Ireland’s privacy regulator today issued a fine of €345 million, or $367 million, to TikTok after finding that the company had breached the European Union’s GDPR regulation.

TikTok has more than 130 million users in the EU. Ireland’s Data Protection Commission, or DPC, leads oversight of the company’s privacy practices within the bloc. The reason is TikTok’s EU subsidiary, TikTok Technology Ltd., is incorporated in Ireland.

Ahead of today’s fine, the DPC determined that TikTok has breached more than half a dozen of the rules included in GDPR. Several of the rules with which the company failed to comply pertain to children’s privacy. According to DPC officials, TikTok breached GDPR between July 31, 2020, and Dec. 31 of the same year. 

The first privacy issue identified by the regulator is that TikTok had set children’s accounts to public by default. As a result, anyone could view the content posted on those accounts. The DPC found that TikTok’s public-by-default settings breached four different sections of GDPR.

The second issue that led to today’s fine is TikTok’s use of dark patterns, or interface elements designed to influence user behavior. According to the DPC, TikTok used such interface elements to increase the chance that users will publicly share content from their accounts.

One dark pattern was found in a pop-up panel that TikTok’s app displayed during the account creation process. It asked users if they wished to make their accounts public. According to the DPC, the pop-up panel included a prominently placed “Skip” button that set the user’s account to public when clicked.

Regulators also took issue with a second pop-up panel in TikTok’s interface. It enabled users to configure whether a newly uploaded video should be set to public. According to the DPC, the button used to make a video public was not only placed in a prominent section of the panel but also featured bold text. 

Transparency is another area where TikTok was found to have fallen short of GDPR requirements. Regulators determined that the company had failed to provide children with a clear, plain language overview of the “scope and consequences of the public-by-default” data processing within its app. 

The third reason the CDP issued today’s €345 million fine has to do with a TikTok feature called Family Pairing. The feature allows a child’s account to be linked with an account belonging to a parent or guardian. When Family Pairing is enabled, the parent or guardian can manage some of the child’s account settings. 

According to the DPC, TikTok failed to verify that the account linked to a child’s account belongs to a parent or guardian. Regulators also flagged that the Family Pairing feature can be used to enable Direct Messages for users above the age of 16. “The above processing posed severe risks to the rights and freedoms of child users, ” the DPC stated in its ruling. 

The DPC issued the initial version of the ruling last September. A few weeks ago, it modified the draft to address feedback submitted by regulators in Germany. This modification introduced the section of the ruling that addresses the dark patterns found in TikTok’s interface. 

Previously, the U.K.’s privacy regulator fined TikTok £12.7 million in April for misusing children’s data. Officials found that the company failed to comply with several of the privacy requirements set forth in the U.K.’s General Data Protection Regulation. The regulator originally planned to issue a £27 million fine, but lowered the sum after receiving additional information from TikTok about its data processing practices.

Image: TikTok