The Republic of Ireland’s Data Protection Commission (DPC) imposed administrative fines totalling €345 million on TikTok after it found the company failed to comply with GDPR in handling children’s’ information.
In a statement, the DPC explained an investigation commenced in 2021 found TikTok had breached multiple privacy laws between July 2020 and December 2020 for failing to protect data belonging to child users.
The watchdog pointed to the settings which made children’s accounts publicly accessible by default, exposing the content posted to users and non-users of the platform.
Other infringements include a family pairing feature which can connect children’s accounts with adults who had not been verified as a parent or guardian and flaws in the age verification system.
Furthermore, the DPC explained a Supervisory Authority in Berlin called for the inclusion of “an additional finding of infringement” of GDPR fairness principles relating to so-called dark patterns which nudge “users towards choosing more privacy-intrusive options” during sign up and when posting videos.
TikTok has three months to bring its “processing into compliance”.
In response to the decision, TikTok argued “most of the decision’s criticisms are no longer relevant as a result of measures we introduced at the start of 2021, several months before the investigation began”.
“We respectfully disagree with several aspects of the decision, particularly the level of the fine, and we want to provide some important context while we evaluate next steps.”