TikTok incentivised millions of children to “skip” private settings on its video-sharing app, according to a damning report that found adults using public settings could enable direct messages for certain teenagers with whom they had no family connection.
As Ireland’s data protection commissioner (DPC) Helen Dixon imposed a €345 million fine on the Chinese-owned company for multiple breaches of children’s privacy, a report stated TikTok used language that seemed “to trivialise the decision to opt for a private account” in favour of public settings.
TikTok was also found to have used “vague and opaque” language when failing to inform children that public-by-default processing meant “an indefinite audience, including non-registered users, would be able to view their personal data”.
The case against the social media giant showed how the “family pairing” feature on TikTok’s app could link children’s accounts to “unverified” adults who were not their parents or guardians.
“The decision further details that non-child users had the power to enable direct messages for child users above the age of 16, thereby making this feature less strict for the child user,” said Ms Dixon’s office.
She has sweeping powers under Europe’s general data protection regulation (GDPR) to supervise the pan-European operations of large tech groups such as TikTok that have their EU headquarters in Ireland.
In findings endorsed by the Brussels-based European Data Protection Board, TikTok was reprimanded for eight breaches of EU data law in relation to teenagers and criticised for failing to protect pre-teens.
Even though TikTok requires all users to be aged 13 and above, the report cited a “particularly high number of users” below that age and said pre-teens entering ages above 13, 16 or 18 gained access to app settings for such ages.
Rapid growth
The company “did not properly take into account” the risks posed to pre-teens who gained access by the default account setting, allowing anyone on or off TikTok to view content they posted.
TikTok has grown rapidly after the three-minute limit on viral dance videos, comedy skits and lip-sync routines proved a worldwide hit. But in a case highlighting “risks” to young TikTok users, Ms Dixon examined how children signed up “in such a manner that their accounts were set to public-by-default” on the app.
The ruling met a frosty response from TikTok. “We respectfully disagree with the decision, particularly the level of the fine imposed,” said the company. “The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under-16 accounts to private by default.”
Anu Talus, chairwoman of the European board, said: “Social media companies have a responsibility to avoid presenting choices to users, especially children, in an unfair manner — particularly if that presentation can nudge people into making decisions that violate their privacy interests. Options related to privacy should be provided in an objective and neutral way, avoiding any kind of deceptive or manipulative language or design.”
After resistance from Italian and German regulators, the TikTok sanction was settled only after a dispute in the Brussels board. The settlement increased the number of GDPR violations from seven to eight but objecting regulators failed to force an increase in the fine Ms Dixon proposed.
Alex Cooney, chief executive of the lobby group CyberSafeKids, said TikTok must do “much more” to tackle underage use. “Our most recent data shows that 37 per cent of eight- to 12-year-olds are using TikTok, so the platform’s failings represent a clear danger to a large number of Irish children.”