TikTok facing $29M fine over U.K. children’s privacy violations

An investigation opened by the Information Commissioner’s Office (ICO) in 2019 found the company might have breached the U.K.’s version of the General Data Protection Regulation (GDPR) regarding privacy protections for children using TikTok between May 2018 and July 2020, the regulator announced Monday.

The ICO issued TikTok’s U.K. subsidiary and parent company with a “notice of intent,” a provisional warning informing them it believes the platform might have processed the data of children under the age of 13 without appropriate parental consent and failed to provide users with concise, transparent information that could be easily understood.

The ICO also believes TikTok processed “special category data,” which can include sensitive personal information regarding ethnic and racial origin, sexual orientation, political opinions, and health data, without legal grounds to do so.

TikTok can make representations to the regulator before it reaches a final decision, which could take place any time within the next six months.

“This notice of intent is provisional, and as the ICO itself has stated, no final conclusions can be drawn at this time,” said TikTok in a statement. “While we respect the ICO’s role in safeguarding privacy in the U.K., we disagree with the preliminary views expressed and intend to formally respond to the ICO in due course.”

The ICO has been at the forefront of safeguarding children’s data online and trying to prevent online harm to youths.

In 2020, it launched its Children’s Code, a best practices guide to help companies providing online services likely to be accessed by children—such as apps, online games, and web and social media sites—better understand ways to limit data collection, retention, and sharing while maximizing privacy and transparency.

The ICO is looking into how more than 50 different online services are conforming with the code. It has six ongoing investigations into companies that haven’t, in the regulator’s initial view, taken their responsibilities around child safety seriously enough, said Information Commissioner John Edwards.

Earlier this month, Instagram was hit with a record fine of 405 million euros (then-U.S. $405 million) by the Irish Data Protection Commission for failing to keep teenage users’ data private in line with the European Union’s GDPR.

Making representations to the ICO to reduce initially proposed penalties has worked on previous GDPR final decisions issued in the United Kingdom.

Fines against British Airways and hotel chain Marriott International finalized in October 2020 were significantly reduced from their intended figures—each by more than 80 percent—partly because of the effects of the Covid-19 pandemic. In May, facial image aggregator Clearview AI saw its proposed fine cut by more than half, from £17 million (then-U.S. $22.6 million) to about £7.5 million (then-U.S. $9.4 million).

Pharmacy Doorstep Dispensaree had its fine cut by around two-thirds on appeal by a tribunal judge after the company successfully argued the penalty for a data breach was disproportionately high because the ICO had overestimated how many people might have been at risk.