TikTok has been hit with a substantial €345 million fine by the Irish data watchdog for violating EU data laws, particularly regarding children’s accounts.
The Irish Data Protection Commission (DPC), responsible for regulating TikTok across the EU, found that the Chinese-owned video-sharing platform had committed multiple breaches of GDPR (General Data Protection Regulation) rules.
The violations identified by the DPC include:
- Default Public Settings for Children: TikTok placed child users’ accounts on a public setting by default, allowing anyone to view their content or leave comments.
- Lack of Verification for Adult Access: The “family pairing” scheme, designed to give adults control over a child’s account settings, did not adequately verify whether the adult was genuinely a parent or guardian.
- Inadequate Consideration of Risks for Under-13 Users: The platform did not sufficiently assess the risks posed to users under the age of 13 who were placed on a public setting.
- Default Enabling of Duet and Stitch Features: Features that allowed users to combine their content with others (Duet and Stitch) were enabled by default for users under 17.
While TikTok’s methods for verifying users’ ages did not violate GDPR, the company faced a significant fine due to these other infractions. Notably, this isn’t TikTok’s first GDPR-related penalty, as it was previously fined £12.7 million by the UK data regulator for illegally processing the data of over 1.4 million children under 13 without parental consent.
TikTok responded by stating that it had already made changes to address the issues raised by the investigation. “We respectfully disagree with the decision, particularly the level of the fine imposed. The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under-16 accounts to private by default.”
Since 2021, all TikTok accounts for users aged 13 to 15 have been set to private by default.
The DPC’s decision also acknowledged that it had been overruled by the European Data Protection Board on some aspects of its findings, including the use of “dark patterns” on the platform, which are deceptive design practices aimed at influencing user behavior and choices. These practices were found to breach GDPR provisions on fair processing of personal data.
Why does this matter?
TikTok’s significant GDPR fine underscores the importance of safeguarding children’s data and ensuring compliance with data protection regulations, even for widely used social media platforms. TikTok is hoping that its recent announcement of moving all data to an EU-based data centre will prevent any further penalties or even a potential ban for the social media platform.