TikTok fined £296 million by Ireland watchdog over how it processed children’s data

TikTok has been fined £296 million (€345m) by a watchdog in Ireland following an investigation into how the app processed children’s data.

The Data Protection Commission (DPC) examined the social media platform’s privacy settings and age verification processes between 31 July and 31 December 2020, concluding this September that it had committed multiple breaches of the European Union’s (EU) General Data Protection Regulation (GDPR) rules.

One of the issues it found were that users aged between the age of 13 and 17 were steered through the sign-up process in a way that resulted in their accounts being set to public by default. This meant their videos could be viewed by any user of any age - and anyone could contact them.

The probe also discovered that, as part of TikTok’s Family Pairing feature, a child user’s accounts could be “paired” with a ‘non-child’s - but that there was no verification process to ensure this adult was a parent or guardian. This adult then had the power to enable direct messages for children over the age of 16, which allowed the app’s safety and privacy features to become less strict for the child user.

The DPC concluded that these had all been breaches of the EU’s GDPR rules, leading to a fine of £296 million (€345m) for TikTok Technology Limited (TTL). The watchdog also ruled that TikTok, which has a minimum user age of 13, did not properly take into account the risks posed to underage users who managed to gain access to the platform.

A spokesperson for Tiktok said: “We respectfully disagree with the decision, particularly the level of the fine imposed. The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began - such as setting all under-16 accounts to private by default.”

The DPC, which adopted its final decision regarding its inquiry into TTL on 1 September, urged the organisation to ensure that its processing is compliant with the EU’s data protection regulations.

This is just the latest in a series of fines handed out by the DPC in Ireland to social media giants.

In January, Facebook’s parent company Meta Ireland was fined £335 million (€390m) for breaches of the European Union’s data privacy rules. It was fined £180 million (€210m) for violations involving Facebook and an additional £155 million (€180m) for breaches involving Instagram.

Around the same time, WhatsApp was fined more than £3.4 million (€5m) over data protection breaches, and in 2022, Instagram received a separate fine of £348 million (€405m) over the way it handled teenagers’ personal data.

Earlier this year in the UK, the Information Commissioner’s Office fined TikTok more than £12 million because it “did not do enough” to make sure underage children were not using its platform.