The Irish Data Protection Commission (DPC) slapped TikTok with a €345 million (about $368 million) fine for violating the European Union's General Data Protection Regulation (GDPR) in relation to its handling of children's data.
The investigation, initiated in September 2021, examined how the popular short-form video platform processed personal data relating to child users (those between the ages of 13 and 17) between July 31 and December 31, 2020.
Some of the major findings include:
- The content posted by child users was set to public by default, thereby allowing any individual (with or without TikTok) to view the material and exposing them to additional risks
- A failure to provide transparency information to child users
- The implementation of dark patterns to steer users towards opting for privacy-intrusive options during the registration process, and when posting videos
- A weakness in the Family Sharing setting that allowed any non-child user (someone who could not be verified as the child's parent or guardian) to pair their account with that of a minor, which made it possible for the adult user to enable direct messages for child users above the age of 16
In addition to the financial penalty, the DPC has ordered TikTok to bring its processing mechanisms into compliance within three months.
"Social media companies have a responsibility to avoid presenting choices to users, especially children, in an unfair manner – particularly if that presentation can nudge people into making decisions that violate their privacy interests," Anu Talus, EDPB Chair, said.
"Options related to privacy should be provided in an objective and neutral way, avoiding any kind of deceptive or manipulative language or design."
In a statement shared on its website, the company disagreed with the decision and said that the criticisms are focused on features and settings that were in place three years ago, which have since been changed by setting all under-16 accounts to private by default. It's not immediately clear if the company intends to appeal the ruling.
The company also said it will roll out a redesigned account registration flow for new 16 and 17-year-old users late this month that will be pre-selected to a private account. TikTok has about 134 million monthly users in the E.U.
TikTok was previously handed a €5 million (about $5.4 million) fine by the French data protection watchdog in January 2023 for breaking cookie consent rules and for making the opt-out mechanism more complex than opting in.
The development arrives days after California's Attorney General announced that Google would fork out $93 million to settle a privacy lawsuit alleging it violated the U.S. state's consumer protection laws by collecting users' location data for consumer profiling and advertising purposes without informed consent.