European authorities have taken action against social media giants Twitter and TikTok for violating General Data Protection Regulation (GDPR) rules concerning the processing of personal data belonging to younger users. The Irish Data Protection Commission, as the regulating body in the jurisdiction where TikTok is headquartered and its first data center is located, conducted an extensive investigation into TikTok’s privacy protection practices for users aged 13 to 17 between July 31 and December 31, 2020.
As a result of this investigation, the Irish Data Protection Commission has imposed a hefty €345 million ($368 million) fine on Twitter. The regulators found that Twitter had failed to comply with GDPR rules in its handling of personal data for younger users.
Specifically, the regulator’s investigation into TikTok unveiled several significant privacy violations:
- Default Public Profiles: TikTok was found to set child users’ profiles to public by default. This meant that their personal information was readily accessible to anyone, especially since the videos they posted were also set to public by default, allowing unrestricted comments.
- Lack of Opt-in for Duet and Stitch Features: TikTok did not require users in the 13 to 17 age group to opt in for features like Duet and Stitch, which allowed anyone to use parts of their videos to create new content.
- Pairing Child and Adult Accounts: TikTok allowed child users’ accounts to be paired with those of adult users without adequately verifying whether the adult was their parent or guardian. This pairing also allowed the adult user to enable direct messaging for both accounts, a feature that should not have been available to underage users.
The UK Information Commissioner’s Office (ICO) had fined TikTok £12.7 million ($15.75 million) earlier in the year for misusing children’s data. The penalty resulted from TikTok allowing 1.4 million UK children to sign up for the platform even though they were under the age of 13.
While the Irish Data Protection Commission did not establish whether TikTok had violated GDPR rules concerning users under 13, it did find that TikTok had failed to implement adequate measures to prevent users of all ages, including children aged 12 and below, from accessing content on its platform.
These fines and regulatory actions underscore the growing scrutiny and accountability faced by social media platforms in Europe regarding their handling of user data, especially when it comes to younger users and their privacy protection.
Twitter and TikTok have not yet released official statements in response to these fines and findings.