TikTok was fined €345m for breaching EU data laws in its handling of child accounts, including not shielding underage users' content from public view.
The Irish data watchdog, which regulates TikTok across the EU, said the Chinese-owned video app had committed multiple breaches of GDPR rules.
The regulator found that TikTok violated GDPR by putting child users' accounts on a public setting; failing to provide transparent information to child users; allowing an adult to access a child's account on the 'family pairing' setting to enable direct messaging for over-16s; and not accurately taking into account the risks posed to under-13s on the platform who were placed on a public setting.
The regulator also found that the 'family pairing' scheme, which gives an adult control over a child's account settings, did not check whether the adult paired with the child user was a parent or guardian.
The DPC ruled that TikTok, which has a minimum user age of 13, did not properly take into account the risk posed to underage users who gained access to the platform. The public-setting-by-default process allowed anyone to 'view social media content posted by those users'.
The Duet and Stitch features, which allow users to combine content with other TikTokers, were also enabled by default for under-17s. The DPC's report found that there was no breach of GDPR in terms of TikTok's methods for verifying users' ages.
The decision comes after TikTok was fined $12.7m by the UK data regulator for processing the data of 1.4 million children under 13 who were using its platform without parental consent. The information commissioner said TikTok had done very little, if anything, to check who was using the platform.
TikTok said the investigation looked at the company's privacy setup between July 31 and December 31, 2020, and said it had addressed the problems raised by the inquiry. All TikTok accounts for 13-to-15-year-olds have been set to private, meaning only people approved by the account holder can view their content.
The DPC also acknowledged that it had been overruled by the European Data Protection Board, a group of EU member states' data and privacy authorities, on some aspects of its decision. The German government is obligated to include a proposed finding by the German government that the use of 'dark patterns', the term for deceptive website and app designs that steer users into certain behaviours or into making particular choices, breached a GDPR provision on fair processing of personal data.