The Data Protection Commission (DPC) has fined social-media platform TikTok €345 million for breaches of GDPR privacy rules linked to the processing of children’s personal data.
After its investigation, the DPC had submitted a draft decision to other national regulators, two of which raised objections.
As no consensus could be reached, the European Data Protection Board (EDPB) stepped in to make a binding determination, the results of which are included in the final decision published today (15 September).
The DPC found that profile settings for TikTok’s child-user accounts were set to ‘public’ by default, meaning that anyone could view content posted by a child user.
It also found that a ‘Family Pairing’ setting allowed a non-child user, who could not be verified as a parent or guardian, to pair their account to that of a child user.
The watchdog also ruled that TikTok failed to provide sufficient transparency information to child users.
The EDPB also added a finding of infringement linked to ‘dark patterns’, agreeing with an objection made by Berlin’s data watchdog that TikTok nudged users towards choosing more privacy-intrusive options during the registration process.
As well as the fine, the DPC has reprimanded TikTok, and ordered the firm to bring its data-processing into compliance with GDPR rules within three months.