DUBLIN — TikTok has been fined 345 million euros ($370 million) for breaching privacy laws regarding the processing of children’s personal data in the European Union, its lead regulator in the bloc said on Friday.
The Chinese-owned short-video platform, which has grown rapidly among teenagers around the world in recent years, breached a number of EU privacy laws between July 31, 2020, and Dec. 31, 2020, Ireland’s Data Protection Commissioner (DPC) said in a statement.
It is the first time ByteDance-owned TikTok has been reprimanded by the DPC, the lead regulator in the European Union for many of the world’s top tech firms due to the location of their regional headquarters in Ireland.
A spokesperson for TikTok said it disagreed with the decision, particularly the size of the fine, and that most of the criticisms are no longer relevant as a result of measures it introduced before the DPC’s probe began in September 2021.
3 months to comply
The DPC said TikTok’s breaches included how in 2020 accounts for users under the age of 16 were set to “public” by default and that TikTok did not verify whether a user was actually a child user’s parent or guardian when linked through the “family pairing” feature.
TikTok added tougher parental controls to family pairing in November 2020 and changed the default setting for all registered users under the age of 16 to “private” in January 2021.
TikTok said on Friday it plans to further update its privacy materials to make the differences between public and private accounts clearer and that a private account will be preselected for new 16 to 17-year-old users when they register for the app from later this month.
The DPC gave TikTok three months to bring all its processing into compliance where infringements were found.
It has a second probe open into the transferring by TikTok of personal data to China and whether it complies with EU data law when moving personal data to countries outside the bloc. In March, the DPC said it was preparing a preliminary draft decision into that investigation.
Two-year inquiry
Under the EU’s General Data Protection Regulation (GDPR), introduced in 2018, the lead regulator for any given company can impose fines of up to 4 percent of the company’s global revenue.
The DPC has hit other tech giants with big fines, including a combined 2.5 billion euros levied on Meta. It had 22 inquiries open into multinationals based in Ireland at the end of 2022.
The fine is the culmination of a two-year inquiry by the Irish watchdog, which plays a key role in policing the bloc’s strict GDPR.The regulator highlighted in its ruling Friday how children signing up had TikTok accounts set to public by default, meaning anyone could view or comment on their content.
It also criticized TikTok’s “family pairing” mode, which is designed to link parents’ accounts to those of their teenage offspring, but the DPC found the company did not verify parent or guardian status.
17M accounts deleted
TikTok is extremely popular among young people, with 150 million users in the United States and 134 million in the European Union.
In response to the fine, TikTok said it “respectfully disagrees” with the verdict and was “evaluating” how to proceed.
“The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under 16 accounts to private by default,” a TikTok spokesperson told Agence France-Presse (AFP).
The platform insists that it closely monitors the age of its users and takes action when needed.
TikTok says it deleted almost 17 million accounts worldwide in the first three months of this year due to suspicions that they belonged to people under 13 years old.
Friday’s fine comes after the Europen Union last week unveiled a list of digital giants—including Apple, Facebook owner Meta and ByteDance—that will face tough new curbs on how they do business.
READ: Which apps are the least friendly when it comes to respecting user privacy?