TikTok is facing a £27 million ($29 million) fine after the U.K.’s Information Commissioner’s Office (ICO) provisionally found that the company breached child data protection laws for a two-year period.
The alleged law breach happened from May 2018 through July 2020, with the ICO noting that the company “may have” processed data of children under the age of 13 without parental consent. Additionally, it said the company may have “failed to provide proper information to its users in a concise, transparent and easily understood way” and “processed special category data, without legal grounds to do so.”
Special category data refers to sensitive personal data in areas such as sexual orientation, religious beliefs, ethnic and racial origin, political opinions and genetic and biometric data.
TikTok’s global rise over the past few years has been remarkable, giving incumbents such as Facebook a run for their money. Indeed, TikTok surpassed 1 billion active users last year, and children in particular are spending nearly as much time on TikTok as they are on YouTube in some markets, leading Google to invest heavily in a rival service called YouTube Shorts.
In response to growing concerns over its data privacy practices, TikTok has tried to placate regulators somewhat. Back in 2019, it started restricting virtual gifting to those over the age of 18, before opening a “trust and safety hub” in Europe. Elsewhere, TikTok has disabled direct messaging for under 16s, and introduced features such as “family safety mode” and screentime management.
Today’s revelation stems from an investigation the U.K. ICO first initiated back in 2019, as the regulatory body revealed that it would be looking into how TikTok collects private data. More specifically, the investigation sought to discover whether its practices constitute a breach of the General Data Protection Regulation (GDPR), which requires companies to put robust measures in place to protect underage users, including addressing how the platform allows children to interact with adults.
While today’s announcement is not final, it serves as a clear indication that the U.K.’s investigations have unearthed enough to warrant a potentially hefty fine. The ICO has issued a “notice of intent” to TikTok Inc. and TikTok Information Technologies UK Limited, which is basically a legal document that outlines its findings ahead of the final decision, giving TikTok a chance to respond.
“This Notice of Intent, covering the period May 2018 to July 2020, is provisional and as the ICO itself has stated, no final conclusions can be drawn at this time,” a TikTok spokesperson said in a statement issued to TechCrunch. “While we respect the ICO’s role in safeguarding privacy in the U.K., we disagree with the preliminary views expressed and intend to formally respond to the ICO in due course.”
The ICO was also quick to stress that “no conclusion should be drawn at this stage” in terms of whether there has been a breach of data protection law, or that any fine will in fact be imposed.
“We all want children to be able to learn and experience the digital world, but with proper data privacy protections,” Information Commissioner John Edwards said in a statement. “Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement.”
Under current laws, the U.K. has the power to fine companies that contravene U.K. GDPR or the Data Protection Act up to £17.5 million ($19 million) or 4% of their global turnover. In TikTok’s case, it reportedly raked in around $4 billion last year, though this figure is set to triple in 2022 — so a $29 million fine could be construed as a drop in the ocean.
Today’s news follows shortly after Instagram was hit with a €405 million ($405 million) fine by EU privacy regulators over its handling of children’s data.