The UK's data protection regulator, the Information Commissioner's Office ("ICO"), has issued a "notice of intent" to TikTok. This notice is a precursor to imposing a potential £27 million fine, following an investigation conducted by the ICO which found that TikTok may have breached data protection law between May 2018 and July 2020. The maximum fine that TikTok could face is 4% of its global annual turnover.

The ICO investigation found that TikTok may have:

  • processed personal data of children under the age of 13 without appropriate parental consent;
  • failed to provide proper information to its users in a concise, transparent and easily understood way; and
  • processed special category data (such as ethnic and racial origin, political opinions, religious beliefs, sexual orientation, trade union membership and genetic, biometric or health data) without the legal grounds (as specified in Article 9 of the UK GDPR) to do so.

The ICO's findings are, however, provisional. A conclusion on whether there has been a data protection law breach or whether a financial penalty will be imposed is expected from the ICO after considering any representations from TikTok.

Related articles:

If you would like to know more about the class action against TikTok for the misuse of child personal data, please see our previous post on the topic here.

See the ICO's press release here.
