The Information Commissioner’s Office (ICO) found that TikTok did not do enough to stop over 1 million UK children under 13 using the app in 2020. As a consequence, children’s personal data was used without parental consent which is a breach of Article 8 of the General Data Protection Regulation (GDPR).
Article 8 of the UK GDPR doesn’t completely rule against the processing of children’s personal data. It says that when a child is under the age of 13, data processing is lawful providing authorisation is given by the person with parental responsibility.
The problem with children’s data being processed without parental consent is that information about their preferences is stored, meaning inappropriate content can be put in front of them in targeting campaigns. Subsequently, child users could be placed at risk of exploitation or grooming in the worse of cases. Children may be more vulnerable to risks because they are less able to understand them and so they must be protected online.
The UK Information Commissioner said that TikTok should have done more to ensure that children were not using the app. TikTok could have investigated accounts that were suspected to be used by children through artificial intelligence or self-declarations, or, published clearer rules on gaining parental consent. The ICO states that when a company is considering whether they have strict enough standards when it comes to child users they should think about the potential risks to children. If the risks are high, the more reassurance a company needs to ensure parental consent is obtained.
The ICO investigation discovered that TikTok employees had raised concerns about under aged children using the video app but nothing was done about it. The breaches included the following according to the ICO:
- “Providing its services to UK children under the age of 13 and processing their personal data without consent or authorisation from their parents or carers.
- Failing to give proper and clear information to users about how their data is collected, and used.
- Failing to ensure that the personal data belonging to its UK users was processed lawfully, fairly, and in a transparent manner.”
This is not the first time that TikTok has been fined for putting children’s information at risk. In 2021, the Dutch Protection Authority fined TikTok for violating children’s privacy. TikTok’s privacy statement was written in English and not in Dutch which is an infringement of privacy laws. Children must be clear on exactly how their information will be used which may be impossible or more difficult if the policy is not in their own language.
The USA has also had its concerns about TikTok and the way it uses children’s information. As such, in order to protect child safety online, lawmakers in Montana passed a bill banning the app on personal devices. This will make it illegal for app stores to offer TikTok to users and a penalty of $10,000 will be applicable to those who do not comply.