTok allegedly exposed children aged 13 to 17 to various risks. The primary concerns raised by the regulator included the default setting of children’s accounts as public, allowing unrestricted access to their videos. Additionally, user comments and features like ‘duet’ and ‘stitch’ were also found to be publicly accessible by default, heightening the risks involved.
Furthermore, TikTok was found to permit the pairing of children’s accounts with adult users without stringent verification that these adults were indeed parents or guardians of the children. This oversight enabled adults to send direct messages to children over the age of 16, potentially exposing them to serious risks.
Despite enforcing a minimum age limit of 13 years and requiring users to input their date of birth during registration, the DPC discovered that even children under 13 managed to gain access to the platform, further exacerbating privacy concerns as their accounts were defaulted to public.
It’s worth noting that the DPC did not find TikTok’s age-verification process in breach of GDPR regulations.
In response to these allegations, TikTok has expressed its disagreement with the imposed fine, asserting that many of the issues raised in the complaint had already been addressed before the Irish DPC initiated its investigation.
“We respectfully disagree with the decision, particularly the level of the fine imposed,” a TikTok spokesperson said.
“The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under 16 accounts to private by default,” the spokesperson added.
Elaine Fox, who serves as the Head of Privacy for Europe at TikTok, stated that most of the criticisms raised by the DPC have become irrelevant due to measures implemented by the platform in early 2021. These measures encompassed changes such as automatically setting all accounts for users aged between 13 and 15 to private by default, eliminating the option for anyone to comment on videos posted by children, and simplifying privacy settings for children’s comprehension.
The DPC initially filed a preliminary decision against TikTok in September 2022, which was subsequently referred to the European Data Protection Board (EDPB), a collective body of regulators, for adjudication. This move came after objections were raised by data protection authorities in Italy and Berlin.
The Berlin regulator specifically advocated for an additional violation under the GDPR principle of fairness, concerning TikTok’s use of “dark patterns” aimed at guiding users toward selecting more privacy-intrusive options during the registration process and video posting.
Don’t miss out on: Akintola Williams: A Legacy Engraved in Gold in the Field of Accounting
While Italy’s request to reverse the DPC’s finding regarding TikTok’s age-verification process’s compliance with GDPR was unsuccessful, the EDPB accepted the Berlin regulator’s complaint that TikTok had indeed nudged users toward options with less privacy protection.
Anu Talus, Chair of the EDPB, emphasized that today’s decision makes it imperative for digital companies to take all necessary measures to safeguard children’s data protection rights.
TikTok’s parent company, Beijing-based ByteDance, is now faced with a three-month deadline to rectify the identified breaches following the regulator’s reprimand.