TikTok’s $368 Million Penalty for Child Privacy Violations
The Irish Data Protection Commission (DPC) has announced that it has reached a final decision in its inquiry into TikTok. It imposed a financial penalty of €345 million ($368 million) over the alleged violations of the EU’s General Data Protection Regulation (GDPR). The inquiry examined TikTok’s privacy configurations for child users, age group, and transparency details for kids. TikTok was determined to have violated 8 articles of the GDPR from 31 July 2020 to 31 December 2020.
Throughout that period, TikTok’s privacy configurations included public-by-default options for child platform users, meaning that all information published by children 13 to 17 years old was visible on the web to anyone by default, including people who were not members of the platform. The family partnering feature, which permits parents and guardians to connect parent and child accounts, was determined to be defective: it permitted adult users who could not confirm their parent or guardian status to match their account with those of users 16 years old or older. That meant that an adult user could allow a child user to receive direct messages, exposing the child to substantial dangers. TikTok was likewise found not to have offered enough transparency concerning the use of the platform by youngsters, which made it hard for child users to be aware of TikTok’s privacy settings, and to have used ‘dark patterns’ to drive them into choosing configurations on the platform that lowered privacy defenses.
The DPC put forward its draft judgement to all other pertinent supervisory agencies (SAs) in other EU states, and the recommended results were largely accepted, though objections were raised by the SAs in Berlin and Italy. The Berlin SA wanted an extra violation added to the judgement: Article 5(1)(a), which pertains to the GDPR rule of fairness, concerning ‘dark patterns.’ The SA in Italy wanted to reverse the DPC’s judgement that TikTok complied with Article 25 of the GDPR with regard to TikTok’s age confirmation procedures.
TikTok users should be above 13 years old, which is confirmed during sign-up, where users need to type in their birth date to make an account. The DPC discovered that kids below 13 years old who obtained access to the system by being dishonest about their age would likewise have had their content open to the public automatically, exposing them to a number of possible risks; nevertheless, it did not find that the age confirmation checks violated the GDPR.
Consensus could not be reached with all SAs on these objections, so the matter was forwarded to the European Data Protection Board (EDPB), which found a violation of Article 5(1)(a) as per the Berlin SA’s objection. Italy, however, was not successful in its effort to have the DPC’s judgement reversed with regard to age confirmation. The EDPB didn’t have enough evidence available to effectively evaluate whether the age confirmation specifications violated the GDPR, but agreed with the DPC’s judgement that people below 13 years old who acquired access to the system were exposed to a number of likely risks.
Social media businesses are responsible for not presenting options to users, particularly children, in an unreasonable way, especially if that presentation could move individuals into making choices that go against their privacy interests.
The final decision involves the violation of Articles 5(1)(a), 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1), and 13(1)(e) of the GDPR. Under the powers available to the DPC, TikTok was given a reprimand and an order to bring its data processing into compliance with the GDPR within 3 months of the decision date, and must pay administrative penalties of €345 million.
This is not the first penalty to be imposed on TikTok for GDPR violations. In January 2023, the data protection authority in France (CNIL) fined TikTok €5 million ($5.33 million) for not giving users of the platform enough details regarding how cookies were employed, and for making it difficult for end users to opt out.