This article was written by Marija Nonkovic.

The ICO has announced that it has issued TikTok Inc and TikTok Information Technologies UK Limited (‘TikTok’) with a ‘notice of intent’ - a legal document that precedes a potential fine. The notice, which sets out the ICO’s provisional findings, suggests that a fine of £27 million may be imposed on the platform if it is found to have breached data protection law by processing the data of under-13s without proper consent.  

Why might TikTok be fined?

Following its investigation, the ICO found that between May 2018 and July 2020 TikTok may have:

  • processed the data of children under the age of 13 without appropriate parental consent;
  • failed to provide proper information to its users in a concise, transparent and easily understood way; and
  • processed special category data, without the proper legal basis for doing so.

This is the second time that TikTok has been scrutinised in relation to its handling of children’s data on its platform. In 2019 it was fined $5.7 million by the US Federal Trade Commission for collecting children’s data without obtaining parental consent.

This latest notice from the UK regulator forms part of a wider set of investigations that the ICO is conducting into technology firms’ compliance with the Children’s Code. This ‘age-appropriate’ code of practice came into force in September 2020 and is aimed at online services (such as social media sites) likely to be accessed by children. Information Commissioner John Edwards said:

“I’ve been clear that our work to better protect children online involves working with organisations but will also involve enforcement action where necessary. In addition to this, we are currently looking into how over 50 different online services are conforming with the Children’s code and have six ongoing investigations looking into companies providing digital services who haven’t, in our initial view, taken their responsibilities around child safety seriously enough.”

Key takeaways

The potential fine of £27,000,000 (US$29,000,000) represents the highest level of penalty that can be imposed under UK GDPR – the higher of £17.5 million or 4% of global annual turnover. This continues the trend of the ICO using its enforcement powers to issue significant fines for breaches of UK GDPR. If the TikTok fine is ultimately imposed, it will be the largest fine ever issued by the ICO, after the £20 million penalty given to British Airways in 2020.

As the frequency and level of fines increase, organisations need to be proactive in monitoring their data processing activities and continuously reviewing whether their systems and procedures comply with data protection law. Against the backdrop of ongoing investigations into compliance with the Children’s Code, organisations providing online services which may be more likely to be accessed by children (this includes apps, games and social media platforms) need to be particularly aware of their duties when it comes to younger users’ data. Furthermore, the continuing discussions around the protection of children online in the context of the upcoming Online Safety Bill mean that the burden on organisations to ensure proper protection of children online will only increase in the future.

Next steps

The ICO’s findings are still provisional, so it has not yet been established whether TikTok has breached data protection law, and there is no clear indication as to whether the proposed fine will be imposed. TikTok will be given a chance to make representations before a final decision is made.

A TikTok spokesperson has said: “While we respect the ICO’s role in safeguarding privacy in the UK, we disagree with the preliminary views expressed and intend to formally respond to the ICO in due course.”