Privacy

TikTok fined $379M in EU for failing to keep kids’ data safe

Comment

A TikTok logo is seen displayed on a smartphone
Image Credits: Mateusz Slodkowski/SOPA Images / Getty Images

It’s been a long time coming but TikTok has finally been found in breach of the European Union’s General Data Protection Regulation (GDPR) in relation to its handling of children’s data. Under the decision issued today by the Irish Data Protection Commission (DPC), the video sharing platform has been reprimanded and fined €345 million (~$379 million). It has also been ordered to bring its offending data processing into compliance within three months.

In all TikTok has been found to have violated the following eight articles of the GDPR: 5(1)(a); 5(1)(c); 5(1)(f); 24(1); 25(1); 25(2); 12(1); and 13(1)(e) — aka breaches of lawfulness, fairness and transparency of data processing; data minimization; data security; responsibility of the controller; data protection by design and default; and the rights of the data subject (including minors) to receive clear communications about data processing; and to receive information on recipients of their personal data. So it’s quite the laundry list of failings.

The decision did not find a breach in relation to methods used by TikTok for age verification, which has been a flash point for it with a number of regional regulators, but the Irish watchdog notes the decision does record a violation of Article 24(1) of the GDPR — as it found TikTok did not implement appropriate technical and organisational measures since it did not properly consider certain risks posed to under 13s who gained access to the platform as the default account setting allowed anyone (on or off TikTok) to view social media content posted by those users.

Settings TikTok had implemented at this time were found to have enabled child users to progress through the sign-up process in such a manner that their accounts were set to public by default. “This also meant that, for example, videos that were posted to child users’ account were public-by-default, comments were enabled publicly by default, the ‘Duet’ and ‘Stitch’ features were enabled by default,” the DPC notes. 

 A child’s account could also be “paired” with an unverified non-child user — via a so-called “Family Pairing” feature — but TikTok did not verify whether the user was actually the child user’s parent or guardian. The non-child user could use the feature to enable direct messages for child users above the age of 16 — “thereby making this feature less strict for the child user”, per the DPC’s findings.

Responding to the decision, a TikTok spokesperson sent us this statement:

We respectfully disagree with the decision, particularly the level of the fine imposed. The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under 16 accounts to private by default.

TikTok also told us it is considering its next steps in light of the sanction. So the platform could seek to file a legal appeal in Ireland.

In a longer response posted to its website, Elaine Fox, TikTok’s head of privacy in Europe, elaborated on measures she said the company took to address safety concerns prior to the DPC’s investigation beginning, such as setting accounts of users aged 13-15 private by default.

She also claimed that in 2021 TikTok became the first (“and remain[s] the only”) major platform to publicly disclose the number of suspected underage accounts it removes. “We publish this in our quarterly Community Guideline Enforcement Reports and during the first three months of 2023, we removed nearly 17 million such accounts globally,” she wrote, adding: “Age assurance is an industry-wide challenge. We will continue to engage with regulators and other experts to identify new solutions that further enhance our efforts to keep underage users off the platform.”

Per the blog post, TikTok has more than 134 million monthly active users across the European Union.

Unsafe by default

The DPC’s child data TikTok enquiry focused on a five month period (July 31, 2020 to December 31, 2020) — looking at whether TikTok complied with its obligations under the GDPR in relation to its processing of personal data relating to child users of the platform in the context of certain platform settings (including public-by-default settings; and settings associated with the aforementioned “Family Pairing” feature); as well as examining age verification as part of the registration process.

The DPC also looked at “certain” transparency obligations, including how information was provided to child users in relation to default settings.

Its preliminary findings (draft decision) found slightly fewer breaches of the GDPR than have been confirmed in the today’s final decision. But objections were raised to its draft decision by two other authorities (Italy’s DPA and the Berlin authority) and the disagreement was passed the European Data Protection Board (EDPB) to take a binding decision — which agreed there should also be a finding of a breach of the GDPR’s fairness principle. The Board also ordered Ireland to extend the scope of the order to bring processing into compliance to refer to the remedial work required to address the fairness breach.

The EDPB said its binding decision included analysis it undertook of design practices implemented by TikTok in the context of two pop-up notifications that were shown to children aged 13-17 (namely the Registration Pop-Up and Video Posting Pop-Up) — both of which it found had failed to present options to the user in an objective and neutral way. Hence its finding that TikTok infringed the GDPR’s fairness principle.

“In the Registration Pop-Up, children were nudged to opt for a public account by choosing the right-side button labelled ‘Skip’, which would then have a cascading effect on the child’s privacy on the platform, for example by making comments on video content created by children accessible,” the EDPB wrote in a press release.

