TikTok hit with $15.7M UK fine for misusing children’s data

TikTok has been issued with a fine of £12.7 million (~$15.7M) for breaching U./K. data protection law, including rules intended to protect children.

The privacy watchdog, the Information Commissioner’s Office (ICO), announced today that it found the video sharing site “did not do enough” to check who was using their platform and failed to take sufficient action to remove the underage children that were using the service.

Per the ICO, TikTok had an estimated 1.4 million underage U.K. users during a two-year period, between May 2018 and July 2020 — which its investigation was focused on — contrary to terms of service stating users must be 13 or older.

The U.K.’s data protection regime sets a cap on the age children can consent to their data being processed at 13-years-old — meaning TikTok would have needed to obtain parental consent to lawfully process these minors data (which the company did not do).

“We fined TikTok for providing services to U.K. children under the age of 13 and processing their personal data without consent or authorisation from their parents or carers. We expect TikTok to continue its efforts to take adequate checks to identify and remove underage children from its platform,” an ICO spokesperson told us.

Additionally, the ICO found TikTok breached transparency and fairness requirements in the U.K.’s General Data Protection Regulation (GDPR) — by failing to provide users with proper, easy-to-understand information about their data is collected, used, and shared.

“Without that information, users of the platform, in particular children, were unlikely to be able to make informed choices about whether and how to engage with it,” the ICO noted in a press release announcing the penalty for misusing children’s data.

Commenting in a statement, John Edwards, the U.K. information commissioner, added:

There are laws in place to make sure our children are as safe in the digital world as they are in the physical world. TikTok did not abide by those laws.

As a consequence, an estimated one million under 13s were inappropriately granted access to the platform, with TikTok collecting and using their personal data. That means that their data may have been used to track them and profile them, potentially delivering harmful, inappropriate content at their very next scroll.

TikTok should have known better. TikTok should have done better. Our £12.7m fine reflects the serious impact their failures may have had. They did not do enough to check who was using their platform or take sufficient action to remove the underage children that were using their platform.

TikTok was contacted for comment on the ICO’s enforcement. The company told us it’s reviewing the decision to consider next steps.

In a statement a TikTok spokesperson said:

TikTok is a platform for users aged 13 and over. We invest heavily to help keep under 13s off the platform and our 40,000 strong safety team works around the clock to help keep the platform safe for our community. While we disagree with the ICO’s decision, which relates to May 2018 – July 2020, we are pleased that the fine announced today has been reduced to under half the amount proposed last year. We will continue to review the decision and are considering next steps.

TikTok claims it has taken a number of steps to address the issues it’s being fined for today. Although it continues to deploy an age-gate in which users are asked to input their date of birth in order to create an account (meaning that, if they’re underage, they can lie to circumvent the measure).

However it says it supplements this with beefed up systems and training for its safety moderation team to look for signs an account may be used by a child under the age of 13 so they can flag accounts and send them for review. It also claims it promptly responds to requests from parents to remove underage account — and uses other information provided by users, such as keywords and in-app reports, to help surface potential underage accounts.

TikTok further suggests it has improved transparency and accountability in this area — saying it produces regular reports about the number of underage users removed from the platform (in the last three months of 2022, it said the figure stood at over 17 million suspected underage accounts removed globally; but it does not report this data a per country basis); as well as offering family pairing to help parents keep tabs on kids’ usage.

Despite the social media platform being found to have breach the U.K. GDPR on lawfulness, transparency and fairness grounds over a two year period, it’s only facing a penalty in the double digits — far below the theoretical maximum (of up to 4% of global annual turnover) — so the settlement looks pretty generous to TikTok.

The figure is also notably less than half the amount originally proposed by the ICO, back in September, when the regulator issued a provisional finding saying it could fine the company up to £27M ($29M) for what were then a range of suspected breaches.

The reason for the substantial haircut to the size of the fine is a decision by the regulator not to pursue a provisional finding related to the unlawful use of special category data following representations from TikTok.

Under the GDPR, special category data refers to particularly sensitive classes of information, such as sexual orientation, religious beliefs, political affiliation, racial or ethnic origin, health data, biometric data used for identification — where the bar for lawful processing is higher than for personal data; and if consent is the basis being relied upon there’s a higher standard of explicit consent.

This means, last year, the ICO had suspected TikTok of processing this kind of information without a lawful basis. But the company was able to persuade it to drop that concern.

It’s not clear exactly why the ICO dropped the special category data line of investigation. But in response to questions from TechCrunch, a spokesperson for the regulator suggested it boils down to a lack of resources — telling us:

We took into consideration the representations from TikTok and decided not to pursue the provisional finding relating to the unlawful use of special category data. That does not mean that the use of special category data by social media companies is not of importance to the ICO. But we need to be strategic about our resources and, in this case, the Commissioner exercised his discretion to not pursue the provisional finding related to the unlawful use of special category data. This potential infringement was not included in the final amount of the fine set at £12.7 million, and this was the main reason why the provisional fine was reduced to £12.7M. The amount of this fine has been set in accordance with our Regulatory Action Policy.

The ICO does have a history of inaction over systematic breaches by the behavioral advertising industry — and its failure to clean up the tracking-and-targeting adtech industry may complicate its ability to pursue individual platforms that also rely on data-dependent tracking, profiling and ads-microtargeting to monetize a ‘free’ service.

Children’s data protection has certainly been a stronger focus area for the U.K. watchdog. In recent years, following pressure from campaign groups and U.K. parliamentarians, it set out an age appropriate design code that’s linked to GDPR compliance (and therefore to the risk of fines for those who ignore the recommended standards). Active enforcement of the kids’ privacy and safety Code kicked off in September 2021. Although it’s fair to say there hasn’t been a tsunami of enforcements as yet — but the ICO has been undertaking a number of investigations.

With the U.K. no longer a member of the European Union, the ICO’s enforcement of the GDPR is U.K.-only — and it’s worth noting TikTok’s business remains under investigation in the EU over how it processes children’s data.

Ireland’s Data Protection Commission (DPC) opened an investigation of TikTok’s handling of children’s data back in September 2021. That pan-EU probe is ongoing — and we understand the European Data Protection Board is expected to have to take a binding decision to settle disagreements between DPAs on Ireland’s draft decision, so there could be many more months for the process to run yet. Also ongoing in the EU: An investigation by the DPC of TikTok’s data transfers to China since the GDPR also governs data exports (which is of course a very hot topic where TikTok is concerned these days).

One point of comparison: Last year, rival social network Instagram was fined €405M for misusing children’s data under the EU’s application of the GDPR. Although, in that case, the penalty reflects cross-border data processing activity across the 27-Member State bloc — whereas the ICO’s enforcement of TikTok is conducted on behalf of only U.K. users, hence some of the difference in size between the penalties levied.