TikTok didn’t protect kids from the view of strangers and adults, the regulator found. The fine brings the penalties imposed on Big Tech by the Irish watchdog to almost €3bn over the last two years.
The fine is mostly for TikTok not doing enough to make sure that children and young teenagers who use the service had privacy from strangers and adults.
But the DPC also found that TikTok used “dark patterns”, making users more susceptible to privacy-intrusive experiences when signing up or posting videos.
It’s the third largest fine that the Irish regulator has imposed on Big Tech, bringing to almost €3bn the total amount of financial penalties on tech giants over the last two years. Under the GDPR fines system, Ireland gets to keep all of the money.
This month, a survey of 5,000 Irish schoolchildren found that the majority of 12-year-olds in Ireland use TikTok, ranging from 55pc in primary school to 80pc in secondary school.
“The profile settings for child user accounts were set to public by default, meaning anyone, on or off TikTok, could view the content posted by the child user,” said the DPC today.
“The Family Pairing setting allowed a non-child user, who could not be verified as the parent or guardian, to pair their account to a child user’s account. This allowed the non-child user to enable Direct Messages for child users above the age of 16, which posed severe possible risks to child users.”
On protecting under-13s, who are not legally allowed to use TikTok, the regulator recorded a mixed verdict. While it did not find that TikTok targeted children under 13 to join, or that its measures to stop under-13s joining were lacking, it did find that TikTok didn’t give proper “consideration of the certain risks posed to those under 13s who did gain access to the TikTok platform”.
Because of this, it said, TikTok “did not implement appropriate technical and organisational measures” under GDPR.
It said that the “dark patterns” used by TikTok resulted in the platform “nudging users towards choosing more privacy-intrusive options” during the registration process and when posting videos.
The DPC also issued an order for TikTok to “bring its processing into compliance” within three months.
In response, TikTok said that it had already implemented most of the DPC’s required changes voluntarily ahead of the ruling, including making accounts owned by kids aged 13 to 15 private by default.
The company, whose European headquarters in Dublin employs 3,000 people, says that it has not decided whether or not to appeal the fine, adding that it is “disappointed” in the finding.
The watchdog was investigating TikTok over a six-month period, from July to December in 2020.
Unlike previous large fines from the DPC, the €345m TikTok fine was not the result of other European privacy regulators petitioning for higher penalties.
The DPC has a separate investigation into whether TikTok is obeying GDPR with regard to sending user information to its parent firm in China. That enquiry is set to see a draft decision by the end of the year.
Earlier this year, the Irish regulator issued cumulative fines of almost €2bn on Meta subsidiaries, Facebook, Instagram and WhatsApp.