“In the Video Posting Pop-Up, children were nudged to click on ‘Post Now’, presented in a bold, darker text located on the right side, rather than on the lighter button to ‘cancel’. Users who wished to make their post private first needed to select ‘cancel’ and then look for the privacy settings in order to switch to a ‘private account’. Therefore, users were encouraged to opt for public-by-default settings, with TikTok making it harder for them to make choices that favoured the protection of their personal data. Furthermore, the consequences of the different options were unclear, particularly to child users.

“The EDPB confirmed that controllers should not make it difficult for data subjects to adjust their privacy settings and limit the processing.”

Commenting in a statement, EDPB chair, Anu Talus, added:

Social media companies have a responsibility to avoid presenting choices to users, especially children, in an unfair manner — particularly if that presentation can nudge people into making decisions that violate their privacy interests. Options related to privacy should be provided in an objective and neutral way, avoiding any kind of deceptive or manipulative language or design. With this decision, the EDPB once again makes it clear that digital players have to be extra careful and take all necessary measures to safeguard children’s data protection rights.

On age verification, the Board also had concerns over whether TikTok’s approach complied with the GDPR’s requirement for data protection by design — and expressed “serious doubts regarding the effectiveness of the age verification measures put in place by TikTok during this period, particularly taking into account the severity of the risks for the high number of children affected”; finding, for example, that the age gate deployed by TikTok could be “easily circumvented and that the measures applied after users gained access to TikTok were not applied in a sufficiently systematic manner”.

However it concluded it did not have sufficient information, especially in relation to state of the art technology for age verification, to conclusively assess this component of TikTok’s compliance during this period. Hence the decision does not find a breach in relation to age verification.

The DPC’s final decision, which implements the EDPB’s binding decision, was adopted on September 1, 2023 — suggesting TikTok has until the start of December to rectify its GDPR compliance or risk further sanction.

Although the company’s contention is it has already fixed the bulk of the issues it’s being sanctioned for today — hence its “particular” objection to the level of fine.

The U.K.’s privacy regulator, the ICO, issued its own penalty on TikTok earlier this year — also in relation to its handling of children’s data — handing down a fine of ~$15.7 million for breaching the U.K.’s data protection regime between May 2018 and July 2020, including for failing to prevent an estimated 1.4 million underage users from accessing its platform.

A more sizeable GDPR fine was handed down in the EU on Meta-owned Instagram last year also in relation to data protection violations affecting children. In that case the tech giant was sanctioned €405 million at the end of a DPC enquiry that started back in October 2020.

Sanctions relating to child protection concerns continue to account for some of the biggest penalties handed down by European privacy regulators in recent years. Although the sums involved still remain a ways off the largest GDPR sanction to date: A €1.2 billion penalty for Meta’s illegal data transfers.

That may not be much comfort to TikTok, however, given its own data exports remain under investigation in the EU. The DPC’s deputy commissioner, Graham Doyle, told TechCrunch it hopes to be able to submit a draft decision on this second TikTok probe, focused on data transfers, to other regional data protection authorities for review by the end of the year. (A final decision, therefore, should come in 2024 — with the exact timing depending on whether other authorities disagree with Ireland’s preliminary findings.)

The EDPB has been called to take binding decisions on a number of Ireland-led GDPR investigations on Big Tech since the regulation came into force. In all cases the resulting sanctions have been stepped up via the Board’s intervention — sometimes substantially and often both in terms of the size of the financial penalties issued and the scope of the breach findings.

Pressure to act

The Irish regulator opened the two aforementioned TikTok probes, into data transfers and the one related to today’s decision on the processing of minors’ data, two years ago. The move followed pressure from other EU data protection authorities and consumers protection groups which had raised concerns about how the platform handles’ user data generally and children’s information specifically.

Earlier the same year Italy’s data protection authority took emergency action against TikTok over child safety concerns. Its interventions led to the platform rechecking the age of every user in the country and purging over half a million accounts which it could not verify did not belong to minors under the age of 13.

Around this time EU consumer protection authorities also raised a series of red flags over privacy and child safety concerns. But it still took several more months before the Irish regulator announced its enquiry.

The sluggish response to child safety concerns arising from kids’ use of TikTok contributed to the DPC’s commissioner, Helen Dixon, being on the receiving end of some hostile questioning by MEPs during a hearing in the European Parliament earlier this year. EU lawmakers also raised wider concerns about the regulator’s approach — wondering whether the Irish regulator up to the job of enforcing the GDPR on major tech platforms.

Dixon responded with a robust defence of what she claimed is “busy GDPR enforcement” by the Irish authority. On TikTok specifically she claimed the DPC is working as fast as it can given the large volumes of material being examined.

This report was updated to include additional detail from the EDPB

TikTok’s lead privacy regulator in Europe takes heat from MEPs

Ireland probes TikTok’s handling of kids’ data and transfers to China

More TechCrunch

Around 550 employees across autonomous vehicle company Motional have been laid off, according to information taken from WARN notice filings and sources at the company.  Earlier this week, TechCrunch reported…

Motional cut about 550 employees, around 40%, in recent restructuring, sources say

It ran 110 minutes, but Google managed to reference AI a whopping 121 times during its I/O 2024 (by its own count). CEO Sundar Pichai referenced the figure to wrap…

Google mentioned ‘AI’ 120+ times during its I/O keynote

Here are quick hits of the biggest news from the keynote as they are announced.

