The Irish Data Protection Commission (DPC) slapped TikTok with a €345 million (about $368 million) fine for violating the European Union’s General Data Protection Regulation (GDPR) in relation to its handling of children’s data.
The investigation, initiated in September 2021, examined how the popular short-form video platform processed personal data relating to child users (those between the ages of 13 and 17) between July 31 and December 31, 2020.
Some of the major findings include –
- The content posted by child users was set to public by default, allowing any individual (with or without TikTok) to view the material and exposing those users to additional risks
- A failure to provide transparency information to child users
- The implementation of dark patterns to steer users towards opting for privacy-intrusive options during the registration process, and when posting videos
- A weakness in the Family Sharing setting that allowed any non-child user (someone who could not be verified as the child's parent or guardian) to pair their account with that of a minor, which made it possible for the adult user to enable direct messages for child users above the age of 16
In addition to the financial penalty, the DPC has ordered TikTok to bring its processing mechanisms into compliance within three months.
“Social media companies have a responsibility to avoid presenting choices to users, especially children, in an unfair manner – particularly if that presentation can nudge people into making decisions that violate their privacy interests,” Anu Talus, EDPB Chair, said.