TikTok Hit with €345 Million Fine in Europe for Child Privacy Violations

TikTok, the wildly popular short-form video app, has been hit with a massive €345 million ($368 million) fine by the Irish Data Protection Commission (DPC) for failing to adequately protect children’s privacy on its platform. This landmark decision represents a significant moment in the ongoing battle to safeguard the personal information and online safety of young users. The DPC’s investigation revealed serious shortcomings in TikTok’s privacy practices, raising concerns about default settings, parental controls, and the use of “dark patterns” to collect user data.

Default Settings and Privacy Risks

One of the primary concerns addressed by the DPC’s investigation was TikTok’s default settings, which, during the latter half of 2020, failed to provide adequate protection for children’s accounts. Notably, the default setting for newly-created children’s profiles was set to “public,” meaning that anyone on the internet could view their content. This setting posed a significant risk to the privacy and safety of young users, as it made their personal information readily accessible to a global audience without their explicit consent.

Furthermore, TikTok was found to have inadequately disclosed these privacy risks to its young users. This lack of transparency regarding data collection and privacy settings left children and their parents unaware of the potential risks associated with using the platform.

Use of “Dark Patterns”

The DPC also highlighted TikTok’s use of “dark patterns” to encourage users to share more of their personal information. “Dark patterns” refer to design choices that manipulate or deceive users into taking specific actions, often without their full understanding or consent. TikTok’s utilization of such tactics to collect user data raises serious ethical and legal concerns, particularly when it comes to children who may be less equipped to recognize and resist these strategies.

Family Pairing and Weak Privacy Safeguards

Another critical issue identified by the DPC was TikTok’s parental control feature known as Family Pairing. This feature was designed to allow adults to link their accounts with those of their children, offering options to manage screen time, restrict unwanted content, and limit direct messaging to children. However, the DPC found that this feature did not adequately verify the relationship between the adult and the child, potentially allowing unauthorized adults to weaken a child’s privacy safeguards.

TikTok’s Response

In response to the DPC’s decision, TikTok issued a blog post expressing its respectful disagreement with several aspects of the ruling. TikTok’s European privacy chief, Elaine Fox, pointed out that many of the criticisms raised by the DPC had already been addressed through measures implemented at the beginning of 2021. These measures included making existing and new accounts private by default for users aged 13 to 15. Additionally, TikTok announced plans to roll out a redesigned account registration flow for new users aged 16 and 17, also defaulting to private settings.

While TikTok did not explicitly state that Family Pairing would now verify an adult’s relationship to the child, the company claimed that the feature had been continually strengthened with new options and tools. TikTok also emphasized that none of the regulator’s findings concluded that its age verification measures violated EU privacy law.