On 4 April 2023, the UK’s DPA (“ICO UK”) announced a fine of GBP 12.7M on TikTok for violations of the UK GDPR related to children’s privacy following the issuance of a notice of intent in September 2023.
Upon its investigation, ICO UK found that:
- Personal data belonging to children under 13 was used without parental consent, contrary to its terms of service;
- TikTok “did not do enough” to check who was using their platform and take sufficient action to remove the underage children.
According to ICO UK estimates, TikTok allowed up to 1.4 million UK children under 13 to use its social media platform in 2020, contrary to its terms of service forbidding children that age to create an account. TikTok failed to ensure adequate checks to determine whether children under that age were using the platform and to remove them.
UK GDPR provides that organizations processing personal data when offering information society services to children under 13 should obtain consent from their parents or carers.
In addition, ICO UK found that TikTok also failed to ensure that data was processed lawfully, fairly, and in a transparent manner. In this regard, it was emphasized that children were unlikely to be able to make informed choices about whether and how to engage with the platform.
ICO UK conveyed that after the conclusion of the TikTok investigation, a Children’s code was published in order to help protect children in the digital world, available here.
The press release is available here.