Privacy watchdogs in Europe have fined TikTok €345 million ($368 million) after finding that the social platform infringed the GDPR when processing children’s data.
The European Data Protection Board (EDPB) analyzed the design practices implemented by TikTok in the context of two pop-up notifications shown to children aged 13 to 17 – namely the Registration pop-up and the Video Posting pop-up.
The board, working alongside supervisory authorities, found both pop-ups failed to present options to the user in an objective and neutral way.
During the Registration step, children were “nudged” to opt for a public account by choosing the right-side button labeled Skip, according to the EDPB, “which would then have a cascading effect on the child’s privacy on the platform, for example by making comments on video content created by children accessible.”
When prompted to select Posting settings, children were again “nudged” to opt for ‘Post Now,’ which was “presented in a bold, darker text located on the right side, rather than on the lighter button to ‘cancel,’” the board notes.
“Users who wished to make their post private first needed to select ‘cancel’ and then look for the privacy settings in order to switch to a ‘private account,’” according to the press release. “Therefore, users were encouraged to opt for public-by-default settings, with TikTok making it harder for them to make choices that favoured the protection of their personal data.”
The watchdog also notes that the consequences of opting for either path were unclear, whereas social media platforms should not make it difficult for their users to adjust privacy settings.
As a result of these practices, the board found TikTok infringed the principle of fairness under the GDPR. The EDPB also expressed serious doubts regarding the effectiveness of TikTok’s age verification measures.
In light of these findings, Europe’s Data Protection Commission issued TikTok an administrative fine of €345 million, a reprimand, as well as an order to bring its data processing practices into compliance in the next three months.
This is not TikTok’s first run-in with European data protection bodies. At the start of the year, France’s CNIL fined the social network €5 million for making it hard to reject cookies, and for not offering sufficiently precise explanations of the purpose of different cookies.
In June, the US Department of Defense (DoD), General Services Administration (GSA), and NASA banned the presence of TikTok (and other apps developed by TikTok's Chinese owner ByteDance) on employee devices.