London, UK. European regulators have imposed a hefty $368 million fine on TikTok for failing to adequately safeguard children’s privacy, marking the first time the popular short video-sharing platform has faced penalties for breaching Europe’s stringent data privacy regulations.
The fine was issued by Ireland’s Data Protection Commission, which serves as the lead privacy regulator for major tech companies with European headquarters primarily based in Dublin. The commission announced a fine of 345 million euros and a formal reprimand for TikTok’s privacy violations that date back to the second half of 2020.
The investigation revealed that TikTok’s sign-up process for teenage users resulted in default settings that made their accounts public, allowing anyone to view and comment on their videos. These default settings also posed a risk to children under the age of 13 who gained access to the platform despite being prohibited.
Additionally, the “family pairing” feature, designed for parents to manage settings, was found to be inadequately strict. It allowed adults to enable direct messaging for users aged 16 and 17 without their explicit consent. Furthermore, it steered teenage users toward more “privacy-intrusive” options during the registration and video posting process, according to the regulatory watchdog.
In response to the fine, TikTok issued a statement expressing its disagreement with the decision, particularly the severity of the fine imposed. The company emphasized that many of the regulator’s criticisms pertained to features and settings that had been modified prior to the investigation’s commencement in September 2021. TikTok had already made significant changes, including setting all accounts for users under 16 to private by default and disabling direct messaging for those aged 13 to 15.
Elaine Fox, TikTok’s head of privacy for Europe, stated in a blog post, “Most of the decision’s criticisms are no longer relevant as a result of measures we introduced at the start of 2021 — several months before the investigation began.”
The Irish regulator had previously faced criticism for the perceived delay in its investigations into major tech companies since the European Union’s stringent privacy laws came into effect in 2018. In the case of TikTok, objections from German and Italian regulators regarding aspects of a draft decision issued a year ago further extended the process.
To address such issues and streamline enforcement, the European Union’s headquarters in Brussels has taken on the responsibility of enforcing new regulations aimed at promoting digital competition and regulating social media content. These rules are designed to maintain the EU’s position as a global leader in tech regulation.
In response to initial German objections, the European Data Protection Board, the EU’s top panel of data regulators, noted that TikTok used pop-up notices to inform teen users but failed to present their choices in a neutral and objective manner. Anu Talus, chair of the European Data Protection Board, emphasized that social media companies have a responsibility to ensure fair presentations of choices, especially for children.
While the Irish regulator did not find any rule violations in TikTok’s measures to verify users’ ages (at least 13 years old), it is currently conducting a separate investigation into whether TikTok complied with the EU’s General Data Protection Regulation when transferring user data to China, where its parent company, ByteDance, is headquartered.
TikTok has faced concerns regarding data security, with fears that sensitive user information could be accessed in China. In response, TikTok has initiated a project to localize European user data, including the recent opening of a data center in Dublin, the first of three planned on the continent.
The UK’s data privacy regulators, having left the EU in January 2020, previously fined TikTok £12.7 million ($15.7 million) in April for misuse of children’s data and violations of other protections related to young users’ personal information. Other major tech companies, including Instagram, WhatsApp, and their parent company Meta, have also incurred substantial fines from the Irish regulator over the past year.
Carlo Juancho FuntanillaFrontend Developer, WordPress, Shopify
Contributing Editor
AMA ACLC San Pablo