Google I/O 2024: Here’s everything Google just announced

Google Play has a new discovery feature for apps, new ways to acquire users, updates to Play Points, and other enhancements to developer-facing tools.

Google Play preps a new full-screen app discovery feature and adds more developer tools

Soon, Android users will be able to drag and drop AI-generated images directly into their Gmail, Google Messages and other apps.

Gemini on Android becomes more capable and works with Gmail, Messages, YouTube and more

Veo can capture different visual and cinematic styles, including shots of landscapes and timelapses, and make edits and adjustments to already-generated footage.

Google gets serious about AI-generated video at Google I/O 2024

In addition to the body of the emails themselves, the feature will also be able to analyze attachments, like PDFs.

Gemini comes to Gmail to summarize, draft emails, and more

The summaries are created based on Gemini’s analysis of insights from Google Maps’ community of more than 300 million contributors.

Google is bringing Gemini capabilities to Google Maps Platform

Google says that over 100,000 developers already tried the service.

Project IDX, Google’s next-gen IDE, is now in open beta

The system effectively listens for “conversation patterns commonly associated with scams” in-real time. 

Google will use Gemini to detect scams during calls

The standard Gemma models were only available in 2 billion and 7 billion parameter versions, making this quite a step up.

Google announces Gemma 2, a 27B-parameter version of its open model, launching in June

This is a great example of a company using generative AI to open its software to more users.

Google TalkBack will use Gemini to describe images for blind people

Firebase Genkit is an open source framework that enables developers to quickly build AI into new and existing applications.

Google launches Firebase Genkit, a new open source framework for building AI-powered apps

This will enable developers to use the on-device model to power their own AI features.

Google is building its Gemini Nano AI model into Chrome on the desktop

Google’s Circle to Search feature will now be able to solve more complex problems across psychics and math word problems. 

Circle to Search is now a better homework helper

People can now search using a video they upload combined with a text query to get an AI overview of the answers they need.

Google experiments with using video to search, thanks to Gemini AI

A search results page based on generative AI as its ranking mechanism will have wide-reaching consequences for online publishers.

Google will soon start using GenAI to organize some search results pages

Google has built a custom Gemini model for search to combine real-time information, Google’s ranking, long context and multimodal features.

Google is adding more AI to its search results

At its Google I/O developer conference, Google on Tuesday announced the next generation of its Tensor Processing Units (TPU) AI chips.

Google’s next-gen TPUs promise a 4.7x performance boost

Google is upgrading Gemini, its AI-powered chatbot, with features aimed at making the experience more ambient and contextually useful.

Google reveals plans for upgrading AI in the real world through Gemini Live at Google I/O 2024

Veo can generate few-seconds-long 1080p video clips given a text prompt.

Google’s image-generating AI gets an upgrade

At Google I/O, Google announced upgrades to Gemini 1.5 Pro, including a bigger context window. .

Google’s generative AI can now analyze hours of video

The AI upgrade will make finding the right content more intuitive and less of a manual search process.

Google Photos introduces an AI search feature, Ask Photos

Apple released new data about anti-fraud measures related to its operation of the iOS App Store on Tuesday morning, trumpeting a claim that it stopped over $7 billion in “potentially…

Apple touts stopping $1.8B in App Store fraud last year in latest pitch to developers

Online travel agency Expedia is testing an AI assistant that bolsters features like search, itinerary building, trip planning, and real-time travel updates.

Expedia starts testing AI-powered features for search and travel planning

Welcome to TechCrunch Fintech! This week, we look at the drama around TabaPay deciding to not buy Synapse’s assets, as well as stocks dropping for a couple of fintechs, Monzo raising…

Inside TabaPay’s drama-filled decision to abandon its plans to buy Synapse’s assets

The person who claimed to have stolen the physical addresses of 49 million Dell customers appears to have taken more data from a different Dell portal, TechCrunch has learned. The…

Threat actor scraped Dell support tickets, including customer phone numbers

If you write the words “cis” or “cisgender” on X, you might be served this full-screen message: “This post contains language that may be considered a slur by X and…

On Elon’s whim, X now treats ‘cisgender’ as a slur

The keynote kicks off at 10 a.m. PT on Tuesday and will offer glimpses into the latest versions of Android, Wear OS and Android TV.

Google I/O 2024: Watch the AI reveals live

Facebook once had big ambitions to be a major player in enterprise communication and productivity, but today the social network’s parent company Meta will be closing a very significant chapter…

Meta is shutting down Workplace, its enterprise communications business