Dublin, Ireland – In a significant ruling, the Irish Data Protection Commission (DPC) has fined TikTok €345 million for violating child privacy regulations. The DPC found that TikTok failed to implement sufficient safeguards for children on its platform, thereby breaching EU privacy rules.
The investigation carried out by the DPC found glaring issues with TikTok’s default settings, particularly in the latter half of 2020. During this period, the platform’s default settings inadequately protected children’s accounts, leaving them exposed to potential privacy breaches.
For instance, newly created profiles for children were set to “public” by default, making them accessible to anyone on the internet, which raised significant concerns about data privacy and child safety.
Furthermore, the DPC noted that TikTok had not sufficiently informed young users about these privacy risks. The regulator also accused TikTok of employing “dark patterns,” user interface designs that manipulate or deceive users into making choices that may not be in their best interest, to encourage users to disclose more of their personal information.
Another critical violation of EU privacy law identified by the DPC concerned TikTok’s feature known as “Family Pairing,” designed as a parental control tool. The regulator found that this feature did not require adult users overseeing a child’s account to verify their status as the child’s parent or guardian.
This oversight potentially allowed any adult, even those unrelated to the child, to compromise the privacy protections of a minor.TikTok introduced the Family Pairing feature in April 2020 to enable adults to link their accounts with those of children for the purpose of managing screen time, restricting content, and limiting direct messaging to minors.
In response to the DPC’s decision, TikTok has been given a three-month deadline to address these violations and has received a formal reprimand. However, as of now, TikTok has not issued an official response to the ruling.
In a blog post on Friday, TikTok’s European privacy chief, Elaine Fox, expressed the company’s respectful disagreement with several aspects of the DPC’s decision. Fox argued that many of the criticisms leveled against TikTok were no longer applicable due to measures the company had implemented at the beginning of 2021.
These measures included automatically setting existing and new accounts to private by default for users aged 13 to 15. Furthermore, TikTok plans to introduce a redesigned account registration process for new users aged 16 to 17, which will also default to private settings.
While TikTok did not confirm that Family Pairing would now require verification of the adult’s relationship to the child, the company emphasized that the feature had evolved over time, offering new options and tools. TikTok maintained that none of the DPC’s findings suggested that its age verification measures violated EU privacy laws.
This recent fine adds to TikTok’s growing list of legal challenges, including a previous fine in the United Kingdom for multiple breaches of data protection law, including the misuse of children’s personal data.