TikTok could be fined £27 million for failing to protect the privacy of youngsters who use the app.
The Information Commissioner’s Office (ICO) of the United Kingdom discovered that the video-sharing network may have processed the data of minors without their consent.
The watchdog reported that the breach spanned more than two years – until July 2020 – but has not yet concluded.
TikTok denies the results and notes that they are “provisional.”
The ICO has sent a “notice of intent” to TikTok Inc. and TikTok Information Technologies UK Limited, which is a legal document that precedes potential penalties.
The notice outlines the ICO’s preliminary conclusion that TikTok violated British data protection law between May 2018 and July 2020.
The inquiry by the ICO revealed that the social network may have:
- processed the information of children under 13 years of age without parental authorization
- It failed to present its users with simple, clear, and easily understandable information.
- handled sensitive category data without legal justification
According to Ofcom, 44% of eight- to 12-year-olds in the United Kingdom use TikTok, despite the platform’s restrictions prohibiting users under the age of 13.
Information Commissioner John Edwards stated, “We all want children to be able to learn and explore the digital world, but with adequate data privacy safeguards.
“Companies providing digital services have a legal obligation to implement these safeguards, but our preliminary assessment is that TikTok fell short of this requirement.”
TikTok has implemented several safety and privacy enhancements, including the ability for parents to link their accounts to those of their children and the blocking of direct messaging for users under the age of 16.
However, Mr. Edwards stated, “I’ve made it plain that our efforts to better protect children online will involve collaborating with organizations, but if necessary, enforcement action as well.
In addition, we are now investigating how over fifty different online services comply with the Children’s Code, and we have six continuing investigations into digital service providers who, in our opinion, have not taken their responsibilities regarding child safety seriously enough.
The Children’s Code, which went into effect in September of last year, established new data protection codes of practice for online services likely to be accessed by children, based on existing data protection rules, with potential financial penalties for major violations.
The Information Commissioner’s Office stated that its conclusions in the notification were provisional and that it was premature to conclude that there had been a violation of data protection law.
“We will carefully evaluate any TikTok comments before making a final determination,” the statement continued.
A spokesman for TikTok remarked, “This notice of intent, which covers the period from May 2018 to July 2020, is provisional, and as the ICO has noted, no definitive conclusions can be formed at this time.
“While we respect the ICO’s duty in protecting privacy in the United Kingdom, we disagree with the preliminary opinions given and will react formally in due course.”
Previous conduct
The Federal Trade Commission fined the company a record $5.7 million in 2019 for mishandling children’s data.
It has also been penalized for identical reasons in South Korea.
The US Senate Commerce Committee voted in July to adopt a bill that would raise the age at which children receive online privacy protections to 16 and prohibit targeted advertising to children without parental approval.