ICO announces intention to fine TikTok regarding the processing of Children’s data

On 26 September 2022, the UK Information Commissioner’s Office (ICO) released a statement confirming that it had issued a notice to impose a £27 million fine on TikTok Inc. and TikTok Information Technologies UK Limited (collectively known as TikTok), for its failure to protect the privacy and data of children.

December 2022

The notice of intent to fine follows an investigation by the ICO, which found that TikTok breached UK data protection laws between May 2018 and June 2020 by failing to protect the privacy of children when they use the TikTok platform. Specifically, the ICO identified breaches including processing the data of children under the age of 13 without obtaining parental consent, failing to provide information to TikTok users in a transparent and easy-to-understand manner, and processing special category data without an appropriate Article 9 basis or condition under the Data Protection Act 2018. These findings were made in light of Ofcom’s findings that 44% of 8 to 12-year-olds in the UK use TikTok, despite TikTok’s policies not allowing children under the age of 13 to use the platform. The notice of intent to fine stems from a wider investigation being conducted by the ICO into technology firms to ensure compliance with the Children’s Code.

Although the findings of the ICO are provisional, John Edwards, the Information Commissioner, stated that ‘Companies providing digital services have a legal duty to put [child privacy] protections in place, but the [ICO’s] provisional view is that TikTok fell short of meeting that requirement’.

Given that the ICO is using its enforcement powers to issue fines of a significant amount, and is doing so against a backdrop of ensuring technology companies comply with the Children’s Code, organisations providing digital services that are likely to be accessed by children, such as social media platforms, apps and online gaming sites, should take the time to understand their responsibilities for protecting children online and for ensuring that children do not access online platforms where this is not permitted by law.

The potential fine of £27 million falls into the highest level of penalty that can be imposed under the UK GDPR, i.e. the higher of £17.5 million or 4% of the global annual turnover of the company in question. The £27 million figure signals the ICO’s intention to take decisive action when protection of children’s privacy is at stake. The fine is provisional, and TikTok will have an opportunity to make representations to the ICO before any final decision is made.

If your organisation is processing children’s data and you would like more information on the implementation of the Children’s Code, please contact a member of our team at hello@hellodpo.co.uk.