TikTok, the popular social media platform, has been slapped with a hefty €345 million ($368 million) fine by a major European tech regulator over allegations of insufficient measures to safeguard children’s privacy. The Irish Data Protection Commission (DPC), responsible for monitoring TikTok’s operations in the European Union, issued the fine, citing violations of the EU’s privacy regulations.
The investigation carried out by the DPC revealed critical lapses in TikTok’s default settings during the latter part of 2020, with specific regard to the protection of children’s accounts. Notably, the default settings for newly created children’s profiles were set to “public,” making them accessible to anyone on the internet.
The DPC further highlighted that TikTok failed to adequately communicate these privacy risks to its young users and employed “dark patterns” to encourage users to disclose more of their personal information.
Another breach of EU privacy law was identified concerning TikTok’s parental control feature known as “Family Pairing.” This feature did not mandate the verification of adults overseeing a child’s account as the child’s legitimate parent or guardian. Consequently, this oversight theoretically allowed any adult to weaken the privacy safeguards put in place for a child’s account.
TikTok introduced Family Pairing in April 2020, intending to permit adults to link their accounts with those of children to manage screen time, restrict unwanted content, and limit direct messaging for children.
As part of the DPC’s decision, TikTok has been given a three-month window to rectify these violations and has received a formal reprimand.
TikTok has not yet responded to the fine or the DPC’s findings, but the company issued a blog post asserting its disagreement with several aspects of the ruling. TikTok’s European privacy chief, Elaine Fox, argued that many of the criticisms raised by the DPC have already been addressed through measures implemented at the beginning of 2021. These measures included setting existing and new accounts as private by default for users aged 13 to 15. Additionally, a redesigned registration flow for new 16- and 17-year-old users will soon default to private settings.
While TikTok did not confirm changes to Family Pairing’s adult verification process, the company emphasized that the feature had undergone enhancements over time and pointed out that the DPC’s findings did not conclude that TikTok’s age verification measures violated EU privacy laws.
Notably, this fine follows TikTok’s previous penalties in the United Kingdom for data protection law breaches, including the misuse of children’s personal data, earlier this year.