In a significant development for the tech world, social media giant TikTok has been slapped with a hefty €345 million (£296 million) fine for breaching EU data laws concerning the handling of children's accounts. The Irish data watchdog, responsible for overseeing TikTok's operations across the European Union, has identified multiple violations of GDPR rules. These infractions range from defaulting child users' accounts to public settings, to inadequate provision of transparent information to young users, and allowing adults with access to a child's account to enable direct messaging for over-16s. In this article, we will delve into the details of this substantial fine and its implications for TikTok.
TikTok's troubles stem from several breaches of the General Data Protection Regulation (GDPR). The Irish Data Protection Commission (DPC) revealed that TikTok automatically set accounts of users aged between 13 and 17 to public by default, making their content and interactions visible to anyone. Additionally, the "family pairing" scheme, designed to give adults control over a child's account settings, failed to verify whether the adult involved was indeed a parent or guardian. The DPC also noted TikTok's failure to adequately consider the risks posed to under-13s on the platform who were placed in a public setting. Notably, TikTok features such as Duet and Stitch, which allow users to combine their content with that of others, were enabled by default for users under 17. However, the DPC did not find any GDPR infringements concerning TikTok's methods for age verification.
This is not TikTok's first encounter with regulatory fines related to child data privacy. In April, the UK data regulator imposed a £12.7 million fine on the platform for unlawfully processing the data of 1.4 million children under 13 without parental consent. The investigation revealed TikTok's insufficient efforts in verifying user identities.
In response to the DPC's decision, TikTok defended its actions, stating that the criticisms focused on features and settings that were in place three years ago. TikTok claims to have addressed these issues well before the investigation began. Furthermore, TikTok took the step of setting all accounts for 13- to 15-year-olds to private by default in 2021, ensuring that only approved individuals can access their content.
It's worth noting that the Irish Data Protection Commission had to incorporate into its decision a finding by the German regulator that pertained to the use of "dark patterns." These deceptive website and app design practices were deemed to breach a GDPR provision on fair processing of personal data, as per the European Data Protection Board's decision.