- 12 April 2023
- Privacy and Data Protection
The popular social networking app TikTok, which allows users to record and share short videos, was fined £12.7 million on 4 April 2023 by the Information Commissioner’s Office (ICO) for breaching data protection laws.
What laws did TikTok breach?
Under article 8 of the UK General Data Protection Regulation (UK GDPR), an organisation must have parental consent if it wishes to use personal data when providing information society services to children under 13. TikTok was accused of exploiting these regulations by using children’s personal information without their parents’ consent during the period between May 2018 to July 2020. The networking app allowed up to 1.4 million UK children under the age of 13 to use its platform, notwithstanding that its terms and conditions specify 13 as the minimum age to register an account. It was later discovered that, at the time, TikTok’s systems were insufficient to enforce this age restriction.
Article 12 of the UK GDPR states that individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under UK law. For example, an organisation must disclose to the individual: the reasons why their personal information is being processed; how long that information will be kept; and who it will be shared with. Consequently, TikTok breached article 12 of the UK GDPR because it did not adequately inform its users of how their data was being gathered, used, and shared. As a result, users were not able to make informed decisions, particularly those under the age of 13, which was a fundamental breach.
Taking into the account the above, TikTok breached a key principle of the UK GDPR under article 5(1)(a) for the unlawful processing of children’s personal data in an unfair and untransparent way.
These findings were concluded by the ICO as a result of its extensive investigation into TikTok.
TikTok breached article 12 of the UK GDPR because it did not adequately inform its users of how their data was being gathered, used, and shared.
The ICO investigation
The ICO alleged that the app’s efforts to identify and ban users who were underage fell short. Workers of TikTok reportedly expressed worries to senior staff about the lack of underage profiles that were being removed. Thus, TikTok may have used children’s data to track and profile them, potentially exposing children to dangerous or inappropriate content. Mr John Edwards from the UK Information Commissioners Office said “all that was required was a self-certification that the applicant was over 13, by clicking a box with no verification, with no extra checks. We understand that there are now significantly more checks and balances in place to detect that kind of thing.” He also added “there are laws in place to make sure our children are as safe in the digital world as they are in the physical world. TikTok did not abide by those laws”.
Although a representative for TikTok said the company disagrees with the ICO’s decision, TikTok is grateful that the fine has been reduced by over half. This is because the original ICO notice of intent for TikTok in September 2022 suggested the fine should be up near £27 million. However, after considering TikTok’s arguments, the ICO decided against pursuing the initial finding of “improper use of special category data”, which subsequently decreased the fine to £12.7 million.
Codes of Conduct
As the investigation of TikTok came to a close, the ICO released the ‘Children’s code’ in order to better safeguard children in the digital world. The Children’s code is a legal framework that sets out fifteen standards of conduct for online services that are likely to be utilised by minors. These include: websites, smart device apps, video sites, streaming platforms, games sites and social networking platforms. It is envisaged that, through effective compliance and governance, these standards will work as an aid in decreasing violations of the data protection laws surrounding children.
For more information on the data protection legislation or if you require advice or an audit as to whether your business currently meets UK GDPR standards, please feel free to contact a member of the Data Protection team.
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
Read, listen and watch our latest insights
- 29 November 2023
How will the Autumn Statement 2023 affect the Construction Industry?
On 22 November 2023 Parliament was presented with the Chancellor’s Autumn Statement.
- 28 November 2023
The risk of insolvency with equal pay claims: how can you avoid them?
Even though the law states that everyone should be paid equally for work of comparable value, this does not always happen in practice.
- 16 November 2023
TUPE Podcast Series: Service Provision Changes – Single specific events or tasks of short duration
In this fourth podcast in our TUPE Podcast Series, Amanda Glover will be looking at the second of the three conditions required for a service provision change transfer..
- 15 November 2023
Employment law changes on the horizon
There has been a few recent announcements relating to employment law reforms, which could be significant for businesses, and is considered below.
- 31 October 2023
The Whistleblowing Wraith – a Halloween Horror
A short reminder of the horrors that whistleblowing can bring, do not ignore them, as like the wraith, it can be devastating.