Massive TikTok Fine: EU Regulator Slaps $370 Million Penalty for Child Data Privacy Breach

In a recent development, TikTok has incurred a hefty fine of 345 million euros ($370 million) for violating privacy regulations concerning the handling of children’s personal data within the European Union, as announced by the bloc’s primary regulatory authority on Friday.

Ireland’s Data Protection Commissioner (DPC) disclosed that the Chinese-owned short-video platform, widely popular among teenagers worldwide, had contravened several EU privacy laws during the period between July 31, 2020, and December 31, 2020.

This marks the first instance of TikTok, owned by ByteDance, facing admonishment from the DPC, which serves as the EU’s lead regulator for numerous major tech companies, thanks to their regional headquarters being located in Ireland.

In response, a TikTok spokesperson expressed disagreement with the decision, particularly objecting to the magnitude of the fine. They also contended that many of the issues raised had already been addressed with corrective measures implemented prior to the initiation of the DPC’s investigation in September 2021.

The DPC’s investigation revealed TikTok’s infringements, including the default “public” setting for accounts of users under the age of 16 in 2020, without proper verification of whether a user was indeed a child’s parent or guardian, particularly in cases involving the “family pairing” feature.

TikTok introduced more stringent parental controls to family pairing in November 2020 and altered the default setting for all users under 16 to “private” in January 2021. Moreover, they announced plans to enhance privacy materials, making the distinctions between public and private accounts clearer. For new users aged 16-17, a private account will be pre-selected when registering on the app later this month.

The DPC has granted TikTok a three-month window to rectify all processing practices that were found to be in violation.

Furthermore, the DPC is conducting a second inquiry into TikTok’s transfer of personal data to China and its compliance with EU data laws governing the movement of personal data outside the EU. In March, the DPC indicated its preparation of a preliminary draft decision regarding this investigation.

Under the EU’s General Data Protection Regulation (GDPR), which came into effect in 2018, the lead regulator for a company has the authority to impose fines of up to 4% of the company’s global revenue. The DPC has previously imposed substantial fines on other tech giants, including a combined penalty of 2.5 billion euros on Meta. As of the end of 2022, it had 22 ongoing inquiries involving multinational companies headquartered in Ireland.