On April 4, 2023, the data protection regulator of the UK, the Information Commissioner’s Office (ICO), issued a fine of £12.7 million to TikTok Information Technologies UK Limited and TikTok Inc (together, “TikTok”) for a number of breaches of UK data protection law, including failing to use children’s personal data lawfully.
In summary, the ICO found that TikTok breached the UK GDPR between May 2018 and July 2020 by:
- providing its services (i.e., an information society service) to UK children under the age of 13 and processing their personal data without consent or authorization from their parents or carers;
- failing to inform users of the platform about how their data is collected, used and shared in a way that is easy to understand, meaning users of the platform, in particular children, were unlikely to be able to make informed choices about whether and how to engage with it; and
- failing to ensure that the personal data of its users was processed lawfully, fairly and in a transparent manner.
The UK Information Commissioner, John Edwards, stated that “TikTok should have known better. TikTok should have done better. Our £12.7m fine reflects the serious impact their failures may have had. They did not do enough to check who was using their platform or take sufficient action to remove the underage children that were using their platform.”
This fine follows the initial notice of intent which was issued to TikTok in September 2022 for a fine of £27 million. The fine was reduced following representations from TikTok to the ICO which resulted in the ICO not pursuing the earlier finding related to unlawful use of special category data.