In October, the Information Commissioner’s Office (ICO) issued the ever-popular app ‘TikTok’ with a notice of intent issuing a potential fine of £27 million after the ICO launched an investigation into the company’s failure to protect children’s privacy while using the app.

The notice of intent set out the ICO’s provisional view that TikTok breached UK data protection legislation between May 2018 and July 2020.

ICO investigation into TikTok data processing

The ICO’s investigation found that they may have processed the personal data of children under the age of 13 without appropriate parental consent, failed to provide proper information to its users in a concise, transparent and easily understood way, and processed special category data without a legal ground(s) to do so.

According to Ofcom, 44% of 8 to 12-year-olds in the UK use TikTok, despite its policies forbidding under-13s on the platform.

Since receiving the notice of intent, TikTok launched a televised advert promoting the use of parental controls as part of their new safety features.

The new features allow parents and carers to link their child’s account to their own to give parents and carers more control over what their child is exposed to.

Parents and carers will also be able to control the amount of screen time allowed on the app each day, limit who can send direct messages and restrict the content appearing in the feed of their child’s account.

How should online services process children’s data?

Online services need to follow a set of standards when using children’s personal data. These standards are set out in the ICO’s ‘Children’s Code’ which can be found here.

Websites and products affected by the code need to provide additional mechanisms to protect children’s personal data. Some of the suggested mechanisms in the code include:

  • privacy settings being automatically set to ‘very high’;
  • children and their parents/carers being given more control of the privacy settings;
  • non-essential location tracking being switched off;
  • children no longer being ‘nudged’ by sites through notifications to lower their privacy settings; and
  • clearer and more accessible tools being in place to help children exercise their data protection rights (including parental consent tools).

These changes should result in a more positive experience for children online.

For example, not having location tracking on may reduce unwanted friend recommendations from people that your child doesn’t know. It should also mean that people your child isn’t friends with shouldn’t be able to see their profile.

Further to the ICO’s notice of intent, Commission national de l’informatique ed des libertes (CNIL) in France fined TikTok UK and TikTok Ireland €5 million for failing to comply with its obligations as a data controller under the French Data Protection Act.

Rather than having a “reject all” button for the use of cookies, TikTok created several buttons before its users could reject all cookies used causing annoyance to its users and encouraging them to select the single “accept” button for ease.

Data protection advice

Our data protection team can support with bespoke advice about specific types of policies and procedures to assist in dealing with data protection and processing.

If you have any queries, please do not hesitate in contacting us.

Get in touch with Alex Craig using or 0191 211 7911.