European authorities have found that Twitter had violated General Data Protection Regulation (GDPR) rules when it comes to how it processes its younger users’ personal data. Along with its decision, the regulator has revealed that it has slapped the social network with a €345 million ($368 million) fine. As the regulating body where TikTok is headquartered and where its first data center is located, the Irish Data Protection Commission investigated whether TikTok adhered to its privacy protection obligations for users between 13 and 17 years old between July 31 and December 31, 2020.
The regulator said it found that TikTok set child users’ — or users that fall within the aforementioned age bracket — profiles to public by default. That means their information was easily accessible, especially since the videos they posted were also made public by default and anybody could comment. Further, TikTok didn’t make Duet and Stitch opt in features for their accounts, so anybody could take parts of their videos to create new ones.
In addition, the regulator found that TikTok allowed child users’ accounts to be paired with adult users’, without verifying whether that person is their parent or guardian. It even allowed that adult user to enable direct messaging for both of them, when the feature shouldn’t be available for the underage user.
The UK Information Commissioner’s Office (ICO) fined TikTok £12.7 million ($15.75 million) earlier this year for misusing children’s data, as well. To be exact, it found that the service allowed 1.4 million UK children to sign up even when they were under the age of 13. The Irish Data Protection Commission didn’t establish whether TikTok had violated GDPR rules with regards to letting kids under 13 sign up. However, it did find that TikTok was in violation of GDPR for not implementing the proper measures and allowing anybody, regardless of their age and including kids 12 and below, to view content on its platform.