
Data Protection Fine for TikTok

Global social media company TikTok has been hit with a huge fine. The message is clear: make sure you have appropriate procedures in place to protect children's data. On 4 April 2023, the Information Commissioner's Office ("ICO") issued TikTok Inc and TikTok Information Technologies UK Limited ("TikTok") with the third largest fine in its history, totalling £12.7 million. The fine was for breaches of the Data Protection Act 2018 ("DPA") and the UK General Data Protection Regulation ("UK GDPR") between May 2018 and July 2020.

Despite the eye-watering figure, TikTok may take some comfort from the fact that this was roughly half the £27 million fine the ICO had initially proposed, after the ICO accepted some of TikTok's submissions and chose not to pursue the alleged breaches relating to special category data.

The long-awaited final decision was published on 15 May 2023.

TIKTOK'S BREACHES

The ICO found that TikTok did not make reasonable efforts to obtain consent from parents or carers for underage child users.

Where an online service is offered directly to a child and relies on consent as its lawful basis, Article 8 UK GDPR requires the data controller to obtain consent from a parent or carer of any child under 13 and to make reasonable efforts to verify that such consent has been given or authorised. TikTok's terms of service went one step further and explicitly prohibited children under 13 from creating an account. However, the ICO found that the systems TikTok had in place from 2018 to 2020 were not sufficient to enforce this. As a result, approximately 1.4 million UK children under 13 were able to use TikTok without the necessary consent or authorisation from their parents or carers.

FURTHER FINDINGS

The ICO further found that TikTok did not make reasonable efforts to prevent children under 13 from accessing the platform (despite their own rules prohibiting children of this age accessing the platform) and failed to identify any lawful basis for processing the children's data other than consent. The Information Commissioner, John Edwards, was specifically concerned that children's data could have been used to track and profile them to deliver inappropriate content.

The ICO also found that TikTok failed to ensure that information about its processing was communicated effectively and in an easily accessible way, so that children could make informed choices about how they engage with TikTok. Article 13 UK GDPR sets out the basic information that a privacy notice must contain, and Article 12 UK GDPR obliges the data controller (in this instance TikTok) to take appropriate measures to provide that information to data subjects in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to children.

As a result of these failures, the ICO found that TikTok breached Article 5(1)(a) UK GDPR, as it failed to ensure that the personal data of its UK users was processed lawfully, fairly and in a transparent manner.

CONCLUSION

The action taken by the ICO and the size of the final fine show a clear intent to ensure that children's data is adequately protected. There is significant concern amongst both privacy and children's safety campaigners that children do not know how to protect or restrict the use of their data for marketing and other targeted advertising, which can expose them to harmful or inappropriate content. One clear target is the lack of transparency in privacy notices, particularly those for services aimed at, or heavily used by, children. The investigation period pre-dates the ICO's Age Appropriate Design Code (the "Children's Code" or "the Code"), which came into force in September 2020, with a 12-month transition period, to help protect children using digital services.

The Code is a statutory code of practice rather than law in itself, but the ICO must take it into account when enforcing the UK GDPR, and courts and tribunals may also do so, so it serves as authoritative guidance on how the UK GDPR applies to services engaging children. Where services are targeted at children, or where it is highly likely that children will use them, controllers must be aware of the additional protections afforded to children under 13 by the UK GDPR. Organisations must have stringent procedures in place to obtain consent from the parent or carer of children under 13 and should have regard to the Code to ensure compliance with the UK GDPR. Whilst each controller is required to take a proportionate approach, the size of the fine shows that the measures taken by TikTok were not deemed sufficient in the circumstances, given the resources it claims to have invested in online safety.

Our specialist data protection team at Blake Morgan can advise on any data protection queries you may have; please contact us here: https://www.blakemorgan.co.uk/service/data-protection-lawyers/
