TikTok could face a £27m fine after an ICO investigation found that the company may have breached UK data protection law, failing to protect children’s privacy when using the TikTok platform. The ICO has issued TikTok Inc and TikTok Information Technologies UK Limited (‘TikTok’) with a ‘notice of intent’ – a legal document that precedes a potential fine.

The notice sets out the ICO’s provisional view that TikTok breached UK data protection law between May 2018 and July 2020.

The ICO investigation found the company may have:

• Processed the data of children under the age of 13 without appropriate parental consent;
• Failed to provide proper information to its users in a concise, transparent and easily understood way; and
• Processed special category data, without legal grounds to do so.

Special category data includes ethnic and racial origin, political opinions, religious beliefs, sexual orientation, trade union membership, genetic and biometric data and health data.

Companies can only process special category data if they can meet one or more of ten specific conditions in Article 9 of the GDPR. These conditions are:

1. Explicit consent
2. Employment, social security and social protection
3. Vital interests
4. Not-for-profit bodies
5. Made public by the data subject
6. Legal claims or judicial acts
7. Reasons of substantial public interest
8. Health or social care
9. Public health
10. Archiving, research and statistics

The Commissioner has stressed that its findings in the notice are provisional and no conclusion should be drawn at this stage that there has, in fact, been any breach of data protection law or that a financial penalty will ultimately be imposed. It will carefully consider any representations from TikTok before taking a final decision.

Information Commissioner, John Edwards said:

“We all want children to be able to learn and experience the digital world, but with proper data privacy protections. Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement. I’ve been clear that our work to better protect children online involves working with organisations but will also involve enforcement action where necessary. In addition to this, we are currently looking into how over 50 different online services are conforming with the Children’s code and have six ongoing investigations looking into companies providing digital services who haven’t, in our initial view, taken their responsibilities around child safety seriously enough.”

Companies that breach the UK GDPR and/or the Data Protection Act can be fined up to £17.5m or 4% of the company’s annual global turnover, whichever is higher.