TikTok Slapped with Record €345 Million GDPR Fine for Children’s Privacy Violations
The popular social media platform TikTok has been issued a massive €345 million fine by the Irish Data Protection Commission (DPC) for violating the privacy rights of children under the European Union’s General Data Protection Regulation (GDPR). This represents the largest GDPR penalty imposed on TikTok to date and serves as a stern warning to companies operating in Europe regarding compliance with data protection laws.
According to the DPC, TikTok failed to protect the personal data of minors in several key ways:
- User accounts for children aged 13-17 were set to public by default from July to December 2020, allowing anyone to view and comment on their videos. This represents a major privacy risk.TikTok did not adequately evaluate the risks of under 13s accessing the platform and did not do enough to prevent this from occurring.
- The platform used manipulative ‘dark pattern’ designs to push teenagers into making their accounts public when signing up.
- Minors’ accounts were potentially matched with unverified adult accounts during the second half of 2020.
- TikTok failed to properly explain the ramifications of having a public account to underage users.
- The DPC found these practices violated GDPR requirements around processing children’s data lawfully, transparently and securely.
- TikTok has been ordered to change its misleading account sign-up process within three months.
In response to the fine, TikTok stated: “We respectfully disagree with the decision, particularly the level of the fine imposed. The criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began.”
The company says it disagrees with the size of the penalty but will comply with the DPC’s instructions to further improve its privacy protections for teenagers. TikTok claims the issues identified stem from old policies that have since been amended.
GDPR in Croatia
While TikTok is facing heavy consequences for its GDPR non-compliance in Ireland, the implications of this case extend across the EU. Here in Croatia, the local data protection authority or AZOP (Agencija za zaštitu osobnih podataka) is responsible for enforcing the GDPR.
Recent checks by AZOP have identified numerous Croatian companies falling short of GDPR requirements around data processing, security and subject rights. Local giant Zagrebački Holding was recently issued a fine of 25.000 Euros by AZOP for the following GDPR violations:
- Failing to adequately inform service users about the legal basis and retention period for collecting copies of ID documents for issuing bill reprints by email. This breaches Article 13(1)(c) and 13(2)(a),(e) on transparency requirements.
- Not implementing appropriate technical and organizational measures when processing personal data for user identification for email bill reprints. This violates Article 25(2) on data security.
- Lacking clear rules for identifying service users by email, instead requesting ID copies when the user’s email address didn’t match their name. This resulted in insecure processing of ID copies without proper transparency to users.
This example shows increased GDPR enforcement in Croatia across sectors like utilities. Companies must ensure full compliance or risk facing substantial penalties.
Protecting Children’s Data
A key lesson from the TikTok case is that extra care must be taken with processing children’s personal information. Due to their vulnerability, minors merit special protection under the GDPR. Companies should:
- Assess and mitigate risks to children before processing their data.
- Provide clear information to minors in plain, age-appropriate language.
- Switch settings like geolocation and profiling off by default for child users.
- Establish robust age verification measures to keep underage users off platforms.
- Conduct DPIAs focused on the best interests of children.
- Appoint personnel dedicated to children’s privacy.
- Limit collection and retention of children’s data.
Upholding these enhanced safeguards for young users’ sensitive information will help avoid major fines.
Achieving GDPR Compliance
With regulators enforcing the GDPR more strictly across Europe, businesses must align their data policies and practices with the regulation if they handle EU citizen data. Performing a full GDPR compliance audit is recommended to identify any gaps.
GDPR specialists can also assist in areas like:
- Creating data protection policies and procedures
- Training staff on GDPR obligations
- Conducting in-depth DPIAs
- Appointing a qualified DPO
- Implementing data security controls
- Handling DSAR requests and data breaches
- Overseeing record-keeping and reporting
Leveraging expert guidance can help guarantee lawful, ethical processing of personal data and avoidance of substantial penalties for violations. By partnering with specialists like Vision Compliance, companies can achieve robust GDPR compliance and create customer trust.