DPC calls time on TikTok's data processing practices concerning children

The Data Protection Commission (DPC) announced on Friday, 15th September that it had concluded its investigation into TikTok’s data processing practices involving children’s data and that it was fining the social media platform €345 million for shortcomings in adequately protecting children and their personal data while using the platform. 

Following an inquiry conducted into the platform between 31 July 2020 and 31 December 2020, the DPC engaged with its supervisory counterparts in other EU Member States on its draft findings, leading to the EDPB adopting a binding decision on the matter on 2 August 2023 (pursuant to the Article 65 GDPR dispute resolution mechanism). Following this EDPB decision, the DPC adopted its final decision, summarising its key findings of non-compliance with various provisions of the GDPR, as follows: 

• profile settings for child user accounts on the TikTok platform were set to ‘public’ by default, meaning anyone (on or off the platform) could view the content posted by the child user; 
  
• the ‘Family Pairing’ setting allowed an adult user (who could not be verified as the parent or guardian of the child) to pair their account to a child’s account. This allowed the adult user to enable direct messages for children above the age of 16, which posed several possible risks to child users; 
  
• the ‘public by default’ setting on children’s accounts posed several significant risks to children aged under 13 who gained access to the platform; 
  
• TikTok failed to provide sufficient transparency information to children who use the platform; and 
  
• TikTok implemented ‘dark patterns’ by nudging users towards choosing more privacy-intrusive options during the registration process, and when posting videos. 

In addition to the administrative fine, the DPC has issued a reprimand and an order requiring TikTok to bring its processing into compliance within a period of three months from 1 September 2023 (the date on which the DPC notified TikTok of its decision). 

TikTok has publically disagreed with aspects of the decision, mentioning that the settings and features of the platform condemned by the DPC in its decision had been updated to enhance protection of child users, even before the DPC’s investigation commenced. 

The case highlights the growing interest taken by the DPC in ensuring the protection of children’s data and in assessing compliance by organisations with their obligations to children. This follows on from recent specific guidance by the DPC, the Children Front and Centre: Fundamentals for a Child-Orientated Approach to Data Processing (available here and please also see our previous publication on the draft DPC guidance available here). The DPC decision, while it may still be the subject of an appeal, is a reminder to organisations which may process children’s data that they should familiarise themselves with their specific obligations, including their protections for children and how this processing is dealt with in their Privacy Notice.

For further information, please contact Seán O’Donnell, Zelda Deasy or any member of our Data Protection Team.