The UK’s privacy regulator has announced its intention to fine TikTok £27m over breaches of the country’s data protection laws.
The Information Commissioner’s Office (ICO) issued the Chinese social networking giant with a “notice of intent” that explains it believes TikTok broke the law between 2018 and 2020.
The ICO's provisional findings indicate that TikTok may have:
- Processed the data of children under the age of 13 without “appropriate” parental consent
- Failed to provide information to users “in a concise, transparent and easily understood way”
- Processed special category data – which includes ethnic and racial origin, genetic, health and biometric data, and more – without legal grounds to do so
Information commissioner, John Edwards, argued that TikTok fell short of its legal duty to protect the privacy of its youngest users.
“I’ve been clear that our work to better protect children online involves working with organizations but will also involve enforcement action where necessary,” he added.
“In addition to this, we are currently looking into how over 50 different online services are conforming with the Children’s code and have six ongoing investigations looking into companies providing digital services who haven’t, in our initial view, taken their responsibilities around child safety seriously enough.”
However, the big caveat here is that these findings are provisional. TikTok now has the right to make its own representations to the regulator, after which a final decision will be made.
Historically, large organizations like Marriott International and British Airways have managed to significantly reduce the value of fines initially set out in similar “notice of intent” documents.
Commentators have argued in the past that GDPR regulators like the ICO are often out-gunned, especially in the tech sector, by companies with deeper pockets, better lawyers and more technology expertise.