The Turkish Data Protection Authority ("DP Authority") fined TikTok TRY 1.75 million following an investigation opened against TikTok in response to various news reports and complaints.

The decision was published on the DP Authority's website on March 1, 2023.

01 What does the decision say?

The DP Authority's decision is summarized below:

  • TikTok updated its privacy policy in January 2021 and changed the default privacy setting to "private" for users aged 13 to 15. However, before this update, the profiles of minors were publicly viewable by default, which poses a risk with respect to this vulnerable age group;
  • Prior to this update, the personal data of minors under the age of 13 were viewable, and minors' data were collected by TikTok without appropriate parental consent;
  • Although TikTok's privacy policy includes the legal bases for data processing, there is a lack of clear information on what personal data is processed for what purpose and on which legal basis;
  • Users are deemed to have accepted TikTok's terms of service and privacy policy when creating an account. However, the terms of service have not yet been translated into Turkish, and thus it may not be possible for users to understand them clearly;
  • Although TikTok provides its privacy policy to users to fulfill its obligation to inform, it uses the same document also to obtain users' explicit consent. However, the privacy policy and explicit consent text should be presented to data subjects separately; and
  • TikTok does not obtain explicit consent from users to use cookies for profiling purposes.

Based on the reasoning above, the DP Authority:

  • Fined TikTok TRY 1.75 million; and
  • Instructed TikTok to:
    • translate the terms of service into Turkish, and
    • prepare a privacy policy compliant with DP Law.

02 Who must be concerned?

The decision is relevant to all data controllers who:

  1. process personal data of minors (especially those under the age of 13),
  2. set cookies for profiling data subjects,
  3. use a language other than Turkish to provide privacy policies or terms of service to data subjects/users,
  4. use privacy notices:
    • that do not include detailed information on processing activities, and/or
    • for also obtaining explicit consent (i.e. as an explicit consent text).

03 Key takeaways to be considered

Key takeaways based on the DP Authority's decision on TikTok are as follows:

  • A data controller whose services also target minors should carry out a risk assessment for the processing of minors' data;
  • Although DP Law doesn't have a clear rule on the processing of minors' personal data, after this decision, collecting/processing personal data of minors under the age of 13 without appropriate parental consent will constitute a risk;
  • The privacy notice should include clear information on (i) the processed data, (ii) the purpose of processing and (iii) the legal basis for processing (and also the collection method, as per Turkish DP Law);
  • The privacy notice and terms of service should be provided to data subjects in Türkiye in Turkish;
  • The explicit consent text must be provided to data subjects separately from the privacy notice/policy;
  • Data controllers who carry out profiling activities by using cookies should rely on explicit consent.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.