The social media company TikTok was cautioned by the U.K.'s data protection authority that failure to secure children's data might result in a fine of 27 million pounds (U.S. $29 million).
The firm may have violated the U.K.'s General Data Protection Regulation (GDPR) regarding privacy safeguards for youngsters using TikTok between May 2018 and July 2020, according to an inquiry launched by the Information Commissioner's Office (ICO) in 2019, the regulator said on Monday.
The ICO delivered a "notice of intent"—a preliminary warning—to TikTok's parent firm and U.K. subsidiary, notifying them that it suspects the site may have processed the data of children under the age of 13 without proper parental consent and failed to give users clear, understandable information.
The ICO is also of the opinion that TikTok processed "special category data"—sensitive personal information on racial and ethnic origin, sexual orientation, political beliefs, and health information—without having a valid legal basis to do so.
TikTok has the opportunity to make submissions before the regulator makes a final judgment, which might happen at any time in the next six months.
TikTok said that, as the ICO itself has stated, no firm conclusions can be drawn at this time. "This notice of intent is provisional," it added. "While we respect the ICO’s role in safeguarding privacy in the U.K., we disagree with the preliminary views expressed and intend to formally respond to the ICO in due course."
The ICO has been at the forefront of efforts to protect children's internet privacy and stop children from being harmed online.
It released its Children's Code in 2020 as a best practices manual for businesses that offer online services that kids are likely to access, such as apps, online games, websites and social media platforms. The code is meant to help them better understand how to minimize data collection, retention, and sharing while maximizing privacy and transparency.
The ICO is investigating the compliance of more than 50 different internet services with the rules. According to Information Commissioner John Edwards, it is now looking into six businesses that, in the regulator's initial view, have not taken their obligations to ensure the protection of children seriously enough.
The Irish Data Protection Commission imposed a record fine of 405 million euros ($405 million) on Instagram earlier this month for violating the EU's GDPR by failing to protect the privacy of its young users' data.
In the past, making arguments to the ICO to reduce originally proposed fines has resulted in favorable final GDPR judgments in the U.K.
The finalized fines against British Airways and the hotel giant Marriott International in October 2020 were much lower than their original amounts—each by more than 80%—in part because of the Covid-19 pandemic's impact. The planned penalty for facial image aggregator Clearview AI was reduced by more than half in May, from £17 million (then $22.6 million US) to around £7.5 million (then $9.4 million US).
After Pharmacy Doorstep Dispensaree successfully argued that the penalty for a data breach was excessively large because the ICO had overstated the number of persons who would have been at risk, the tribunal judge reduced the fine by about two-thirds.
By fLEXI tEAM