- The Information Commissioner's Office said it has provisionally found that TikTok breached U.K. data protection law between May 2018 and July 2020.
- TikTok may have processed the data of children under 13 without parental consent and failed to present information to its users in a way that's easy to understand, the regulator said.
- The ICO noted that its findings are "provisional" and not final.
- TikTok now has 30 days to come up with a response.
LONDON — TikTok may face a £27 million ($29 million) fine in the U.K. after privacy regulators found failings in the company's handling of children's data.
The Information Commissioner's Office issued TikTok a "notice of intent" informing the Chinese-owned video app of its "provisional view that TikTok breached UK data protection law between May 2018 and July 2020." It follows an investigation into the company that began in 2019.
According to the ICO, TikTok may have processed the data of children under the age of 13 without parental consent, failed to present information to its users in a way that's easy to understand, and processed "special category data" — such as information on a person's race or ethnicity — without legal grounds.
We're making it easier for you to find stories that matter with our new newsletter — The 4Front. Sign up here and get news that is important for you to your inbox.
"We all want children to be able to learn and experience the digital world, but with proper data privacy protections," Information Commissioner John Edwards said in a statement Monday.
"Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement."
The ICO noted that its findings are "provisional" and that "no conclusion should be drawn at this stage that there has, in fact, been any breach of data protection law or that a financial penalty will ultimately be imposed." The ICO can issue a maximum fine amounting to 4% of TikTok's annual global revenues under the EU's GDPR, which is still enshrined in U.K. law.
TikTok now has 30 days to come up with a response to the decision. If company officials make a convincing enough case defending its handling of children's data, the ICO may reduce the size of the penalty, or refrain from imposing a fine altogether.
In a statement to CNBC, a TikTok spokesperson said the company disagrees with the ICO's provisional fine and plans to make a formal response.
"While we respect the ICO's role in safeguarding privacy in the UK, we disagree with the preliminary views expressed and intend to formally respond to the ICO in due course," the TikTok spokesperson said.
The ICO said it is looking into 50 different online platforms' handling of children's data overall, and has six active investigations into companies "who haven't, in our initial view, taken their responsibilities around child safety seriously enough."
TikTok is highly popular with teens, who post everything from dancing videos to educational clips about the war in Ukraine. The platform, owned by Beijing-based internet giant ByteDance, is now used by over 1 billion people worldwide every month.
Last year, the Netherlands' Data Protection Authority handed TikTok a 750,000 euro ($723,371) fine for violating the privacy of young children and failing to offer its information in Dutch. TikTok is appealing the fine.
For years, TikTok had largely skirted the attention of regulators, with much of the focus reserved for American firms like Facebook and Google. However, the company — now a force to be reckoned with in the battle for eyeballs online — is being subjected to heightened political scrutiny.
Western officials are worried the platform may be providing a backdoor to Beijing allowing it to snoop on non-Chinese users. Before his tumultuous tenure as U.S. leader came to an end, former President Donald Trump had tried to force TikTok to divest its U.S. division.