The ICO has issued the social media platform TikTok with a £12.7m fine for breaching the UK GDPR, including failing to process children’s data lawfully.
Children’s data requires specific protection as children may be less aware of the risks and their rights concerning their personal data.
Therefore, organisations should have in place technical and organisational measures to safeguard the rights of children.
Furthermore, Article 8 of the UK GDPR states that when you are providing online services to a child under the age of 13, you need to get consent from whoever holds parental responsibility for the child.
The ICO estimated that TikTok allowed up to 1.4 million UK children under the age of 13 to use its platform, despite it having rules that do not allow children of this age to access the platform.
The ICO’s investigation found that TikTok failed to obtain parental consent for these children using its platform, and therefore the collection of their data was unlawful. Furthermore, the ICO found that TikTok did not carry out adequate checks to identify and remove underage children from its platform, despite concerns raised internally with senior employees.
A major concern of the ICO was that the data collected by TikTok could be used to track the underage children and possibly deliver harmful and/or inappropriate content to them.
Under the UK GDPR, an organisation can be fined up to the higher of £17.5m or 4% of the organisation’s global annual turnover.
The ICO initially issued TikTok with a notice of intent which could have seen TikTok facing a £27 million fine. However, after the ICO heard TikTok’s representations, it narrowed the scope of its action, particularly excluding its findings related to the misuse of special category data (which includes data such as ethnicity, health records and sexual orientation). TikTok was ultimately fined £12.7m for its non-compliance with the UK GDPR.
Following its investigation into TikTok, the ICO has published the Children’s Code, which gives further guidance on the measures that should be taken in relation to children’s data, which include (but are not limited to):
The purpose of the code is to ensure the safety of children, whose presence in online services is ever increasing, and the ICO’s fine to TikTok serves as a stark reminder to organisations collecting children’s personal data that they must do so lawfully, or potentially face serious consequences.