The Irish privacy regulator, the DPC, issued a fine of €345 million, or $367 million, to TikTok after it breached the European Union’s GDPR regulation.
The DPC determined that TikTok breached more than half a dozen of the rules included in GDPR. Several of the rules with which TikTok failed to comply pertain to children’s privacy. According to DPC officials, TikTok breached GDPR between July 31, 2020, and Dec. 31 of the same year.
The first issue identified is that TikTok had set children’s accounts to public by default. As a result, anyone could view the content posted on those accounts. The DPC found that TikTok’s public-by-default settings breached four different sections of GDPR.
The second issue is TikTok’s use of dark patterns, or interface elements designed to influence user behavior. The DPC says TikTok used such interface elements to increase the chance that users will publicly share content from their accounts.
One dark pattern was found in a pop-up panel that TikTok’s app displayed during the account creation process. It asked users if they wished to make their accounts public. The pop-up panel included a prominently placed “Skip” button that set the user’s account to public when clicked.
Regulators also took issue with a second pop-up panel in TikTok’s interface. It enabled users to configure whether a newly uploaded video should be set to public. The DPC says the button used to make a video public was not only placed in a prominent section of the panel but also featured bold text.
Regulators determined that TikTok had failed to provide children with a clear, plain-language overview of the “scope and consequences of the public-by-default” data processing within its app.
The third reason the DPC issued today’s €345 million fine has to do with a TikTok feature called Family Pairing. The feature allows a child’s account to be linked with an account belonging to a parent or guardian. When Family Pairing is enabled, the parent or guardian can manage some of the child’s account settings.
TikTok failed to verify that the account linked to a child’s account belongs to a parent or guardian. Regulators also flagged that the Family Pairing feature can be used to enable direct messages for users above the age of 16. The above processing posed severe risks to the rights and freedoms of child users.
The DPC issued the initial version of the ruling last September. A few weeks ago, it modified the draft to address feedback submitted by regulators in Germany. This modification introduced the section of the ruling that addresses the dark patterns found in TikTok’s interface.
The U.K.’s privacy regulator fined TikTok £12.7 million in April this year for misusing children’s data. The regulator originally planned to issue a £27 million fine but lowered the sum after receiving additional information from TikTok about its data processing practices.