TikTok received a significant financial penalty after Ireland’s data protection authority determined that the platform violated the GDPR in how it handled data from underage users.
The Data Protection Commission (DPC) released its definitive verdict on the matter last Friday. This conclusion came after an extensive examination of TikTok’s handling of minor users’ personal information spanning from July 31, 2020, to December 31, 2020.
Concerns were voiced by supervisory bodies in Italy and Berlin regarding the DPC’s initial decisions. After the European Data Protection Board (EDPB) weighed in on the matter, the Ireland DPC confirmed that TikTok had indeed violated several articles of the GDPR.
As a result of these findings, the prominent Chinese social media company must pay a hefty €345m ($368m) fine. It must also bring its data handling processes into line with the regulations within a three-month timeframe.
Delving into the specifics, the Ireland DPC’s report highlighted several areas of concern:
- Default settings on accounts belonging to minors were public, allowing both users and non-users alike to access content from these profiles.
- The platform’s “Family Pairing” feature let unverified users, who might not be parents or guardians, connect their accounts with those of underage users. Such unverified users could then activate direct messaging for users over 16, presenting what the DPC termed “significant potential dangers.”
- The platform did not give its younger users sufficiently clear information about how their data was handled.
- TikTok was criticized for using “dark patterns” that nudged users towards selections that were less privacy-conscious when setting up their profiles or uploading content.
This incident isn’t an isolated case for TikTok. Back in 2019, the platform settled with the FTC for $5.7m after allegations surfaced that it had violated the Children’s Online Privacy Protection Act (COPPA). The violation in question was its failure to obtain parental approval before collecting data from users under 13.
Furthermore, just a year ago, the UK’s Information Commissioner’s Office (ICO) declared its plans to fine TikTok £27m for not adequately safeguarding the privacy rights of its younger demographic.