Children’s personal data: the Irish DPC fines TikTok €345M for violating the GDPR

Children’s personal data: the Irish DPC fines TikTok €345M for violating the GDPR

What you need to know


The Irish DPC fined TikTok €345M for breaching the GDPR provisions on children’s personal data.


On 1st September 2023, TikTok Technology Ltd, provider of the TikTok video sharing application, a subsidiary of the Chinese company ByteDance, was fined €345 million by the Data Protection Commission (DPC), the Irish supervisory authority. (1)

This decision is a result of the DPC investigation initiated in September 2021, covering the July-December 2020 period. The DPC identified several breaches of the General Data Protection Regulation (GDPR) by TikTok regarding minors’ data.

The DPC decision mainly focuses on two breaches of the GDPR:

    - The accounts opened by new users, including teenagers between 13 and 17 years old, were set on “public” by default, meaning that the content posted on TikTok was visible by anyone, whether or not TikTok users. Children below the age of 13 were also able to register on TikTok, without parental consent, in violation of the GDPR. (2)

    - The “Family Pairing” functionality which allows a parent, also registered on TikTok, to pair their account to the child’s account to be able to monitor the child’s private messages and time spent on the application, was not verifying that the parent account did actually belong to a parent or a guardian.

Also, according to the DPC, TikTok used “dark patterns” to entice users to choose more privacy-intrusive options during the registration process and when posting videos, breaching the principles of lawfulness, fairness and transparency. (3)

TikTok has three months in order to remedy the identified violations and comply with the GDPR.

This decision by the Irish data protection authority follows a previous decision rendered by the British Information Commissioner’s Office (ICO) against TikTok on 4th April 2023, also concerning children’s personal data. In this case, the ICO found that over one million British children under the age of 13 were registered on TikTok in 2020, in breach of their user terms and conditions and without parental consent, as required by the British law on data protection. TikTok was fined £12.7 million by the ICO. (4)

* * * * * * * * * * *


(1) In the matter of TikTok Technology Ltd - Decision of the Data Protection Commission made pursuant to section 111 of the Data Protection Act, 2018 and articles 60 and 65 of the General Data Protection Regulation, 1st September 2023

(2) See art. 8 GDPR. In France, the age below which parental consent is required for children to register on a website is set at 15 years old.

(3) “Dark patterns” are user interface configurations set up to mislead or manipulate the users.

(4) ICO fines TikTok £12.7 million for misusing children’s data, 4th April 2023

Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

September 2023