European regulators dealt a blow to TikTok over its handling of children’s data, issuing the largest fine the company has faced to date.
TikTok’s lead regulator in the European Union is slapping the company with a €345 million fine for violating Europe’s landmark privacy law, the General Data Protection Regulation.
The nearly $370 million penalty announced today by the Irish Data Protection Commission is related to TikTok’s handling of sensitive data from children, ages 13 to 17, who’ve used the app—as well as from kids under 13 whose personal data TikTok has processed as part of determining whether they were old enough to be on the platform. (Users must be at least 13 to be on TikTok.)
The privacy watchdog, which opened the investigation in 2021, looked in particular at TikTok’s public-by-default settings and “Family Pairing” tool, as well as its age verification process for individuals signing up for an account. It also scrutinized whether TikTok had been adequately transparent with young users about their privacy settings. The body found that TikTok violated several parts of GDPR in 2020, including articles pertaining to the processing of young users’ data and to so-called “dark patterns,” design decisions that deceive or manipulate users into taking certain actions in an app. In addition to the hefty fines in the hundreds of millions, the commission is requiring TikTok to make its data processing compliant by the end of the year.
This all but concludes one of two major investigations that the regulator in Ireland, home to TikTok’s European headquarters, has launched into the company and whether it has complied with GDPR. The other probe is examining whether TikTok—owned by Beijing-based parent ByteDance—has unlawfully transferred European users’ personal data from the EU to China, and whether it was sufficiently transparent with users about how it was handling their information. (The Commission recently told Forbes it expects a public update on that inquiry around now.)
Got a tip about TikTok or ByteDance? Reach out securely to Alexandra S. Levine on Signal/WhatsApp at (310) 526–1242, or email her at email@example.com.
This is TikTok’s largest ding from regulators to date, but it’s not the first time the social media giant has been punished for children’s privacy and safety missteps; earlier this year, Britain’s data watchdog issued TikTok a €12.7 million fine (almost $16 million) for breaking British data protection laws in its processing of kids’ information. In 2021, Dutch authorities issued a €750,000 fine (almost $1 million) for similar violations. And back in 2019, the Federal Trade Commission reached a $5.7 million settlement with TikTok (then Musical.ly) along the same lines. (Still, ByteDance posted $80 billion in revenue in 2022.)
“TikTok is a platform for users aged 13 and over,” a spokesperson said in response to the recent U.K.-issued fine, which the company disagreed with. “We invest heavily to help keep under-13s off the platform and our 40,000-strong safety team works around the clock to help keep the platform safe for our community.” Weeks before that fine was handed down, TikTok also launched Project Clover—a counterpart to Project Texas in the U.S.—in an effort to better protect European TikTok users and their data and address concerns about access to that information in China.
In the first quarter of 2023, TikTok removed nearly 17 million accounts thought to be younger than 13, and 91 million videos that broke its rules, according to its most recent enforcement report. More than a quarter of those posts were pulled down for policy violations related to minor safety.
TikTok did not immediately respond to a request for comment.