5Rights welcomes ICO action to enforce children’s data protection

5Rights on Tuesday welcomed the news that the UK Information Commissioner’s Office (ICO) is considering enforcement action against TikTok for failing to protect children’s privacy. This is an important milestone in the enforcement of children’s data protection.

Should the Notice of Intent result in the envisaged fine, it would be the most significant penalty issued by the UK data regulator to date for violation of children’s data rights.

“This is clear proof that tech can be held accountable for the safety and privacy of children, said 5Rights Chair Beeban Kidron in reaction to the news. “The end goal should be that companies use their creativity and innovation to comply with privacy legislation, including the Age Appropriate Design Code, rather than make the regulator chase them retrospectively. But today we have seen the ICO take a stand for children and I applaud it.”

The period under investigation predates the introduction of more stringent rules for children’s data protection under the Age Appropriate Design Code, with the ICO finding TikTok is already in breach of more general requirements for the protection of children’s data codified in the Data Protection Act (UK GDPR), which mirrors EU data protection law.

Two of the allegations relate to data processing of children under 13 using the platform and special category data of all users. It is widely known that TikTok processes huge amounts of data about those who use its service and has large number of users who are under 13, despite its minimum age requirements. The question is whether or not TikTok is processing this data lawfully with a legitimate legal basis, namely parental or legal guardian consent. The other allegation relates to the fact that TikTok ‘failed to provide proper information to its users in a concise, transparent and easily understood way.’ 

The announcement revealed that the ICO issued a ‘Notice of Intent’ to TikTok, but does not confirm the ICO’s final decision on whether or not TikTok has breached data protection law in the UK, or if the company will receive a fine. The issuance of a Notice of Intent is not however the beginning of the ICO’s investigation but very much the start of the conclusion of their work. The Notice of Intent is intended to give TikTok formal notice of an impending fine, together with an opportunity to make representations to refute any findings. 

While the alleged violations are not technically difficult to verify and TikTok has had ample opportunity to provide evidence to the ICO, the company has expressed disagreement with the terms of the Notice and said it intends to formally respond.

The ICO announcement comes as pressure increases globally for companies to respect children’s privacy. 

On 15 September the Irish Data Protection Commission issued a record fine against Meta for abuses of children’s data protection rights on Instagram. Ireland’s guidelines for the implementation of children’s rights under the EU General Data Protection Regulation – the “Fundamentals” closely mirror the requirements of the AADC. 

The news also comes only ten days after the Governor of California signed the Californian Age Appropriate Design Code – modelled on the UK code – into law. The success of the Californian bill was in no small part thanks to the demonstrated ability of companies to comply with the AADC in the UK, and raises hopes that the Code will set the basis for an enforceable global standard for children’s data protection.

Marking the one year anniversary of the AADC on 01 September the ICO announced that it was conducting ongoing investigations into four companies for breaches of the Code. More specific infringement notices are therefore expected shortly, but we hope the next news we welcome will be of positive changes – from TikTok and others – to make their services safer for children.