TikTok fined £12.7m for children's data and privacy breaches

TikTok has received a £12.7m fine for several privacy breaches involving more than one million UK children.

The Information Commissioner’s Office (ICO) has investigated the data and privacy of children using the platform between May 2018 and July 2020. It found TikTok “did not do enough” to prevent underage children from using the platform and or take sufficient action to remove their accounts.

TikTok said it disagrees with the ICO’s verdict.

The ICO estimates 1.4 million children under 13 were using TikTok in 2020, which contravenes TikTok’s own rules that forbid children that young from creating an account.

UK data protection law requires organisations that use personal data when offering information services to children under 13 to obtain consent from their parents or carers. Ofcom has previously estimated that 44% of eight to 12-year-olds in the UK use TikTok.

ICO also found that TikTok failed to act when concerns were raised internally about underage account use. It also failed to provide proper information to users how their data is collected, used and shared, and to ensure personal data was processed lawfully, fairly and in a transparent manner. These findings breach the UK General Data Protection Regulations.

“There are laws in place to make sure our children are as safe in the digital world as they are in the physical world. TikTok did not abide by those laws,” UK information commissioner John Edwards said.

“As a consequence, an estimated one million under 13s were inappropriately granted access to the platform, with TikTok collecting and using their personal data. That means that their data may have been used to track them and profile them, potentially delivering harmful, inappropriate content at their very next scroll.

“TikTok should have known better. TikTok should have done better. Our £12.7m fine reflects the serious impact their failures may have had. They did not do enough to check who was using their platform or take sufficient action to remove the underage children that were using their platform.”

The fines come at a time when greater scutiny is being placed on how TikTok uses data and on its links to the Chinese government.

The UK recently joined dozens of countries – including the US, Canada and some EU states – in banning the app on government-issued devices over fears that sensitive data could be accessed through the platform and manipulated by Chinese officials.

However, WARC recently found that 75% of marketers plan to increase their activity on the platform and it pushed its estimate for the ad revenue TikTok will earn this year up by $2bn to $15.2bn.

TikTok 'considering next steps'

TikTok disputes the ICO’s findings and said it had been issued with a much smaller fine than the regulator had initially planned (£27 million) due to a charge of the unlawful use of special category data being dropped.

A spokesperson said: "TikTok is a platform for users aged 13 and over. We invest heavily to help keep under 13s off the platform and our 40,000 strong safety team works around the clock to help keep the platform safe for our community. 

“While we disagree with the ICO's decision, which relates to May 2018 to July 2020, we are pleased that the fine announced today has been reduced to under half the amount proposed last year. We will continue to review the decision and are considering next steps." 

TikTok has rolled out several measures in the past few years to tighten controls around user data and privacy.

This includes a family pairing mode that allows parents and caregivers to link their TikTok accounts to their children’s, a revised privacy policy for the UK and Europe that explains how TikTok uses data, and tools that can restrict the daily screen time for teens. 

TikTok has also grown its privacy and data teams at a ‘Trust and Safety’ hub in Dublin.

In March, TikTok launched Project Clover, which it said enhances new measures to enhance existing data protections in the UK and Europe. This includes hiring a third-party European data security partner that will oversee and audit its data controls and protections, monitor data flows, provide independent verification and report any incidents.