The popular social media platform TikTok has been ordered to overhaul its design practices concerning minors, following a binding decision by the European Data Protection Board (EDPB). The board found that TikTok violated the General Data Protection Regulation (GDPR) principle of fairness when processing the personal data of children aged between 13 and 17.
The EDPB’s decision, issued on 2nd August 2023, scrutinized TikTok’s activities between 31st July and 31st December 2020. The board emphasized that social media companies must present choices to users, especially children, fairly, avoiding any manipulative language or design that could nudge them into making decisions compromising their privacy.
Anu Talus, EDPB Chair, remarked, “Digital players need to be extra cautious and implement necessary measures to protect children’s data rights. The presentation of options related to privacy should be objective and neutral, steering clear of any deceptive language or design.”
Unfair Nudging Tactics
The EDPB analyzed two pop-up notifications displayed to children aged 13-17 on TikTok: the Registration Pop-Up and the Video Posting Pop-Up. The board found that both notifications failed to present options objectively and neutrally, nudging children towards choices that violated their privacy interests.
In the Registration Pop-Up, children were subtly encouraged to opt for a public account, which could potentially expose their content to a wider audience, thereby compromising their privacy. Similarly, the Video Posting Pop-Up nudged children to post content publicly by default, making it more challenging for them to choose privacy-protective settings.
Doubts Over Age Verification Measures
The EDPB also raised serious concerns regarding the effectiveness of TikTok’s age verification measures implemented between July and December 2020. The board noted that the age gate deployed by TikTok could be easily bypassed, and the measures applied post-access were not sufficiently systematic, putting many children at risk.
Despite the lack of conclusive evidence to assess TikTok’s compliance with GDPR during this period, the EDPB urged the Irish Data Protection Authority (IE DPA) to reflect the serious doubts about the effectiveness of TikTok’s measures in its final decision.
A Hefty Fine
As a result of these infringements, the IE DPA has imposed a fine of €345 million on TikTok, alongside a compliance order and a reprimand. The final decision, which incorporates the legal assessments expressed by the EDPB, was adopted following a dispute resolution procedure triggered by objections raised by several concerned supervisory authorities.
The EDPB’s decision marks a significant step in holding digital platforms accountable for protecting the data rights of minors, emphasizing the necessity for transparent and fair design practices.
For further details, the final decision by the IE DPA can be accessed in the Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.