A U.K. data privacy regulator said it could fine TikTok up to £27 million for “failing to protect children’s privacy when using the platform,” according to a release.
The Information Commissioners Office—a regulatory body in the U.K. that reports directly to Parliament—notified TikTok that it may have broken U.K. data protection law between May 2018 and July 2020.
An investigation from the ICO found that TikTok processed data from children under the age of 13 without consent from their parents, and failed to provide information to users in a transparent way.
“We all want children to be able to learn and experience the digital world, but with proper data privacy protections,” Information Commissioner John Edwards said. “Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement.”
TikTok did not respond to a request for comment. The ICO filed what’s known as a “notice of intent,” which typically precedes a fine. The ICO has not said specifically when the fine would come down or what would accompany it, only that the fine could possibly occur, noting in the release that “no conclusion should be drawn at this stage that there has, in fact, been any breach of data protection law or that a financial penalty will ultimately be imposed.”
TikTok has frequently been the subject of government regulatory ire from a number of nations, especially because the app is uniquely popular among young people.
Back when TikTok was known as Musical.ly, the Federal Communications Commission hit it with a $5.7 million fine for illegally collecting children’s data.
In the years since, watchdog groups claimed that TikTok is not abiding by the agreements it made with the U.S. government as part of its settlement, including that TikTok did not remove videos from users under the age of 13.