No company would want to be publicly shamed for misusing the data of over a million children, but that’s where TikTok finds itself today after the U.K.’s Information Commissioner’s Office whacked it with a £12.7 million ($15.9 million) fine.
TikTok has a minimum age limit of 13, which is in line with U.K. data protection law, but the privacy watchdog said it nonetheless had as many as 1.4 million British kids below that age on its platform in 2020. Because it failed to get parental consent for processing their data, that means it did so illegally.
“There are laws in place to make sure our children are as safe in the digital world as they are in the physical world. TikTok did not abide by those laws,” said Information Commissioner John Edwards. “As a consequence, an estimated one million under 13s were inappropriately granted access to the platform, with TikTok collecting and using their personal data. That means that their data may have been used to track them and profile them, potentially delivering harmful, inappropriate content at their very next scroll.”
This is the third-biggest fine ever issued by the British privacy watchdog—British Airways had to pay £20 million and Marriott Hotels £18.4 million in 2020 and 2018 respectively, both for major security breaches—and Edwards was clear that the amount “reflects the serious impact [TikTok’s] failures may have had.”
TikTok is adamant that the Information Commissioner’s Office got this one wrong, saying it invests “heavily to help keep under 13s off the platform”—my emphasis to highlight TikTok’s implicit admission that it can’t fully meet that legal obligation. However, we can expect more of the same in the not-too-distant future. The Irish privacy regulator decided last year that TikTok deserved a fine for its handling of underage users’ data, and will make the penalty official once it’s finished consulting with its EU peers on the amount.
France already fined TikTok €5 million earlier this year over an unrelated issue about cookie consent, but there’s a difference between such bog-standard privacy violations and those involving millions of children. Kids’ data is an emotive subject, and all this couldn’t be coming at a worse time for TikTok.
TikTok is already on graphene-thin ice across Western countries, which is why CEO Shou Zhi has been racing around trying to convince the U.S. Congress and the European Commission that his company means well and is listening to everyone’s concerns about everything from privacy to online addiction to national security.
So far, he’s not been successful. Australia just became the last member of the “Five Eyes” intelligence-sharing alliance (the other four are the U.S., the U.K., Canada, and New Zealand) to ban TikTok from official devices. The EU’s Brussels institutions have a similar ban in place. And a couple of weeks ago, a cross-party group of British lawmakers asked the information commissioner to investigate whether TikTok’s handling of data was legal—particularly given the potential for employees in China to access British users’ data.
It may be the case that no one has proven Beijing can plug into TikTok’s data troves, but the suspicion won’t go away and, with the temperature this high, it really doesn’t help TikTok’s case to be nailed over the illegal mishandling of children’s information.
Want to send thoughts or suggestions to Data Sheet? Drop a line here.
David Meyer
Data Sheet’s daily news section was written and curated by Andrea Guzman.