The Information Commissioner’s Office (“ICO”) has imposed a £12.7 million fine on TikTok for a number of breaches of data protection law, including failing to use children’s personal data lawfully.
The ICO estimates that TikTok allowed up to 1.4 million UK children under 13 to use its platform in 2020, despite TikTok’s own rules not allowing children of that age to create an account. The ICO found that TikTok had failed to obtain the requisite parental consent under Article 8 UK GDPR. It also fined TikTok for breaches of Articles 12 and 13 GDPR, for failing to provide appropriate information to people using the platform about how their data is collected, used, and shared in a way that is easy to understand. Without that information, users of the platform, in particular children, were unlikely to be able to make informed choices about whether and how to engage with it. The ICO further found that TikTok had breached Article 5 UK GDPR, by failing to ensure that the personal data belonging to its UK users was processed lawfully, fairly and in a transparent manner.
The ICO’s announcement is available here.
The decision has been widely reported on, including by CNN, NBC, the Financial Times, the BBC, CNBC, the Guardian, the Telegraph and the Daily Mail.
Nikolaus Grubeck and Jenn Lawrence have been advising the ICO.