In brief:
TikTok Information Technologies UK Limited and TikTok Inc (“TikTok”) have been issued a £12.7 million fine by the Information Commissioner’s Office (“ICO”) for personal data breaches involving:
- Providing information society services to children under the age of 13 without the consent of their parents or guardians.
- Failing to provide information to users on how their personal data is being collected, used, and shared.
- Failing to ensure the lawful, fair, and transparent processing of personal data belonging to UK users.
ICO’s findings:
The ICO estimates that in 2020, TikTok had up to 1.4 million UK users under the age of 13. This goes against TikTok’s own terms of service which prohibit children aged under 13 from creating an account.
Articles 6(1) and 8(1) of the GDPR dictate that, when offering information society services (“ISS”), the lawful processing of the personal data of a child under the age of 13 requires consent or authorisation from the holder of parental responsibility over the child.
TikTok failed to secure such consent and failed to adequately monitor its platform to identify and remove underage users.
Moreover, the ICO investigation found that senior TikTok employees had raised concerns about underage children using the platform and not being removed, without any adequate action being taken by TikTok.
The fine:
The ICO’s original notice of intent to fine TikTok (issued in September 2022) set the proposed value of the fine at £27 million. However, after considering representations from TikTok, the ICO decided not to pursue its finding of TikTok’s unlawful use of special category data, reducing the final amount to £12.7 million.
The £12.7 million fine follows ICO’s finding that TikTok breached the GDPR between May 2018 and July 2020 through:
- Offering an ISS to children under the age of 13 and processing their data without consent or authorisation from the holder of the parental responsibility over the child (Articles 6(1) & 8(1) GDPR).
- Failing to provide appropriate and easily understandable information to users of the platform regarding how their data is collected, used, and shared (Articles 12, 13 & 14 GDPR).
- Failing to ensure the lawful, fair, and transparent processing of personal data belonging to TikTok’s UK users (Article 5(1)(a) GDPR).
Key Takeaways:
- This decision serves as a reminder of the importance of obtaining the correct type of consent when offering an ISS to children, and of having adequate systems in place to identify and remove data subjects whose data cannot be processed in a lawful, fair, and transparent way.
- It also outlines the importance of conforming with the Children’s Code, which is the ICO’s statutory code of practice for online services aimed at helping protect children in the digital world.