TikTok, the Chinese-owned short-video platform popular among global teenagers, faces a hefty €345 million ($370 million) fine for breaching European Union privacy laws pertaining to children’s personal data. Ireland’s Data Protection Commissioner (DPC), the lead regulator in the EU for several major tech companies due to their regional headquarters’ location in Ireland, issued the penalty. This marks the first reprimand by the DPC against TikTok.
The violations occurred between July 31, 2020, and Dec. 31, 2020, according to the DPC’s statement. Among the infringements, TikTok defaulted accounts for users under 16 to “public” in 2020 and did not adequately verify whether a user was genuinely a child’s parent or guardian when using the “family pairing” feature.
TikTok enhanced parental controls in family pairing in November 2020 and switched the default setting for all users under 16 to “private” in January 2021. The platform intends to further update its privacy materials to clarify the distinctions between public and private accounts and automatically select a private account for new users aged 16 to 17 starting later this month.
The DPC has given TikTok a three-month ultimatum to rectify all data processing infringements identified. Additionally, the regulator is conducting a separate investigation into TikTok’s transfer of personal data to China and its compliance with EU data regulations concerning data transfers to non-EU countries.
Under the EU’s General Data Protection Regulation (GDPR) implemented in 2018, the lead regulator for any company can impose fines of up to 4% of the firm’s global revenue. The DPC has previously imposed substantial fines on tech giants, including a combined €2.5 billion levied against Meta.