The Irish Data Protection Commission (DPC) has levied a substantial fine of €345 million ($368 million) against TikTok for violating the privacy rights of children aged 13 to 17 during the processing of their data. This extensive investigation, initiated in September 2021, scrutinized TikTok’s data practices from July 31 to December 31, 2020. The DPC found TikTok in breach of several articles of the European Union’s General Data Protection Regulation (GDPR).
Among the most alarming findings was that TikTok’s default profile settings for child user accounts exposed all posted content to public visibility, both within and outside the platform.
Another major concern arose from TikTok’s ‘Family Pairing’ feature, which allowed non-child users to link their accounts with minors aged 16 and above without proper verification. This raised serious potential risks to child users, as the non-child users gained the ability to enable Direct Messages.
Furthermore, TikTok failed to provide adequate transparency information to its young users, hindering their understanding of the platform’s data processing practices. The DPC also identified the use of “dark patterns” by TikTok, subtly guiding users toward options that compromised their privacy during registration and video posting.
In response to these critical findings, the Irish data privacy regulator imposed an administrative fine of €345 million on TikTok, along with an official reprimand. TikTok is required to align its data processing practices with regulatory standards within a strict three-month timeframe.
Anu Talus, the European Data Protection Board Chair, emphasized the responsibility of social media companies to present privacy options to users, especially children, in a fair and transparent manner. This ruling underscores the importance of safeguarding children’s data protection rights and the need for digital players to exercise caution in handling user data.