TikTok will pay a fine of £12.7M, or roughly $16 million, to the UK Information Commissioner’s Office (ICO) over multiple data protection violations, including the unlawful use of children’s personal data and using the data tied to children under the age of 13 without parental consent.
Under UK data protection laws, organizations that offer information society services to children under 13 and use personal data must first gain parental and guardian consent. But ICO found that TikTok allowed an estimated 1.4 million children under 13 to use the app in 2020, in contradiction to its own policies that would prevent young children from creating an account.
ICO determined TikTok failed to gain parental consent “even though it ought to have been aware” that underage children were using the platform. The violation stemmed from TikTok’s failure to “carry out adequate checks to identify and remove underage children from its platform.”
What’s more, the investigation into TikTok revealed senior employees were aware of the violation and raised concerns. It’s ICO’s belief that TikTok did not adequately respond.
UK Information Commissioner John Edwards asserted the fine “reflects the serious impact their failures may have had” on underage children, after the app’s leaders failed to check who was using the platform or “take sufficient action to remove the underage children” from the app.
“There are laws in place to make sure our children are as safe in the digital world as they are in the physical world. TikTok did not abide by those laws,” Edwards said in a statement. “As a consequence, an estimated one million under 13s were inappropriately granted access to the platform, with TikTok collecting and using their data.”
“That means that their data may have been used to track them and profile them, potentially delivering harmful, inappropriate content at their very next scroll,” he added. “TikTok should have known better. TikTok should have done better.”
The ICO found that TikTok breached the UK General Data Protection Regulation (UK GDPR) between May 2018 and July 2020 by:
Specifically, ICO found TikTok failed to provide proper and clearly understandable information to users about how their data is collected, used, and shared. As a result, users, especially children, “were unlikely to be able to make informed choices” about whether they should engage with the app.
TikTok is also accused of failing to ensure personal data was lawfully, transparently, and fairly processed.
Following the investigation, ICO published a children’s code to better protect the digital identities of children. The “statutory code of practice” is meant for apps, gaming platforms, and social media sites designed to be accessed by children.
The regulatory action follows a contentious House Energy and Commerce hearing on March 23 that saw TikTok CEO Shou Zi Chew lambasted by lawmakers for the alleged threat TikTok poses to national security.
Chew defended claims the app was “spying” on Americans and enabled China to use TikTok to monitor user locations, referencing the ongoing Project Texas effort that will relocate all U.S. data to a domestic location and give a U.S. tech firm the authority to examine the app’s code.
But the testimony did not go far enough for some lawmakers. Rep. Diana DeGette, D-Colo., said Chew’s testimony gave “only generalized statements that you're investing, that you're concerned, that you're doing work. That's not enough.”
U.S. lawmakers are proposing a national ban on TikTok, following a ban of the app from federal government devices. Australia recently became the latest country to propose a temporary ban on the app, mirroring similar actions by India and other government bodies.