The Irish Data Protection Commission (DPC) has announced today its decision to issue a fine of €345 million (equivalent to approximately $368 million) to TikTok due to failures under GDPR when processing the personal data of child users of the platform. The inquiry, which was focused on the time between 31 July and 31 December 2020, looked at TikTok's obligations under GDPR in the context of:
- Certain TikTok platform settings, including public-by-default settings as well as the settings associated with the "Family Pairing" feature; and
- Age verification as part of the registration process
The final decision by the European Data Protection Board across the EU was adopted on 2 August 2023, and further findings were to be included in the DPC's draft decision leading to not just the fine, but a reprimand and an order for TikTok to bring its processing into compliance within 3 months of notification of the decision.
A graphic showing the full summary of the findings is shown below, as provided by the DPC, with a breakdown of exactly where TikTok was found to be in breach of the requirements of the GDPR.
Primarily, it focused on how the age-verification feature was not sufficient to prevent users from accessing the platform by inputting false information to bypass the check, as well as failings with the "Family Pairing" feature that would give options to disable some of the Direct Message protections for over 16-year-olds.
This isn't the first time that TikTok has been slapped with a GDPR-related fine from the EU relating to children's privacy on the platform, having been issued a €750,000 fine in 2021 for a similar subject by the Dutch Data Protection Authority, which primarily related to offering privacy and usage policies only in English and not in member states' native languages.