TikTok has been fined £12.7m for data privacy failures – one of the largest fines issued by the UK regulator.
The Information Commissioner's Office (ICO) said the company breached the UK GDPR and the Data Protection Act by “misusing children’s data”. Companies in breach can be fined up to 4% of their annual revenue.
An investigation found the social media app may have breached the following between 2018 and 2020:
- Processing the data of children under the age of 13
TikTok was found to have used children’s data without parental consent – as children under 13 cannot give consent to having their data processed. Although TikTok in theory bans anyone under 13 from the app, it was found that around 1.4m children in the UK still have accounts and regularly use the app.
- Failing to provide proper information to its users
Under GDPR rules, users have a right to be properly informed about the use of their data. TikTok is accused of failing to provide proper information in a “concise, transparent and easily understood way”. This was especially relevant given that a huge number of users are children who cannot make informed decisions about how to engage with the app.
- Failure to process data transparently and fairly
Following the initial investigation into TikTok, the ICO published the Children’s Code in September 2020. The code is aimed at online services likely to be accessed by children.
News of the fine comes on the same day that Australia announced it will ban TikTok on all government devices over security concerns. The app is already banned on government devices in the UK, US and Canada.
Earlier in March, TikTok’s CEO was also questioned by Congress about security concerns relating to its China-based parent company ByteDance and worries that the app allows children to view harmful content.