Irish regulators have imposed a hefty €345 million (£296 million) fine on TikTok for breaching children’s privacy. The complaint centered on TikTok’s handling of children’s data in 2020, particularly related to age verification and privacy settings. This fine marks the largest penalty TikTok has faced from regulators.
TikTok’s response to the fine included expressing disagreement with the decision, especially regarding the substantial fine imposed. They noted that the criticisms focused on features and settings that were in place three years ago, some of which were changed before the investigation began, such as setting all accounts of users under 16 to private by default.
The fine was issued by Ireland’s Data Protection Commission (DPC) under the EU’s General Data Protection Regulation (GDPR) privacy law, which outlines rules for data handling by companies. The DPC found that TikTok lacked transparency in communicating privacy settings to children and raised concerns about how their data was processed.
Data Protection Commissioner Helen Dixon explained that the inquiry discovered that accounts created by users aged between 13 and 17 were set to public by default upon registration, making their content visible to anyone. TikTok’s platform design was identified as the reason for this, and it was deemed a violation of GDPR’s data protection requirements.
TikTok has been given a three-month deadline to bring its data processing practices fully in line with GDPR.
Professor Sonia Livingstone, an expert in children’s digital rights and experiences at the London School of Economics and Political Science, praised the DPC’s decision, emphasizing the importance of platforms treating children’s data fairly and respecting their privacy rights.
An ongoing investigation is also examining whether TikTok unlawfully transferred data from the EU to China, as TikTok is owned by the Beijing-based company ByteDance.
While the fine is substantial, it is smaller than recent penalties, such as the €1.2 billion fine imposed on Meta in May for mishandling data transfers between Europe and the United States. However, it is significantly larger than the £12.7 million fine issued by the UK data watchdog to TikTok in April for allowing children under 13 to use the platform in 2020.
It’s important to note that the DPC’s fine specifically relates to TikTok’s actions in 2020, and the company took various measures in subsequent years to improve compliance. These measures included setting accounts for users aged 13 to 15 to private by default in January 2021 and introducing a change in the current month, making all accounts of 16 and 17-year-olds private by default upon registration.