The potential fine of £27 million, or about $29 million, follows an investigation by the UK’s data privacy regulator, which found that over the course of two years from May 2018 to July 2020, TikTok may have breached UK law by processing data of kids under 13 without parental consent.
In a legal document notifying TikTok of the possible fine, the UK Information Commissioner’s Office also said TikTok may have processed sensitive categories of data “without legal grounds,” and may have failed to provide information to its users transparently enough.
“We all want children to be able to learn and experience the digital world, but with proper data privacy protections,” said Information Commissioner John Edwards in a statement. “Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement.”
In a statement, TikTok said: “While we respect the ICO’s role in safeguarding privacy in the UK, we disagree with the preliminary views expressed and intend to formally respond to the ICO in due course.”
The ICO did not name the specific types of sensitive data TikTok may have mishandled under UK law, but in general the country places higher obligations on data that reveals a person’s racial or ethnic origin, political opinions, religious beliefs, health status, sexual orientation and more.