The Chinese-owned short-video platform, which has grown rapidly among teenagers around the world in recent years, breached a number of EU privacy laws between July 31, 2020, and December 31, 2020, Ireland’s Data Protection Commissioner (DPC) said in a statement on Friday.
It is the first time ByteDance-owned TikTok has been reprimanded by the DPC, the lead privacy regulator for Big Tech companies whose European headquarters are largely in Dublin.
The DPC’s investigation found that the sign-up process for teen users resulted in settings that made their accounts public by default, allowing anyone to view and comment on their videos.
Those default settings also posed a risk to children under 13 who gained access to the platform even though they were not allowed to use it.
Also, a “family pairing” feature designed for parents to manage settings was not strict enough, allowing adults to turn on direct messaging for users aged 16 and 17 without their consent. The platform also nudged teen users into more “privacy intrusive” options when signing up and posting videos, the watchdog said.
A spokesperson for TikTok said it disagreed with the decision, particularly the size of the fine, and that most of the criticisms are no longer relevant as a result of measures it introduced before the DPC’s probe began in September 2021.
“Most of the decision’s criticisms are no longer relevant as a result of measures we introduced at the start of 2021 — several months before the investigation began,” TikTok’s head of privacy for Europe, Elaine Fox, wrote in a blog post.
TikTok added tougher parental controls to family pairing in November 2020 and changed the default setting for all registered users under the age of 16 to “private” in January 2021.
TikTok said on Friday it plans to further update its privacy materials to make the differences between public and private accounts clearer and that a private account will be preselected for new users aged 16 or 17 when they register for the app from later this month.
The DPC gave TikTok three months to bring all its processing into compliance where infringements were found.
The regulator is still carrying out a second investigation into whether TikTok complied with the EU’s General Data Protection Regulation when it transferred users’ personal information to China, where its owner, ByteDance, is based.
TikTok has faced accusations that it poses a security risk over fears that users’ sensitive information could end up in China. It has embarked on a project to localise European user data to address those concerns, opening a data centre in Dublin this month, which will be the first of three on the continent.
Instagram, WhatsApp and their owner Meta are among other tech giants that have been hit with big fines by the Irish regulator over the past year.