TikTok Faces Record GDPR Fine Over Minor Privacy and Default Public Profiles


TikTok has faced a major regulatory setback in Europe. The Irish Data Protection Commission (DPC) announced a record penalty against the platform, potentially reaching up to 345 million euros, tied to privacy issues affecting users under the age of 18. The decision centers on how TikTok handled the personal information of minors and how those accounts were configured by default.

The DPC found that, between July and December 2020, TikTok did not sufficiently protect the privacy of users aged 13 to 17. By default, many underage accounts were public, allowing interactions with other users and exposing young creators to broader visibility and potential contact from strangers. This has raised concerns about safety and data protection for adolescents who were using the service.

In addition, the regulator criticized TikTok for permitting minor accounts to be linked with unverified adult accounts. That linkage could enable private messages to be sent to teenagers over 16, creating risks related to unwanted contact and potential exploitation. Authorities noted that similar risks had already been signaled by law enforcement in 2020, including warnings from Spain about misuse of the platform for contacting potential victims.

The decision also states that TikTok breached the General Data Protection Regulation (GDPR) because the company did not provide enough information about the risks involved in allowing users under 13 to access the platform, and because it failed to be transparent with younger users about how their data could be used. This lack of transparency was a key factor in the regulator’s assessment.

Pressure on minors

The DPC warned that TikTok used design practices that encouraged young users to publish their profiles publicly. The regulator described these features as deceptive interfaces that nudged minors toward accepting a public setting as the default. TikTok has been instructed to stop this tactic and to implement changes within three months. If the company does not comply, the DPC reserves the right to pursue further enforcement actions.

The penalty marks one of the largest GDPR fines ever issued to a technology company, underscoring the seriousness with which data protection authorities are approaching the privacy of young users on popular platforms.

TikTok response

TikTok responded to the ruling by stating that it disagrees with the decision and the size of the fine. A spokesperson explained that the regulator’s criticisms reference features and policies from several years ago, which the company had already updated prior to the investigation. The updates included setting all accounts for users under 16 to private by default and removing certain deceptive patterns that had been used in the past. TikTok also noted that it had taken steps to ensure privacy by expanding settings for users aged 16 and 17 and by revising the initial post-publish notification that appears to new users.

Looking ahead, TikTok has committed to continuing improvements in privacy protections for younger users, aiming to provide clearer information about data practices and to reduce the exposure of minors to unwanted contact. The company has also signaled readiness to adjust mechanisms that influence how new users encounter privacy choices during their first interactions with the app. The case reflects a broader trend: privacy regulators across regions are pressing for stronger safeguards for children and teens on social media platforms.

Citations: Irish Data Protection Commission statements; regulatory announcements on GDPR compliance; regional enforcement actions related to teen privacy and platform defaults.
