TikTok May Have Illegally Used Kids’ Data: UK Privacy Regulator

The UK’s privacy regulator, the Information Commissioner’s Office (ICO), has today served TikTok with notice that it believes the app may have breached UK data protection law, including processing the data of children under the age of 13 without parental consent.

The ICO, which has the power to censure and fine companies for up to four percent of their annual global turnover, has issued TikTok’s UK arm a notice of intent – which is a legal document that comes before the regulator decides whether to levy a fine. TikTok could be hit with a £27 million ($29.3 million) penalty should the ICO’s hunch be found to be true.

The ICO has reason to believe that TikTok may have collected and processed underage users’ data between May 2018 and July 2020, the agency said Monday. TikTok may have likewise failed to provide users with proper information about how their data would be processed alongside unnecessarily processing what’s called “special category data,” including people’s ethnic and racial origin, political opinions, religious beliefs, sexual orientation, trade union membership, genetic and biometric data or health data.

“We all want children to be able to learn and experience the digital world, but with proper data privacy protections,” says John Edwards, the UK Information Commissioner, who took up his role in January 2022. “Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement.”

The notice of intent is one of a number of measures that the ICO is taking against tech companies, with six ongoing investigations into companies that the regulator believes have not done enough to protect children’s privacy.

However, the ICO has been careful in its wording to say that it’s only potentially willing to fine TikTok – and make pains to say that the issuance of a notice of intent means that any discoveries it’s made about how TikTok handles kids’ data is provisional. The company adds that “no conclusion should be drawn at this stage that there has, in fact, been any breach of data protection law or that a financial penalty will ultimately be imposed.”

TikTok declined to share information about the contents of the notice of intent with Gizmodo, citing its confidentiality. A spokesperson tells Gizmodo: “This Notice of Intent, covering the period May 2018 – July 2020, is provisional and as the ICO itself has stated, no final conclusions can be drawn at this time. While we respect the ICO’s role in safeguarding privacy in the UK, we disagree with the preliminary views expressed and intend to formally respond to the ICO in due course.”

TikTok’s userbase is very broad, and is known to include children under the age of 13. A March 2022 investigation by Ofcom, the UK’s media regulator, found that more than one in eight UK kids aged three and four view content on TikTok, while one-third of those aged five to seven do.

Despite this, TikTok has frequently denied it has any users under the age of 13. Internal documentation, obtained by Gizmodo and dating back to the time that the ICO believes TikTok may have breached children’s privacy rules, advises employees in the company’s PR department to say that “The app is only for users aged 13 and over, according to our terms and conditions. Therefore, in relation to our users, we may speak of young people, but not of children.”

Baroness Beeban Kidron, Founder of 5Rights Foundation and architect of the UK’s Age-Appropriate Design Code, a list of 15 guidelines that online services should follow in order to best protect children that use their apps, says she welcomes the news that the ICO is considering taking enforcement action against TikTok.

“This is clear proof that tech can be held accountable for the safety and privacy of children,” she says. “The end goal should be that companies use their creativity and innovation to comply with privacy legislation, including the Age Appropriate Design Code, rather than make the regulator chase them retrospectively. But today we have seen the ICO take a stand for children, and I applaud it.”

The reason the ICO is so cagey in not definitively declaring wrongdoing is that it has been down this path before with a big tech company. In mid-2018, the ICO issued Facebook with a similar notice of intent. At the time, the ICO made significant claims about how Facebook had mishandled user data. Facebook appealed against the decision, and took the ICO to court. In the end, both parties settled in October 2019, with Facebook admitting no liability to the ICO about mishandling user data.

“My main thought is that I think it shows poor judgment” on behalf of the ICO, says Tim Turner, a UK-based data protection expert. “The investigation isn’t finished, so announcing it now just to get some PR suggests Edwards and his team are rattled because they’ve not actually done very much in 2022.

“The announcement doesn’t tell us anything concrete,” adds Turner. “We don’t know how big the fine is going to be or even if there’s going to be one. It would be much better to let TikTok have their final say, weigh up whatever that is, and announce a final decision which we can all then assess. As it is, we don’t know what’s in the NOI [notice of intent] or where it’s going.”

If the ICO has found grounds that TikTok mishandled underage users’ data, it could open up the possibility that other regulators elsewhere could take similar action. TikTok is currently subject to two data privacy investigations in Europe, while TikTok settled a case with the US Federal Trade Commission alleging its predecessor app, Musical.ly violated Children’s Online Privacy Protection Act (COPPA). On Monday, The New York Times reported that TikTok and the U.S. government were nearing an agreement that would resolve national security concerns over the app’s transference of data to its Chinese parent company ByteDance. Previously, TikTok advised its public relations teams to “downplay the China association,” as first reported by Gizmodo.

“The ICO might have got to the bottom of something that helps other authorities take action,” says Turner, “but unless they’ve shared it on the quiet, that won’t happen until the conclusion.”