July 28, 2021

TikTok fined in the Netherlands for GDPR violations

On July 22, 2021, the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority, or DDPA) announced that it had imposed a € 750,000 fine on TikTok, Inc. for failing to offer its privacy statement in Dutch.  The DDPA concluded that TikTok’s failure to provide an adequate explanation (in a language that all users, including children, could understand) regarding its collection and use of personal data constituted an infringement of Article 12(1) of the General Data Protection Regulation for the period from May 25, 2018 to July 28, 2020.  The fine represents the maximum penalty under Dutch law for violations of this nature.

The DDPA began its investigation of TikTok’s practices in 2020.  Following receipt of the DDPA’s initial findings, TikTok implemented some changes to make the application safer for children, including:

  • Making “private account” the default setting for users younger than 16;
  • Turning off the “Suggest your account to others” function by default for users younger than 16, and making the “Duet” and “Stitch” features unavailable to those users;
  • Disabling the downloads option for users younger than 16;
  • Creating an internal reporting function to facilitate the identification of accounts held by users under the age of 13;
  • Enhancing the parental control options; and
  • Providing the application’s privacy policy to Dutch consumers in Dutch.

The DDPA noted in its press release that some youth privacy issues remain unresolved, particularly surrounding the identification of underage users who claim to be over sixteen.  More recently, TikTok established a headquarters in Ireland, and the investigation has been transferred to the Irish Data Protection Commission.

DDPA press release | Decision