While TikTok denies that anyone under the age of 13 can set up an account, the UK data regulator suspects that the app may have previously breached UK data protection law.
On 26th September, the UK Information Commissioner’s Office (ICO) announced it had issued a notice of intent to TikTok’s UK company – a legal document that must be issued before considering issuing a fine to a firm for breaching UK data protection rules.
The ICO suspects that TikTok – one of the world’s biggest social media platforms – may have processed the data of child users under the age of 13 without gaining the consent of parents. It also might have processed what’s called “special category data” – about someone’s race, gender, or religious beliefs, for instance – without needing to, and might not have given users enough detail, in a clear manner, about what data it collects and why. Because of that, the ICO believes it could, in the future, fine TikTok up to £27 million (£29.3 million).
The ICO is at pains to make clear that the findings are provisional and that no conclusion should be drawn at this stage that there has, in fact, been any breach of data protection law or that a financial penalty will ultimately be imposed. Instead, it’s inviting TikTok to respond to the claims.
However, the rules by which the ICO can issue notices of intent such as this mean that it can only do so if it has a strong suspicion that there has been a “failure” in adhering to the UK Data Protection Act. This provision falls under schedule 16, paragraph 3(2) of the Data Protection Act. In short: the ICO’s own rules mean it can’t shout about a fire if there’s no smoke.
TikTok, for its part, is keen to highlight the provisional nature of the report. “This Notice of Intent, covering the period May 2018 - July 2020, is provisional, and as the ICO itself has stated, no final conclusions can be drawn at this time,” says a TikTok spokesperson. “While we respect the ICO's role in safeguarding privacy in the UK, we disagree with the preliminary views expressed and intend to formally respond to the ICO in due course.”
Why the ICO acted now
The timing for the announcement may seem unusual, given all that’s happening in the world. But there is a method to the ICO acting now. “It is perhaps timely that the ICO is currently taking action against one of the big tech giants and so is being seen to proactively protect children’s personal data,” says Sian Stephens, data privacy lawyer at Payne Hicks Beach, who points out that the news of the notice of intent comes just after the first anniversary of the ICO passing the Children’s Code, a list of 15 good practices it expects tech companies to follow when handling children’s data.
“We assume that TikTok may receive a fine if found to be in breach of UK data protection laws and that this will then serve as a stark warning to other global tech companies which process large volumes of children’s data,” says Stephens.
Andy Burrows, head of child safety online policy at the NSPCC, says: “It’s welcome to see the ICO investigating and enforcing regulation. Companies should take note and make sure they are keeping children safe on their platforms.”
Burrows adds: “The Children’s Code is a reminder that regulation works, with a number of sites implementing better safety measures. Children can be given even stronger protections by government delivering the Online Safety Bill in full and without delay.”