Contact Our Commercial Lawyer Today
If you need legal advice regarding GDPR and data protection laws, please contact our Commercial and Technology lawyers on:
Yesterday the ICO issued a £12.7M fine to TikTok for misusing children’s data, and we consider the wider implications.
The Information Commissioner’s Office (ICO) has fined Information Technologies UK Limited and TikTok Inc (TikTok) £12.7m for several breaches of data protection law, including failing to use children’s personal data lawfully.
The fine is half what the ICO had notified TikTok it might issue (circa £27m); the fine was reduced as the ICO decided not to pursue the unlawful use of special categories of data.
The ICO (the UK’s data protection regulatory body) has estimated that TikTok has allowed up to 1.4 million children within the UK under the age of 13 access to use its platform since 2020, in breach of its own terms prohibiting children of such age from creating an account.
TikTok failed to obtain consent from parents or carers before using the personal data of children when providing access and use of its platform – which is a requirement under UK data protection law.
The ICO also found that TikTok had failed to carry out adequate checks to identify and remove underage children from its platform.
How did TikTok breach UK data protection law?
The ICO found that TikTok breached the UK GDPR between the period of May 2018 and July 2020:
- Providing access and use of its platform to UK children under the age of 13 and processing their personal data without consent or authorisation from their parents or carers;
- Failing to provide accurate information to people using the platform about how their data is collected, used, and shared in a way that is easy to understand. Without that information, users of the platform (particularly children) were unlikely to be able to make informed choices about whether and how to engage with it; and
- Failing to ensure that the personal data belonging to its UK users was processed lawfully, fairly and in a transparent manner.
TikTok may appeal the ICO’s findings and, if successful, may see the total value of the fine reduced. However, TikTok has been under increasing pressure from many Western governments due to concerns that personal data is shared with the Chinese government.
TikTok has been banned on government devices in the UK, US, Canada, Belgium, Denmark, New Zealand, and Taiwan, in addition to those working at the European Commission.
The fine against TikTok has also been issued amongst a changing legal landscape for online social media and other platform providers operating within the UK, with the UK Online Safety Bill due to be passed by the UK Government in 2023, which will require strict age verification processes to be in place by social media networks.
Further information about the Online Safety Bill can be found in our article 2023: A Year of Focus on Online Advertising, Influencers and Greenwashing, where we highlighted the introduction of the Online Safety Bill as an area of regulatory change within 2023.
What is the law when processing children's personal data?
Two core sources of legislation primarily govern UK data protection laws: the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).
The UK GDPR sets out prescriptive information and transparency requirements that organisations must satisfy when processing personal data.
In particular, recital 38 of the UK GDPR provides that “children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences, and safeguards concerned and their rights in relation to the processing of personal data”.
The ICO published the Children’s Code in 2020 (the Children’s Code) – a statutory code of practice aimed at organisations that provide online services, including Apps, gaming platforms, and social media platforms likely to be accessed and used by children.
The Children’s Code comprises 15 standards that must be incorporated into the design and upgrade process and development of children’s online services and products.
By complying with the Children’s Code, organisations can demonstrate that they process children’s personal data in a fair and transparent manner and, therefore, in compliance with the UK GDPR.
Further information on the Children’s Code can be found in our article Compliance With the Children’s Code for Online Services and Products and via the ICO website.