ICO fines TikTok £12.7 million for failing to protect children’s data
TikTok fined for data protection breaches
The ICO has fined TikTok £12.7 million for multiple breaches of UK data protection law regarding children’s personal data.
ICO investigations
The ICO began investigating after concerns were raised internally with senior employees about how children under the age of 13 were joining the platform and not being removed.
The ICO’s investigations found that TikTok failed to enforce age limits on using its app, leading to up to 1.4 million UK children under the age of 13 using the platform.
For children under 13, TikTok needed consent from their parents or carers to use their data. As TikTok did not obtain or establish consent, it had no lawful basis for processing. TikTok also failed to carry out adequate checks to identify and remove underage children from the platform.
Children’s data requires additional protection, as they are less aware of the risks involved. TikTok’s systems should have been designed with this in mind. The ICO found that TikTok did not provide easy-to-understand information about how personal data was to be processed. Children, therefore, could not make informed decisions about providing their data and engaging with the app.
Finally, the ICO found TikTok had failed to inform data subjects of how their data was being processed.
What breaches occurred?
Under the UK GDPR, controllers must have a lawful basis for processing personal data.
The ICO found that TikTok breached the UK GDPR between May 2018 and July 2020 by:
- Providing its services to UK children under the age of 13 and processing their personal data without consent or authorisation from their parents or carers
- Failing to provide proper information to people using the platform about how their data is collected, used, and shared in a way that is easy to understand, and
- Failing to ensure that the personal data belonging to its UK users was processed lawfully, fairly and in a transparent manner.
The level of fine reflects the serious impacts these failures may have had.
TikTok fine
The ICO initially issued TikTok with a notice of fine of £27 million. After receiving TikTok’s representations, the fine was reduced to £12.7 million. This was after the ICO decided not to pursue its initial finding that TikTok had processed special category data without legal grounds for doing so.
Next steps
TikTok states that it disagrees with the ICO’s decision, is reviewing the decision and considering next steps.
Since the conclusion of its investigation, the ICO has published the Children’s Code to help protect children in the digital world. This statutory code of practice is aimed at online services, such as apps and gaming platforms, that are likely to be accessed by children and provides 15 standards to ensure children have the best possible experience of online services.
If you have any questions on lawfully using data on an online platform, please contact our Data Privacy specialist below. Read more information on our data protection services.
Piers Leigh-Pollitt
Piers advises a mixture of corporates and individuals on a wide range of HR/employment law matters and data protection issues (mainly from an HR perspective). Piers is also the firm’s internal compliance officer and handles all regulatory and internal compliance matters. He also heads up the firm's Data Privacy team and holds the Practitioner Certificate in Data Protection (GDPR).
- Partner & Compliance Officer for Legal Practice
- T: +44 (0)118 951 6761
Mike Hibberd
Mike is an employment and data privacy law expert advising both organisations and senior individuals on a wide range of human resources and related issues.
- Legal Director
- T: +44 (0)118 951 6765