The Irish Data Protection Commission (DPC) today announced its decision to impose a fine of 345 million euros (equivalent to about 368 million dollars) on TikTok for failures under GDPR when processing the personal data of child users on the platform. The investigation, which focused on the period between July 31 and December 31, 2020, examined TikTok’s obligations under GDPR in the context of:
- certain TikTok Platform settings, including default public settings, as well as the settings associated with the “Family Matching” feature; and
- age verification as part of the registration process.
The final EU-wide decision of the European Data Protection Board was made on August 2, 2023, and additional findings were to be included in the DPC’s draft decision, which led not only to a fine but also to a reprimand and an order for TikTok to bring its processing into compliance with the requirements within 3 months from the date of notification of the decision.
A graphic showing the full summary of the findings is shown below, as provided by the DPC, detailing exactly where TikTok was found to be in breach of GDPR requirements.
Mainly, the findings focused on how the age verification feature was not enough to prevent users from accessing the platform by entering false information to bypass the verification, as well as on failures in the “Family Matching” feature, which would have given the option to disable some protections for direct messages for children over 16 years of age.
This is not the first time that TikTok has received a GDPR-related fine from the EU regarding children’s privacy on the platform: it was fined €750,000 in 2021 for a similar issue by the Dutch Data Protection Authority, which mainly related to offering privacy policies only in English rather than in the native languages of the member states.