The U.K.’s privacy regulator, the Information Commissioner’s Office, may fine TikTok Inc. 27 million pounds or $28.9 million over its data collection practices.
The ICO announced the development today. It has also issued a document known as a notice of intent to TikTok and its U.K. subsidiary, TikTok Information Technologies UK Ltd. The notice of intent frequently precedes a fine, but it’s not yet certain that the ICO will decide to issue the potential $29 million penalty.
The ICO’s decision to raise the prospect of a fine follows an investigation into the way TikTok processes children’s data. The regulator determined that, between May 2018 and July 2020, the company may have processed the data of children under the age of 13 in breach of the U.K.’s data protection law.
As part of its investigation, the ICO reached the provisional view that TikTok may have processed the data of children without appropriate parental consent. ICO officials also believe it may have processed special category data, a legal term that encompasses multiple types of sensitive user data, without “legal grounds to do so.”
The third preliminary conclusion of the ICO’s investigation focuses on the way TikTok discloses its information collection practices to users. According to the ICO, the company “failed to provide proper information to its users in a concise, transparent and easily understood way.”
“We all want children to be able to learn and experience the digital world, but with proper data privacy protections,” said Information Commissioner John Edwards. “Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement.”
The ICO’s findings are not final. TikTok can provide feedback about the investigation within 30 days and, based on the company’s input, ICO officials will determine whether or not to issue the potential $29 million fine. The regulator may also decide to reduce the size of the fine.
“While we respect the ICO’s role in safeguarding privacy in the UK, we disagree with the preliminary views expressed and intend to formally respond to the ICO in due course,” a TikTok spokesperson told CNBC in a statement.
Companies that are found to breach the U.K.’s data protection laws can be fined up to 17.5 million pounds, the equivalent of $18.7 million, or 4% of their global annual revenue, whichever is higher. The ICO can also order companies to change business practices that fail to meet data protection requirements.
Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.