TikTok is facing a substantial fine of 345 million euros ($370 million) for violating privacy regulations related to the handling of children’s data within the European Union, according to an announcement made by the EU’s primary regulatory authority.
Ireland’s Data Protection Commissioner (DPC) revealed that TikTok, the popular Chinese-owned short-video platform favoured by teenagers globally, had breached several EU privacy laws during a specific time frame from July 31, 2020, to December 31, 2020.
This incident marks the first time TikTok, owned by ByteDance, has come under scrutiny from the DPC, which acts as the EU’s leading regulator for many major tech companies due to their regional headquarters being based in Ireland.
In response to the decision, a spokesperson for TikTok expressed disagreement, particularly with the size of the fine.
They also argued that many of the issues raised had already been addressed through corrective actions taken before the DPC initiated its investigation in September 2021.
The DPC’s investigation revealed TikTok’s violations, “including the default ‘public’ setting for accounts of users under the age of 16 in 2020, without proper verification of whether the user was indeed a child’s parent or guardian, especially concerning the ‘family pairing’ feature.”
TikTok made changes to family pairing in November 2020, switched the default setting for users under 16 to “private” in January 2021 and announced plans to improve privacy materials to clarify the distinctions between public and private accounts.
For new users aged 16-17, a private account will be pre-selected when registering on the app starting later this month.
The DPC has given TikTok a three-month window to address all processing practices found to be in violation.
Additionally, the DPC is conducting a separate investigation into TikTok’s transfer of personal data to China and its compliance with EU data laws regarding the transfer of personal data outside the EU. In March, the DPC indicated that it was preparing a preliminary draft decision in this investigation.
Under the EU’s General Data Protection Regulation (GDPR), which took effect in 2018, the lead regulator for a company has the authority to impose fines of up to 4% of the company’s global revenue.
The DPC has previously imposed substantial fines on other tech giants, including a combined penalty of 2.5 billion euros on Meta. As of the end of 2022, it had 22 ongoing inquiries involving multinational companies headquartered in Ireland.