The Information Commissioner’s Office (ICO) recently announced that it could impose a £27M fine on social media giant TikTok for failing to protect the privacy of children who access its services.
The social media platform has been issued with a ‘notice of intent’ (a legal document that precedes a potential fine) stating the ICO’s provisional view that TikTok breached UK data protection laws between May 2019 and July 2020.
The investigation found that TikTok may have:
- Processed the data of children below the age of 13, without appropriate parental consent;
- Failed to supply proper information to its users in a transparent, concise, straightforward manner; and
- Processed special category data such as political opinions, religious beliefs, and genetic and biometric data without the legal grounds to do so.
Companies that breach UK data protection law and/or the Data Protection Act could be fined up to £17.5M or 4% of the company’s annual global turnover, whichever is higher. At this stage, the Commissioner’s findings are provisional - the ICO will have to consider any representations and materials TikTok provides before making a final decision. However, if TikTok were to be fined this amount, it would be the largest fine in the ICO’s history, exceeding the record £20M handed to British Airways two years ago over an incident that saw the personal information of more than 400,000 customers compromised by hackers.
The announcement of this potential fine comes in the wake of the anniversary of the Children’s Code, which was introduced in September 2021. The ICO indicated that it wanted to prioritise children’s online safety, and announced it was undertaking a review of over 50 online services to assess their compliance with the code. We can only assume TikTok was one of these!
Our senior data protection and privacy solicitor, Becky White, who recently commented on the ICO’s Children’s Code and its impact on businesses, said:
‘This latest news shows the ICO means business with regards to protecting children’s online privacy. Online platforms who don’t perceive themselves as operating a child-focused service could still find themselves in hot water if the service they are offering is “not inappropriate” for children to access either.
‘Businesses need to take a step back and assess whether they are caught by the ICO criteria, and potentially reconsider their approach to remaining compliant. As a parent myself, it’s safe to say that we all want children to be able to access and experience the internet with the assurance that they remain protected at all times.
‘Digital platforms have a duty of care to make sure provisions are in place to ensure that no child is left unprotected.’
As a business, understanding your responsibilities under UK data protection law, GDPR and the Children’s Code can be difficult, but our specialist team of data protection solicitors can clarify these, removing any jargon and guiding you through what you need to do to remain compliant. We offer a data protection health check, so you can get a clear view of your compliance needs.