ICO fined TikTok 12.7M GBP over misuse of children's data

23 May 2023

On April 4th, 2023, the U.K. Information Commissioner's Office (ICO) announced the imposition of a £12.7 million fine against TikTok Information Technologies UK Limited and TikTok Inc (TikTok), for breaches of the U.K. General Data Protection Regulation (UK GDPR), including failing to use children’s personal data lawfully.

Contrary to TikTok's terms of service which declare that children under 13 years old are not allowed to create an account, the ICO estimated that up to 1.4 million U.K. children under the age of 13 were using the platform in 2020.

As per the ICO’s press release, organizations that use personal data when offering information society services to children under 13, must obtain parental consent. TikTok failed to do so.
Furthermore, the organization did not to carry out adequate checks to identify and remove underage children from its platform.
Therefore, the ICO found that TikTok breached the UK GDPR between May 2018 and July 2020 by:

  • Providing its services to UK children under the age of 13 and processing their personal data without consent or authorisation from their parents or carers;
  • Failing to provide proper information to people using the platform about how their data is collected, used, and shared in a way that is easy to understand. Without that information, users of the platform, in particular children, were unlikely to be able to make informed choices about whether and how to engage with it; and
  • Failing to ensure that the personal data belonging to its UK users was processed lawfully, fairly and transparently.

Through the increased focus on data subjects and their rights as well as through the technological developments, the protection of minors becomes a global challenge necessitating enhanced protection of their personal data. Data protection authorities are increasingly focused on the protection of minors and this will increase as users produce more data. This leads to the development of national legislation in the EU and worldwide that is intended to ensure safety and reduce online harm.

Within the last couple of months, we have come across numerous lawsuits, complaints and onerous fines, concerning the inadequate protection of children’s data.

Given this landscape, Privacy Minders can assist your organization in developing an Action Plan specifically addressing Children’s Data.


GDPR Success: Commissioner fines newspaper for disclosing Turkish Cypriot property holders
Navigating the Digital Advertising Landscape: Latest Developments and Strategies for Success
Ireland’s DPC imposes a record GDPR fine of €1.2 billion for Meta's EU-U.S. data transfers
MEPs rejected the EU- U.S. Data Privacy Framework
Larnaca, Cyprus

32 Konstantinou Paleologou Street,
The Square, 2nd Floor,
6036 Larnaca, Cyprus

London, United Kingdom

71-75 Shelton Street
London WC2H 9JQ
United Kingdom

Get in touch

Tel: +357 99 470 484
Email: info@privacyminders.com

Click here to Subscribe