GDPR

TikTok fined $379M in EU for failing to keep kids’ data safe

It’s been a long time coming but TikTok has finally been found in breach of the European Union’s General Data Protection Regulation (GDPR) in relation to its handling of children’s data. Under the decision issued today by the Irish Data Protection Commission (DPC), the video sharing platform has been reprimanded and fined €345 million (~$379 million). It has also been ordered to bring its offending data processing into compliance within three months.

In all, TikTok has been found to have violated the following eight articles of the GDPR: 5(1)(a); 5(1)(c); 5(1)(f); 24(1); 25(1); 25(2); 12(1); and 13(1)(e). These cover breaches of lawfulness, fairness and transparency of data processing; data minimization; data security; responsibility of the controller; data protection by design and default; and the rights of the data subject (including minors) to receive clear communications about data processing and to receive information on recipients of their personal data. So it’s quite the laundry list of failings.

The decision did not find a breach in relation to the methods TikTok used for age verification, which has been a flash point for it with a number of regional regulators. But the Irish watchdog notes the decision does record a violation of Article 24(1) of the GDPR: it found TikTok did not implement appropriate technical and organisational measures, since it did not properly consider certain risks posed to under-13s who gained access to the platform, as the default account setting allowed anyone (on or off TikTok) to view social media content posted by those users.

Settings TikTok had implemented at this time were found to have enabled child users to progress through the sign-up process in such a manner that their accounts were set to public by default. “This also meant that, for example, videos that were posted to child users’ account were public-by-default, comments were enabled publicly by default, the ‘Duet’ and ‘Stitch’ features were enabled by default,” the DPC notes. 

A child’s account could also be “paired” with an unverified non-child user — via a so-called “Family Pairing” feature — but TikTok did not verify whether the user was actually the child user’s parent or guardian. The non-child user could use the feature to enable direct messages for child users above the age of 16 — “thereby making this feature less strict for the child user”, per the DPC’s findings.

Responding to the decision, a TikTok spokesperson sent us this statement:

We respectfully disagree with the decision, particularly the level of the fine imposed. The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under 16 accounts to private by default.

TikTok also told us it is considering its next steps in light of the sanction. So the platform could seek to file a legal appeal in Ireland.

In a longer response posted to its website, Elaine Fox, TikTok’s head of privacy in Europe, elaborated on measures she said the company took to address safety concerns prior to the DPC’s investi


GDPR

Mistral just updated its open source Small model from 3.1 to 3.2: here’s why

The fact that it is made by a French startup and compliant with EU rules and regulations such as GDPR and the EU AI Act also helps its appeal…

GDPR

UK passes updated data bill, without AI copyright provisions

If it gets Royal approval, the DUA Act will become law and herald a significant change to the U.K.’s data protection framework since GDPR. The post UK passes updated data bill, without AI copyright provisions appeared first on CoinGeek…

GDPR

8 steps to ensure data privacy compliance across borders

As organizations expand internationally, IT leaders must navigate a maze of regulations, from the General Data Protection Regulation (GDPR), to the California Consumer Privacy Act (CCPA), as well as other region-specific privacy laws. So to stay compliant, they should have strong plans that cover data mapping…

GDPR

Group condemns critics of varsity, medical centre projects in Southern Kaduna

A socio-political group, the Southern Kaduna Peoples Alliance for Good Governance Against Divisive Politics in the Region (SKPAGGDPR), has condemned what it described as attempts by some individuals to sow discord among key political leaders over the recent establishment of The post Group condemns critics of varsity…
