The ICO estimates that up to 1.4m children in the UK used TikTok in 2020, despite the platform’s own rules not allowing children to create an account.
TikTok has been fined £12.7m by the UK’s data watchdog for failing to protect the privacy of children on its platform.
The Information Commissioner’s Office (ICO) found that TikTok breached GDPR between 2018 and 2020 by providing services to children under the age of 13 and processing their personal data without consent from parents or carers.
The ICO estimates that up to 1.4m children under the age of 13 in the UK were able to use the video platform in 2020, despite TikTok’s own rules not allowing children that age to create an account.
The data watchdog also said concerns were raised internally by senior TikTok employees about children using the platform. The ICO said TikTok “did not respond adequately”.
UK information commissioner John Edwards said the data of these children could have been used to track and profile them, “potentially delivering harmful, inappropriate content at their very next scroll”.
“TikTok should have known better,” Edwards said. “TikTok should have done better. They did not do enough to check who was using their platform or take sufficient action to remove the underage children that were using their platform.”
Last September, the ICO gave notice to TikTok that the company may have breached UK data protection law. This initial notice set the fine at £27m, but this included concerns that TikTok had processed special category data “without legal grounds to do so”.
After receiving data from TikTok, the ICO decided to not pursue the special category data findings, which reduced the fine to £12.7m. TikTok now has 28 days to appeal against the scale of the fine, the BBC reports.
Mark James, a data privacy consultant with data privacy company DQM GRC, said the fine shows that privacy and security concerns related to apps are a “growing issue for regulators and governments around the world”.
“This incident, along with other high-profile data breaches and misuses, highlights the need for companies to take strong measures to protect user data and prevent unauthorised access,” James said.
“At the same time, regulators and policymakers may use the incident as a basis for introducing new regulations or guidelines for app developers and digital service providers.”
The EU is in the process of bringing a new landmark bill into force called the Digital Services Act. This act sets out to make the internet safer with new rules for all digital services, from social media platforms to search engines to online marketplaces and more.
All eyes on TikTok
The decision marks another blow for the video platform, which is under scrutiny by multiple governments over security and privacy concerns.
As TikTok is owned by Chinese company ByteDance, multiple countries have raised concerns about its connections with the Chinese government and whether it could access user data.
Earlier today (4 April), Australia become the latest country to ban TikTok on all federal devices amid these growing security concerns.
The US has also banned TikTok on all government devices, with similar moves made in the EU, the UK, Canada and New Zealand.
TikTok also faces the threat of a full ban in the US if parent company ByteDance doesn’t sell its shares in the US version of the app.
Less than two weeks ago, TikTok CEO Shou Zi Chew was grilled by a bipartisan committee over a five-hour period on the social media giant’s practices while the US, which is home to 150m TikTok users, considers whether it should ban the app.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.