TikTok could face a £27m fine for failing to protect children’s privacy when using the platform.
The UK’s Information Commissioner’s Office (ICO) found the video-sharing platform may have processed the data of under-13s without appropriate consent.
The watchdog said the breach happened over more than two years – until July 2020 – but that it had not yet concluded. TikTok disputes the findings, noting that they are “provisional”.
The ICO has issued TikTok Inc and TikTok Information Technologies UK Limited with a “notice of intent” – a legal document which precedes a potential fine.
The notice shows the ICO’s provisional view that TikTok breached UK data protection law between May 2018 and July 2020.
According to Ofcom, 44% of the UK’s eight- to 12-year-olds use TikTok, despite its policies forbidding under-13s on the platform. Information Commissioner John Edwards said: “We all want children to be able to learn and experience the digital world, but with proper data privacy protections.
“Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement.”
TikTok has rolled out several features to strengthen the privacy and safety on the site – including allowing parents to link their accounts to their children’s and disabling direct messaging for under-16s.
But Mr Edwards continued: “I’ve been clear that our work to protect children better online involves working with organisations, but will also include enforcement action where necessary.
“In addition to this, we are currently looking into how over 50 different online services conform with the Children’s Code and have six ongoing investigations looking into companies providing digital services who haven’t, in our initial view, taken their responsibilities around child safety seriously enough.”
Rolled out in September last year, the Children’s Code put new data protection codes of practice for online services likely to be accessed by children, built on existing data protection laws, with financial penalties and a possibility of severe breaches.
The ICO said its findings in the notice were provisional, with no conclusion to be drawn at this stage that there had been any breach of data protection law.
It added: “We will carefully consider any representations from TikTok before taking a final decision.”
A TikTok spokesperson said: “This notice of intent, covering the period May 2018-July 2020, is provisional, and as the ICO itself has stated, no conclusions can be drawn at this time.
“While we respect the ICO’s role in safeguarding privacy in the UK, we disagree with the preliminary views expressed and intend to respond formally to the ICO in due course.”