The popular social networking app TikTok, which allows users to record and share short videos, was fined £12.7 million on 4 April 2023 by the Information Commissioner’s Office (ICO) for breaching data protection laws.
What laws did TikTok breach?
Parental consent
Under article 8 of the UK General Data Protection Regulation (UK GDPR), an organisation must have parental consent if it wishes to use personal data when providing information society services to children under 13. TikTok was accused of exploiting these regulations by using children's personal information without their parents' consent during the period between May 2018 to July 2020. The networking app allowed up to 1.4 million UK children under the age of 13 to use its platform, notwithstanding that its terms and conditions specify 13 as the minimum age to register an account. It was later discovered that, at the time, TikTok’s systems were insufficient to enforce this age restriction.
Transparent information
Article 12 of the UK GDPR states that individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under UK law. For example, an organisation must disclose to the individual: the reasons why their personal information is being processed; how long that information will be kept; and who it will be shared with. Consequently, TikTok breached article 12 of the UK GDPR because it did not adequately inform its users of how their data was being gathered, used, and shared. As a result, users were not able to make informed decisions, particularly those under the age of 13, which was a fundamental breach.
Unlawful processing
Taking into the account the above, TikTok breached a key principle of the UK GDPR under article 5(1)(a) for the unlawful processing of children’s personal data in an unfair and untransparent way.
These findings were concluded by the ICO as a result of its extensive investigation into TikTok.
The ICO investigation
The ICO alleged that the app's efforts to identify and ban users who were underage fell short. Workers of TikTok reportedly expressed worries to senior staff about the lack of underage profiles that were being removed. Thus, TikTok may have used children’s data to track and profile them, potentially exposing children to dangerous or inappropriate content. Mr John Edwards from the UK Information Commissioners Office said “all that was required was a self-certification that the applicant was over 13, by clicking a box with no verification, with no extra checks. We understand that there are now significantly more checks and balances in place to detect that kind of thing.” He also added “there are laws in place to make sure our children are as safe in the digital world as they are in the physical world. TikTok did not abide by those laws”.
Although a representative for TikTok said the company disagrees with the ICO's decision, TikTok is grateful that the fine has been reduced by over half. This is because the original ICO notice of intent for TikTok in September 2022 suggested the fine should be up near £27 million. However, after considering TikTok's arguments, the ICO decided against pursuing the initial finding of “improper use of special category data”, which subsequently decreased the fine to £12.7 million.
Codes of Conduct
As the investigation of TikTok came to a close, the ICO released the ‘Children’s code’ in order to better safeguard children in the digital world. The Children’s code is a legal framework that sets out fifteen standards of conduct for online services that are likely to be utilised by minors. These include: websites, smart device apps, video sites, streaming platforms, games sites and social networking platforms. It is envisaged that, through effective compliance and governance, these standards will work as an aid in decreasing violations of the data protection laws surrounding children.
For more information on the data protection legislation or if you require advice or an audit as to whether your business currently meets UK GDPR standards, please feel free to contact a member of the Data Protection team.