Video-sharing app TikTok has been fined £12.7 million by the Information Commissioner’s Office (ICO) for using the personal data of children without parental consent.
What happened in this case?
UK data protection law requires organisations that use the personal data of minors to get consent from their parents or carers before doing so. However, in 2020, an estimated 1.4 million UK children under the age of 13 used TikTok without such consent.
TikTok’s own rules banned under-13s from accessing its site, and 13 was the minimum age to create an account. But, according to the ICO, its investigation showed that between May 2018 and July 2020, many children under 13 were able to access the site, and their data was subsequently collected and potentially used.
The ICO does not believe that TikTok did enough to check who was using its app, or to remove underage children. As a result, TikTok has been fined £12.7 million for child data protection breaches.
What are the data security concerns?
The data of the children involved in this breach may have been used to track them and profile them. And there are fears that they could have been exposed to potentially “harmful, inappropriate content at their very next scroll.”
The ICO found that TikTok breached the UK General Data Protection Regulation (UK GDPR) between May 2018 and July 2020 by:
- Providing its services to UK children under the age of 13 and processing their personal data without consent or authorisation from their parents or carers
- Failing to provide proper information to people using the platform about how their data is collected, used, and shared in a way that is easy to understand. Without that information, users of the platform, in particular children, were unlikely to be able to make informed choices about whether and how to engage with it
- Failing to ensure that the personal data belonging to its UK users was processed lawfully, fairly and in a transparent manner.
TikTok is owned by Chinese tech company Bytedance, and there are concerns that it is sharing user data with the Chinese government. Although this was not the focus of the ICO’s investigation. Security concerns about the app are so widespread that it has already banned on government devices in Canada, Belgium, Denmark, New Zealand, Taiwan, the UK, the US. It is also banned on the devices of anyone working at the European Commission, and the BBC has advised staff to delete TikTok from their corporate phones.
Victims of the TikTok data breach are not automatically entitled to compensation
According to the UK’s data protection watchdog and regulator:
“There are laws in place to make sure our children are as safe in the digital world as they are in the physical world. TikTok did not abide by those laws.
“As a consequence, an estimated one million under-13s were inappropriately granted access to the platform, with TikTok collecting and using their personal data.
“TikTok should have known better. TikTok should have done better. Our £12.7m fine reflects the serious impact their failures may have had.”
But, while the ICO does have the power to impose hefty fines on organisations in violation of their data protection duties, it cannot award compensation to victims of the TikTok breach. Instead, any money paid by TikTok will go straight to HM Treasury.
Did TikTok get away lightly?
This is one of the largest fines ever issued by the ICO, but TikTok might have gotten away lightly. An earlier “notice of intent” by the ICO, which was issued before the final fine is handed down, indicated that TikTok was facing a £27 million penalty.
In addition, the £12.7 million fine pales in comparison to the $80 billion reported to have been made by TikTok’s parent company ByteDance in 2022. Nevertheless, a TikTok spokesperson said that the company disagrees with the ICO’s decision and is considering its next steps. The business has 28 days to appeal the fine and the final amount could be reduced even further.
Commenting on the breach, Simon Ridding, Senior Associate at Keller Postman UK said:
“TikTok abjectly failed to protect British children and their data. TikTok knew that kids aged under 13 were accessing its app, but it simply didn’t take adequate steps to prevent this. This meant children could access content which may not have been appropriate for them. The ICO is right to have fined the company for failing to protect young children.
“Over a million young British kids were failed by TikTok in two ways. Firstly, the data collected may have been used to show them harmful, age-inappropriate content. Secondly, data about their preferences, browsing habits and personal profiles was collected and processed without parental consent.
“The British government recently banned TikTok app from government phones, citing cybersecurity concerns. Worryingly for parents, despite the ICO’s intervention, it may prove to be extremely difficult to have their children’s personal data removed from the app.”
Big companies collect and use personal data to make vast sums of money. But the misuse of this data can be devastating. Data privacy and protection has never been more important or more vulnerable. Defending the rights of individuals, if your child was affected by the TikTok data breach, we can help you get compensation.
