The European Union’s Irish Data Protection Commission (DPC) has imposed a staggering fine of €345 million (equivalent to $368 million) on TikTok, citing violations of the General Data Protection Regulation (GDPR) concerning the treatment of data from underage users.
The inquiry, launched in September 2021, delved into the methods TikTok employed to handle the personal information of young users aged 13 to 17 from July to December 2020.
Key findings from the investigation revealed:
- By default, videos uploaded by underage users were public, making them viewable to anyone, with or without a TikTok account, thus raising safety concerns.
- TikTok’s failure to provide clear information to these young users.
- The introduction of “dark patterns” during registration, nudging users to select options that compromise their privacy while uploading content.
- Flaws in the Family Sharing feature that potentially let non-guardian adults link their accounts to that of a minor, facilitating the activation of direct messaging for users older than 16.
Beyond the monetary penalty, the DPC has instructed TikTok to rectify its data-processing methods within a 90-day timeframe.
Anu Talus, Chair of the European Data Protection Board (EDPB), commented, “Digital platforms must ensure that they present choices, especially to the young audience, in a fair and balanced way. Any engagement that can subtly influence people into making privacy-compromising decisions should be avoided.”
TikTok, in its official response, expressed disagreement with the DPC’s conclusions. The platform emphasized that the points of criticism were associated with features and configurations that existed three years prior and have since been revised, particularly setting accounts of users under 16 to a default private status. It remains unclear if TikTok plans to contest the judgment.
The platform further announced the introduction of an enhanced account setup process for new users aged 16 and 17, presetting their profiles to private. Presently, TikTok boasts approximately 134 million active users monthly within the E.U.
This isn’t TikTok’s first brush with data privacy issues. Earlier, in January 2023, France’s data protection authority imposed a fine of €5 million (around $5.4 million) for violating cookie consent protocols and complicating the opt-out process.
This update follows closely on the heels of recent news from California, where Google consented to pay $93 million to settle allegations of infringing upon the state’s consumer protection statutes, specifically by capturing users’ location data for targeted advertising without obtaining proper consent.