• The UK's Information Commissioner's Office ("ICO") has fined TikTok Information Technologies UK Limited and TikTok Inc ("TikTok") £12.7 million for breaching the UK GDPR, in particular for failing to protect children's privacy.
• The ICO had previously issued a notice of intent to fine TikTok £27 million for various data protection law breaches between May 2018 and July 2020.
• TikTok's infringement related to a failure to gain appropriate parental consent for children under the age of 13 using its services, not sufficiently explaining its purposes of processing, and not processing data in a lawful, fair and transparent manner.
• A lower fine was applied because the ICO decided not to pursue a finding related to the unlawful use of special category data; however, the fine is still the third highest the ICO has levied.

Background

In September 2022, the ICO published a notice of intent to TikTok that it could face a £27 million fine for infringing UK data protection law and failing to protect children's privacy for a number of non-compliant activities from 2018 to 2020.

While the Data Protection Act 2018 sets a six-month deadline for the ICO to convert a notice of intent into a fine, that period can be extended if the ICO and the recipient agree. On this basis, some seven months later, on 4 April 2023, the ICO announced that it would be fining TikTok £12.7 million.

The investigation into TikTok occurs in a climate of increased scrutiny regarding:

• The protection of children in the digital environment, from the broader considerations of the Online Safety Bill (see our blog here) to those in the data protection space: at the time of the notice of intent, the ICO indicated that it was analysing over 50 online service providers and their compliance with the ICO's Children's code (or "Age appropriate design code", to give it its formal title), with six active investigations into potentially non-compliant companies.
• TikTok's conduct generally in relation to data protection and privacy compliance: the platform has been sanctioned by the Dutch Data Protection Authority for failing to provide its privacy notice in Dutch and fined by the Turkish Personal Data Protection Board for failing to sufficiently protect user data from unlawful processing, amongst other investigations by various regulatory bodies.

The ICO's decision

The fine issued to TikTok, while less than the £27 million that would have been the highest ever issued by the UK data regulator, is at £12.7 million still the third highest issued to date (behind the British Airways and Marriott fines; see our blog posts here and here).

The ICO explained that it imposed a fine on the platform on the basis of several violations of the UK GDPR, namely: (i) failing to gain the appropriate parental authorisation for children under the age of 13, in contravention of Articles 8 and 6(1); (ii) not explaining to its users (notably children) the extent and purpose of the processing of their personal data in a way that is easy to understand, in breach of Article 12; and (iii) not processing data in a lawful, fair and transparent manner, as required by Article 5(1)(a).

The ICO highlighted that, despite TikTok's own terms of service preventing children under the age of 13 from using its services, up to 1.4 million did so, with TikTok then failing to do enough to ensure parental consent had been obtained on those children's behalf. Indeed, UK data protection legislation emphasises that a controller should make reasonable efforts to verify that consent is given by the holder of parental responsibility, and the ICO investigation notes that TikTok stakeholders were internally aware of the issue of children under 13 years old using the platform.

This lack of verification, combined with the limited transparency, in the context of processing personal data in a way that might increase the risk of delivering targeted harmful content to vulnerable individuals, can be seen as the driving force behind the level of the fine.

Although the ICO investigated TikTok's processing of special category data, on the basis of representations received from TikTok it decided against pursuing that provisional finding, which reduced the level of the sanction from the £27 million set out in the notice of intent.

What is next?

While below what was initially communicated, the level of the fine highlights the seriousness with which the ICO approaches UK GDPR enforcement, particularly where aggravating factors are involved.

Since the start of the period that was the subject of the investigation, the ICO has published the Children's code and, while a violation of the code does not in itself expose an entity to legal proceedings, its expectations should be treated as effective risk mitigation and compliance practices, such as enforcing age restriction policies.

For TikTok, this sanction is not the end of the road, with other action being taken against it, such as the filing of two class actions in Portugal, valued at €1.1 billion, in relation to various breaches of the law, including in relation to data privacy.
