TikTok’s fine: what it means for businesses, and how you can avoid the same mistakes
TikTok has rapidly become very popular as a social media platform. Despite its success, it has received one of the largest fines ever issued by the Information Commissioner’s Office (ICO) for misusing children’s data.
The “notice of intent” previously issued warned of a potential £27 million fine, but it was lowered to £12.7 million after the ICO took into consideration representations from TikTok. The ICO decided not to pursue the provisional finding of unlawful use of special category data (such as health and gender identity information), which “reduced” the severity of the breach.
The ICO’s investigation
The fine was issued for breaches of UK data protection law, including the use of personal data of children under 13 years of age without parental consent. The ICO estimated that as many as 1.4 million children under the age of 13 had been allowed by TikTok to use its platform in 2020, despite its terms saying that 13 was the minimum age to create an account.
Children’s data may have also been used to track and profile them, with the risk that they could be presented with inappropriate, or potentially harmful, content.
TikTok now has an opportunity to appeal the value of the fine and will have 28 days in which to make representations. A representative for TikTok said: “While we disagree with the ICO’s decision, which relates to May 2018 – July 2020, we are pleased that the fine announced… has been reduced to under half the amount proposed last year. We will continue to review the decision and are considering next steps.”
What does this mean for TikTok?
The video-sharing platform has already been scrutinised for its non-compliance with data protection legislation; however, the UK Online Safety Bill is likely to introduce more stringent measures. It is intended that this will be passed in 2023 to make social media companies legally responsible for keeping children and young people safe online.
The £12.7 million fine is a drop in the ocean compared to the £64 billion revenue reported to have been made by ByteDance, TikTok’s parent company, in 2022. The maximum fine which can be issued by the ICO is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. Therefore, enforcement action by the ICO has the potential to significantly impact organisations’ bottom line.
What does this mean for your organisation?
TikTok’s fine serves as a reminder to organisations of the need to comply with data protection legislation, and how to respond if there has been non-compliance.
When considering regulatory action, the ICO will first consider the seriousness of the breach and the culpability of the controller. Mitigating and aggravating factors will also be taken into consideration on a case-specific basis, and are likely to significantly impact the calculation of any fine. These include the behaviour of the controller following a breach and its track record. The financial means of the controller and economic impact on it and the wider sector will also be relevant.
Organisations should also be aware that a fine from the ICO, and the adverse publicity that comes with it, may not be the only consequence of non-compliance. It is possible that data breach claims may also be issued by individuals against them, incurring significant time and costs.
Our message
- It is important to have in place policies and procedures which accurately reflect how organisations are controlling and processing data. This starts with a data map.
- Technical and organisational measures should be appropriate for the organisation and ensure compliance with its policies.
- Organisations should always react promptly if there is a change in the way data is handled or in the event of a breach.
What is necessary for each organisation will be subject to its size; the nature of its activity; and the amount and type of data processed. We recommend that organisations keep their data maps and policies under review and take advice if anything they are doing changes.
If you require advice on getting your policies and procedures in order, or in dealing with a data breach, please contact our specialist data protection team to assist.
Listen to our podcast
Listen to Fran and Charley discuss the TikTok fine on our Legal Thinking Podcast.
In this episode, we discuss the recent TikTok fine and its wider implications for businesses. We explain how the UK Information Commissioner’s Office determined the fine amount for TikTok’s data privacy violation and the potential legal consequences for businesses that violate data privacy laws. We’ll also dive into the specific laws and regulations around collecting data from children, and how businesses can ensure compliance.