The ICO has issued a £12,700,000 fine to TikTok Information Technologies UK Limited and TikTok Inc for a number of breaches of data protection law, including failing to use children’s personal data lawfully.
The ICO estimates that TikTok allowed up to 1.4 million UK children under 13 to use its platform in 2020, despite its own rules not allowing children that age to create an account.
UK data protection law says that organisations that use personal data when offering information society services to children under 13 must have consent from their parents or carers.
TikTok failed to follow its own rules or seek parental consent, even though it should have been aware that under 13s were using its platform. TikTok also failed to carry out adequate checks to identify and remove underage children from its platform.
The ICO investigation found that a concern was raised internally with some senior employees about children under 13 using the platform and not being removed. In the ICO’s view TikTok did not respond adequately.
The ICO found that TikTok breached the UK GDPR between May 2018 and July 2020 by:
- Providing its services to UK children under the age of 13 and processing their personal data without consent or authorisation from their parents or carers;
- Failing to provide proper information to people using the platform about how their data is collected, used, and shared in a way that it easy to understand. Without that information, users of the platform, in particular children, were unlikely to be able to make informed choices about whether and how to engage with it; and
- Failing to ensure that the personal data belonging to its UK users was processed lawfully, fairly and in a transparent manner.
The original ICO notice of intent for TikTok set the fine at £27 million. Taking into consideration the representations from TikTok, the regulator decided not to pursue the provisional finding related to the unlawful use of special category data. That means this potential infringement was not included in the final amount of the fine set at £12.7 million.
Since the conclusion of the ICO’s investigation of TikTok, the ICO has published the Children’s Code to help protect children in the digital world. It is a statutory code of practice aimed at online services, such as apps, gaming platforms and web and social media sites, that are likely to be accessed by children.
