TikTok's €345 Million Fine for GDPR Violations on Child Data Protection

In early September 2023, Ireland's Data Protection Commission (DPC) imposed a €345 million fine along with corrective measures against TikTok in response to its improper handling of children’s personal data. This is the latest in a recent string of enforcement actions with high fines by European regulators indicating a push toward stricter compliance with the EU’s General Data Protection Regulation (GDPR).

TikTok’s GDPR Violations

The allegations against TikTok stem from its handling of children’s personal data during a five-month period from July 31, 2020, to December 31, 2020. During that period, the DPC alleges that TikTok set the profile settings for child users (ages 13 to 16) to public-by-default, permitting any member of the public to view the child user’s profile and content. The company had also enabled a “Family Pairing” option that could link a child user account to an adult user account and permit the adult to increase the child’s permissions without first verifying that the adult was a parent or guardian. Lastly, during the relevant period, TikTok employed certain pop-up notifications targeted at child users that displayed privacy-intrusive options more prominently and made them easier to select than the privacy-protective options.

Based on these findings, the DPC ultimately charged and fined TikTok for violation of the following GDPR provisions:

  • Article 5(1)(a), which prohibits manipulative design practices, otherwise known as dark patterns. (This violation was subsequently added by the German Supervisory Authorities during the window for open commentary by other Data Protection Authorities.)
  • Articles 5(1)(c) and 5(1)(f), which require that personal data be processed fairly, transparently, under lawful basis, and under appropriate security measures;
  • Articles 12(1) and 13(1)(e), which require that notice of a company’s handling of personal data and GDPR compliance be concise, transparent, intelligible, and easily accessible; and
  • Articles 24(1), 25(1), and 25(2), which require companies to implement data protection by design and default, including integrating appropriate technical and organizational measures at the outset and abiding by data minimization principles.

TikTok was also initially accused of violating Article 25 age verification requirements, but the DPC ultimately found that the company’s practices were compliant, despite objections from the Italian Supervisory Authority, Garante per la Protezione dei Dati Personali.

TikTok claims that all issues that the DPC raised (e.g., default profile settings, account linking, and notification design) were remedied in early 2021 prior to commencement of the investigation.

The disagreement between Irish and Italian Data Protection Authorities (DPAs) highlights the important point that, while the GDPR is a single regional framework, its enforcement is ultimately up to the individual EU member states. Thus, companies must be conscious of the nuanced interpretations by the particular EU member states in which they operate.

Recent Trend in Enforcement Actions

The enforcement action and related steep fines against TikTok follow a string of comparable child data enforcement actions by regulators within the last year. Notably, the EU imposed a €405 million fine against a prominent social media company in September 2022 for similar public-by-default profile settings on child user accounts. In the United States, the Federal Trade Commission issued a $275 million penalty against a video game developer in December 2022 for collecting child data without prior parental consent and setting child users’ text and voice communications to on-by-default, in violation of the Children’s Online Privacy Protection Act (COPPA).

Arguably even more impactful to companies than the steep fines are the corrective orders, which increasingly mandate substantial changes to a company’s data collection and use practices that may be central to its business model and profoundly impact business operations.

Takeaways

These enforcement actions serve as forceful reminders of the importance of conscientious handling of child data subjects and their personal data. European and U.S. regulators alike appear increasingly willing to employ harsh fines and corrective mandates to ensure compliance with their respective child data protection frameworks.

Accordingly, companies that may collect or use child personal data should take stock of their collection practices and ensure that any related notices use clear language appropriate for the age range and present privacy options in a neutral manner. Moreover, any company that operates a platform with child end users should set child account viewing and communication settings to private-by-default. Such companies should also beware of linking user accounts in a way that may give non-parent adult users control over child user settings.

If you would like to discuss your organization’s strategy for complying with frameworks like the GDPR or COPPA, please feel free to contact the Baker Botts Privacy & Cybersecurity team.

ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.