How can we help?


TikTok is fined £12.7 million by the ICO for failing to safeguard children’s data

The popular social networking app TikTok, which allows users to record and share short videos, was fined £12.7 million on 4 April 2023 by the Information Commissioner’s Office (ICO) for breaching data protection laws.

What laws did TikTok breach?

  • Parental consent

Under article 8 of the UK General Data Protection Regulation (UK GDPR), an organisation must have parental consent if it wishes to use personal data when providing information society services to children under 13.  TikTok was accused of exploiting these regulations by using children’s personal information without their parents’ consent during the period between May 2018 to July 2020. The networking app allowed up to 1.4 million UK children under the age of 13 to use its platform, notwithstanding that its terms and conditions specify 13 as the minimum age to register an account.  It was later discovered that, at the time, TikTok’s systems were insufficient to enforce this age restriction.

  • Transparent information

Article 12 of the UK GDPR states that individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under UK law. For example, an organisation must disclose to the individual: the reasons why their personal information is being processed; how long that information will be kept; and who it will be shared with. Consequently, TikTok breached article 12 of the UK GDPR because it did not adequately inform its users of how their data was being gathered, used, and shared.  As a result, users were not able to make informed decisions, particularly those under the age of 13, which was a fundamental breach.

  • Unlawful processing

Taking into the account the above, TikTok breached a key principle of the UK GDPR under article 5(1)(a) for the unlawful processing of children’s personal data in an unfair and untransparent way.

These findings were concluded by the ICO as a result of its extensive investigation into TikTok.

TikTok breached article 12 of the UK GDPR because it did not adequately inform its users of how their data was being gathered, used, and shared.

The ICO investigation

The ICO alleged that the app’s efforts to identify and ban users who were underage fell short.  Workers of TikTok reportedly expressed worries to senior staff about the lack of underage profiles that were being removed.  Thus, TikTok may have used children’s data to track and profile them, potentially exposing children to dangerous or inappropriate content.  Mr John Edwards from the UK Information Commissioners Office said “all that was required was a self-certification that the applicant was over 13, by clicking a box with no verification, with no extra checks. We understand that there are now significantly more checks and balances in place to detect that kind of thing.” He also added “there are laws in place to make sure our children are as safe in the digital world as they are in the physical world. TikTok did not abide by those laws”.

Although a representative for TikTok said the company disagrees with the ICO’s decision, TikTok is grateful that the fine has been reduced by over half.  This is because the original ICO notice of intent for TikTok in September 2022 suggested the fine should be up near £27 million. However, after considering TikTok’s arguments, the ICO decided against pursuing the initial finding of “improper use of special category data”, which subsequently decreased the fine to £12.7 million.

Codes of Conduct

As the investigation of TikTok came to a close, the ICO released the ‘Children’s code’ in order to better safeguard children in the digital world.  The Children’s code is a legal framework that sets out fifteen standards of conduct for online services that are likely to be utilised by minors. These include: websites, smart device apps, video sites, streaming platforms, games sites and social networking platforms. It is envisaged that, through effective compliance and governance, these standards will work as an aid in decreasing violations of the data protection laws surrounding children.

For more information on the data protection legislation or if you require advice or an audit as to whether your business currently meets UK GDPR standards, please feel free to contact a member of the Data Protection Lawyers.

About this article

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

  • 10 April 2024
  • Employment

New Guidance: Confidence to Recruit

The new Government guide in collaboration with the CIPD aims to give employers the confidence to recruit its workforce from a wider range of people including those who may have been overlooked in the past as a problem rather than an asset.

  • 03 April 2024
  • Employment

FAQ’s on the new Carer’s Leave Act

Beginning on 6 April 2024, the Carer’s Leave Act comes into force, meaning carers are now entitled to request 1 week’s unpaid leave to care for their dependants.

  • 26 March 2024
  • Employment

Navigating Neuroinclusion: A Guide for Employers

Over the past few years, we have seen a marked rise in awareness of neurodiversity, as well as campaigns for awareness and inclusion in the workplace for neurodiverse employees.

  • 21 March 2024
  • Employment

TUPE Podcast Series: Who Transfers?

In this fifth podcast in our TUPE Podcast Series, Amanda Glover will be focusing on ‘who transfers’ under TUPE. Looking at the definition of ‘employee’ under TUPE legislation and the tests that apply in deciding if those employees transfer.

  • 20 March 2024
  • Employment

Changes to Employment Laws from April 2024 – are you ready?

There’s a large number of employment law changes coming in April which are set to shake up the workplace. It’s crucial for employers to stay informed and prepared.

  • 19 March 2024
  • Employment

Instant Messaging in the Workplace: Factors to be aware of

Workplaces have changed beyond recognition in the four years since the first COVID-19 lockdowns. This anniversary represents an opportunity to look back at how workplaces have changed in that period, from the increased use of flexible and hybrid working, to the continuing and significant integration of more technology in office-based work.