The Irish Data Protection Commission (DPC) has fined TikTok €345 million ($368 million) for violating the privacy of children between the ages of 13 and 17 while processing their data.
Initiated in September 202, the investigation into the company’s data processing practices looked into how TikTok handled children’s data from July 31 to December 31, 2020.
The Irish Data Protection Authority found that TikTok violated the 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1), 13(1)(e), and 5(1)(a) articles of the European Union’s General Data Protection Regulation (GDPR).
One of the most concerning revelations was that TikTok’s profile settings for child user accounts defaulted to public visibility, making all posted content visible to anyone, within and outside the platform.
TikTok’s ‘Family Pairing’ feature, which was also under scrutiny, was also found to be faulty as it allowed non-child users who could not verify their status as parents or guardians to link their accounts with those of minors aged 16 and above.
This raised serious concerns about potential risks to child users, as the non-child user gained the ability to enable Direct Messages.
TikTok also failed to provide adequate transparency information to its young users, thus hindering their ability to fully comprehend the platform’s data processing practices.
Additionally, the DPC found that TikTok employed “dark patterns” during the registration process and while posting videos, subtly nudging the users toward selecting options that compromised their privacy.
Fined €345 million and required to address privacy issues
In response to these troubling findings, the Irish data privacy regulator imposed an administrative fine of €345 million on TikTok, citing the privacy breaches identified during the investigation.
It also issued an official reprimand and instructed to align its data processing practices with regulatory standards over a strict three-month timeframe.
“Social media companies have a responsibility to avoid presenting choices to users, especially children, in an unfair manner – particularly if that presentation can nudge people into making decisions that violate their privacy interests,” said Anu Talus, the European Data Protection Board Chair.
“Options related to privacy should be provided in an objective and neutral way, avoiding any kind of deceptive or manipulative language or design. With this decision, the EDPB once again makes it clear that digital players have to be extra careful and take all necessary measures to safeguard children’s data protection rights.”
In January, TikTok was fined €5 million ($5.4 million) by France’s data protection authority (CNIL) for not sufficiently informing users on how it uses cookies and making it difficult to opt-out.