Pierluigi Paganini
September 16, 2023
The Irish Data Protection Commission (DPC) fined TikTok €345 million for violating children’s privacy. The Irish data regulators discovered that the popular video-sharing app allowed adults to send direct messages to certain teenagers who have no family connection with them.
The investigation conducted by the DPC revealed that a severe flaw in TikTok’s “family pairing” feature that could be abused to link children’s accounts to “unverified” adults.
Children under 13 are exposed to serious risks due to the default account setting that allows anyone to view the content they publish.
“The decision further details that non-child users had the power to enable direct messages for child users above the age of 16, thereby making this feature less strict for the child user,” explained the officer of DPC Helen Dixon, as reported by the Irish Times. “This also meant that, for example, videos that were posted to child users’ accounts were public by default, comments were enabled publicly by default, the Duet and Stitch features were enabled by default.”
TikTok is also accused of lacking adequate transparency when dealing with the way it processes data of its young users.
The DPC also criticized the processes behind the TikTok registration and the publishing of videos, which according to the Irish authority were designed to drive the users toward selecting options that exposed their privacy to risks.
“In the Registration Pop-Up, children were nudged to opt for a public account by choosing the right-side button labelled “Skip”, which would then have a cascading effect on the child’s privacy on the platform, for example by making comments on video content created by children accessible.” states the EU Edpb.
“In the Video Posting Pop-Up, children were nudged to click on “Post Now”, presented in a bold, darker text located on the right side, rather than on the lighter button to “cancel”. Users who wished to make their post private first needed to select “cancel” and then look for the privacy settings in order to switch to a “private account”. Therefore, users were encouraged to opt for public-by-default settings, with TikTok making it harder for them to make choices that favoured the protection of their personal data.”
The DPC issued an order requiring the platform to make its processing compliant with EU directives within three months from the date on which the DPC’s decision is notified to the company (September 1, 2023).
TikTok was disappointed by this decision
“We respectfully disagree with the decision, particularly the level of the fine imposed,” reads a statement issued by the company on Friday. “The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under-16 accounts to private by default.”
The company is evaluating whether it would appeal the DPC ruling in the High Court.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, privacy)
