TikTok faces a £27 million fine ($29 million ... for the moment, at least) following a British government investigation that found the Chinese media giant may have breached UK data protection laws and failed to protect children's privacy.
The UK's Information Commissioner's Office (ICO) on Monday said it issued a notice of intent to TikTok and its TikTok Information Technologies UK entity alleging the internet goliath breached British rules between May 2018 and July 2020. A notice of intent precedes a potential fine from the regulator.
If the ICO does penalize TikTok, however, the $29 million penalty will likely be considered a mere administrative cost by the tech giant, which reportedly generates billions in revenue a year.
TikTok did not immediately respond to The Register's request for comment.
According to the watchdog's investigation, TikTok may have processed the data of children under 13 without parental consent, and used "special category" data without legal grounds to do so. This information includes ethnic and racial origin, political opinions, religious beliefs, sexual orientation, genetic and biometric data or health data.
Additionally, TikTok didn't provide information to users in a "concise, transparent and easily understood way," the regulator said.
"We all want children to be able to learn and experience the digital world, but with proper data privacy protections," Information Commissioner John Edwards said in a statement. "Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement."
Edwards also indicated the ICO plans to take enforcement action against other companies.
"We are currently looking into how over 50 different online services are conforming with the Children's Code and have six ongoing investigations looking into companies providing digital services who haven't, in our initial view, taken their responsibilities around child safety seriously enough," he added.
- Privacy watchdog steps up fight against Europol's hoarding of personal data
- TikTok: Yes, some staff in China can access US data
- Instagram fined in Ireland for violating children's privacy
- California Governor signs child privacy law requiring online age checks
The UK "Children's Code," also known as the age-appropriate design code, aims to create a safer internet for the children by enforcing 15 standards that apps and online services need to follow. It specifically targets Big Tech names including Meta, YouTube, and TikTok, and is applied to any companies, including those outside the UK, that process personal data of British kids.
It's worth noting that California's new child privacy law was modeled after the UK's version.
Carr's TikTok as national security threat tour goes to Europe
The ICO's notice of intent comes as FCC Commissioner Brendan Carr over in America called TikTok a "national security threat" during a technology forum in Brussels with EU lawmakers.
"Far from just another app for sharing funny videos or memes — that's just the sheep's clothing — TikTok functions as a sophisticated surveillance tool that harvests extensive amounts of personal and sensitive data," he claimed in prepared remarks [PDF] to European politicians in Belgium.
"And recent reporting indicates that there is no check on this sensitive data being accessed from inside China."
Carr, a Republican appointee to the Federal Communications Commission and staunch opponent of the Chinese tech firm, over the summer asked Apple CEO Tim Cook and Google CEO Sundar Pichai to remove the TikTok app from the iOS App Store and Google Play.
Carr's letter to the two CEOs cited past reports about TikTok as evidence that the TikTok app presently violates App Store and Google Play policies. Accounts of TikTok's data harvesting range from no worse than Facebook, to yes, OK, staff in China can access Americans' data. ®