ICO investigating online platforms and the importance of having a good privacy notice

The ICO has recently reported that it is investigating how social media and video sharing platforms use UK children’s personal information. In particular, it focuses on Tik Tok, Reddit and Imgur.  It says that it is looking into:

• How Tik Tok uses personal information of 13–17-year-olds in the UK to make recommendations to them and deliver suggested content to their feeds
• How Reddit and Imgur assess the age of their child UK users

It says that the investigations are part of its efforts to ensure companies are designing digital services that protect children.

This is not the first time Tik Tok has been investigated by the ICO.  In 2023, it was fined £12.7 million for misusing children’s data.  In that instance, the ICO found that TikTok breached the UK General Data Protection Regulation (UK GDPR) between May 2018 and July 2020 by:

• Providing its services to UK children under the age of 13 and processing their personal data without consent or authorisation from their parents or carers;
• Failing to provide proper information to people using the platform about how their data is collected, used, and shared in a way that is easy to understand. Without that information, users of the platform, in particular children, were unlikely to be able to make informed choices about whether and how to engage with it; and
• Failing to ensure that the personal data belonging to its UK users was processed lawfully, fairly and in a transparent manner.

As part of its investigation, the ICO found that Tik Tok’s privacy policies were not adequate.  This was for a variety of reason including:

• The language used was not clear or plain and so information was not conveyed in a lawful and appropriate manner
• They did not provide contact details for the Data Protection Officer
• They failed to provide sufficient information to clearly identify and link the specified category of personal data, the purpose of the specified processing operation and the legal basis being relied upon
• They failed to provide sufficient information on the legitimate interests being relied upon
• They failed to provide a sufficient level of detail as to the extent to which personal data was being provided to third party recipients and the identity of those recipients – for example they referred to ‘business partners’ ‘advertisers and advertising networks’ and ‘analytics and search engine provider’s which were deemed insufficient
• They failed to specify clearly which jurisdictions personal data would be transferred to
• They did not provide sufficient detail what information is retained, why and for how long
• Although they set out data subjects rights and the right to withdraw consent, the failure to adequately identify the legal basis being relied upon meant that data subjects could not assess when rights applied and resulted in a lack of clarity

This case was a stark reminder of how important privacy notices are and organisations who have not reviewed their policies recently should ensure they do so.  We have expert lawyers who can assist you in drafting or amending your privacy notice to assist you with compliance.

At this stage, it’s important to flag that Tik Tok, Reddit and Imgur have not been found to have committed any infringement in relation to the ICO’s recent investigations, but this announcement demonstrates the ICO’s focus on tackling these areas.

We regularly advise organisations on their data protection obligations and breach reporting obligations. Please do not hesitate to contact our Data Protection lawyers who would be happy to help.