The ICO fines TikTok £12.7 million for violations when processing children’s personal data
The ICO fines TikTok £12.7 million for violations when processing children’s personal data
The ICO has published Children’s Code, which contains guidance for online systems likely to be accessed by children. The ICO has also created design tests for compliance to accompany the code.
Overview
The protection of children’s personal data came into the spotlight once more as the ICO issued TikTok a £12.7 million fine for misusing children’s data. The fine relates to the following breaches of the UK GDPR:
- The failure to obtain consent or authorisation from the parent or carer of a child under the age of 13 when providing services.
- The failure to comply with the information rights under the UK GDPR, which require controllers to provide information to data subjects about the data processing in a clear and easy-to-understand language. The ICO stated that, due to the absence of this information, users of TikTok’s platform ‘were unlikely to be able to make informed choices about whether and how to engage with it’.
- The failure to process the data of UK users lawfully, fairly and in a transparent manner.
The original ICO notice of intent for TikTok published in 2022 proposed a fine of £27 million. The amount of the proposed fine took into account the provisional finding that TikTok processed special category data without legal grounds to do so. However, having considered TikTok’s representations, the ICO ultimately decided not to pursue the provisional finding, resulting in the near halving of the proposed fine.
Why is this significant and what does it mean for me?
The TikTok case helps to illustrate the importance of obtaining parental consent where personal data of children under the age of 13 are being collected. At the same time, it also serves as a reminder for organisations that privacy information must be communicated to data subjects and, in particular, children in an easy-to-understand, concise and transparent manner.
Notably, in this regard, the ICO has published the Children’s Code (the Code), which contains design guidance for online systems that are likely to be accessed by children. The ICO has also published design tests to accompany the Code. They have been created with a view to assisting designers of online products or services in complying with the Code. The ICO clarifies, however, that they are for guidance only and do not constitute an official assessment of the compliance level. Nevertheless, controllers exposed to the processing of children’s data should consider testing their online products or services to identify and remedy any potential compliance gaps as soon as possible.
If you have any queries or would like further information, please visit our data protection services section or Christopher Beveridge.