23 May 2023
On April 4th, 2023, the U.K. Information Commissioner's Office (ICO) announced the imposition of a £12.7 million fine against TikTok Information Technologies UK Limited and TikTok Inc (TikTok), for breaches of the U.K. General Data Protection Regulation (UK GDPR), including failing to use children’s personal data lawfully.
Contrary to TikTok's terms of service, which declare that children under 13 years old are not allowed to create an account, the ICO estimated that up to 1.4 million U.K. children under the age of 13 were using the platform in 2020.
As per the ICO’s press release, organizations that use personal data when offering information society services to children under 13 must obtain parental consent. TikTok failed to do so.
Furthermore, the organization did not carry out adequate checks to identify and remove underage children from its platform.
Therefore, the ICO found that TikTok breached the UK GDPR between May 2018 and July 2020 by:
- Providing its services to UK children under the age of 13 and processing their personal data without consent or authorisation from their parents or carers;
- Failing to provide proper information to people using the platform about how their data is collected, used, and shared in a way that is easy to understand. Without that information, users of the platform, in particular children, were unlikely to be able to make informed choices about whether and how to engage with it; and
- Failing to ensure that the personal data belonging to its UK users was processed lawfully, fairly and transparently.
With the increased focus on data subjects and their rights, and with ongoing technological developments, the protection of minors has become a global challenge that calls for enhanced protection of their personal data. Data protection authorities are increasingly focused on the protection of minors, and this focus will grow as users produce more data. This is driving the development of national legislation in the EU and worldwide that is intended to ensure safety and reduce online harm.
Within the last couple of months, we have come across numerous lawsuits, complaints and onerous fines concerning the inadequate protection of children’s data.
Given this landscape, Privacy Minders can assist your organization in developing an Action Plan specifically addressing Children’s Data.