The Irish Data Protection Commission (DPC) slapped TikTok with a €345 million (about $368 million) fine for violating the European Union's General Data Protection Regulation (GDPR) in relation to its handling of children's data.
The investigation, initiated in September 2021, examined how the popular short-form video platform processed personal data relating to child users (those between the ages of 13 and 17) between July 31 and December 31, 2020.
Some of the major findings include:
- The content posted by child users was set to public by default, thereby allowing any individual (with or without TikTok) to view the material and exposing them to additional risks
- A failure to provide transparency information to child users
- The implementation of dark patterns to steer users towards opting for privacy-intrusive options during the registration process, and when posting videos
- A weakness in the Family Sharing setting that allowed any non-child user (someone who could not be verified as the child's parent or guardian) to pair their account with that of a minor, which made it possible for the adult user to enable direct messages for child users above the age of 16
In addition to the financial penalty, the DPC has ordered TikTok to bring its processing mechanisms into compliance within three months.
"Social media companies have a responsibility to avoid presenting choices to users, especially children, in an unfair manner – particularly if that presentation can nudge people into making decisions that violate their privacy interests," Anu Talus, EDPB Chair, said.
"Options related to privacy should be provided in an objective and neutral way, avoiding any kind of deceptive or manipulative language or design."
In a statement shared on its website, the company disagreed with the decision and said that the criticisms are focused on features and settings that were in place three years ago, which have since been changed by setting all under-16 accounts to private by default. It's not immediately clear if the company intends to appeal the ruling.
The company also said it will roll out a redesigned account registration flow for new 16- and 17-year-old users late this month, in which a private account will be pre-selected. TikTok has about 134 million monthly users in the E.U.
TikTok was previously handed a €5 million (about $5.4 million) fine by the French data protection watchdog in January 2023 for breaking cookie consent rules and for making the opt-out mechanism more complex than opting in.
Then in April 2023, it was fined £12.7 million by the U.K. Information Commissioner’s Office (ICO) for illegally processing the data of 1.4 million children under 13 who were using its platform without parental consent.
Outside of Europe, the ByteDance-owned company also paid a $5.7 million penalty in 2019 to settle U.S. Federal Trade Commission (FTC) allegations that it breached the Children's Online Privacy Protection Act (COPPA) by failing to seek parental consent from users under the age of 13 before collecting information.
The development arrives days after California's Attorney General announced that Google would fork out $93 million to settle a privacy lawsuit alleging it violated the U.S. state's consumer protection laws by collecting users' location data for consumer profiling and advertising purposes without informed consent.