The UK's data protection watchdog said it would fine the Chinese firm behind the popular video app TikTok £27m for failing to protect children's privacy.
The Information Commissioner's Office of the UK (ICO) determined that YouTube may have processed the information of children under 13 without the appropriate consent.
The integrity body said the incident lasted more than two years - until July 2020 - but that it was not ready to draw firm conclusions.
TikTok says the findings are 'premature'.
The ICO has issued TikTok Inc and TikTok Information Technologies UK Limited with a "notice of intent" - a legal notice preceding a potential fine - to warn them against non-compliance with the GDPR.
The notice describes the ICO's preliminary view that TikTok infringed UK data protection law between May 2018 and July 2020.
The investigation into the company's ICO found that the social platform may have:
- processed the data of children under the age of 13 without appropriate parental consent
- failed to provide proper information to its users in a concise, transparent, and easily understood way
- processed special category data, without legal grounds to do so
Despite TikTok's policies restricting usage to those aged 13 years or older, 44% of eight to 12-year-olds in the UK use the app, according to Ofcom.
Commissioner John Edwards concurred, saying, 'We want children to be able to learn and experience the digital world, but with proper data privacy protections.'
"Our preliminary view is that TikTok fell short of meeting the legal requirement to provide digital services with protections."
In an attempt to increase the security and privacy of the platform, TikTok has implemented several initiatives. Parents may connect their accounts to their children's, and direct messaging is disabled for those under 16 years old.
However, Mr. Edwards said, 'I've made it clear that our goal of protecting children online requires collaboration, but also requires enforcement.'
"We are also investigating whether over 50 online services are adhering to the Children's Code and if six companies providing digital services haven't sufficiently taken child safety seriously enough in our initial opinion."
A new code of practice for online services that children might use was rolled out in September and built on existing data protection laws, with financial penalties possible for serious violations.
The ICO said in the notice that it had not yet concluded that data protection law had been breached, noting that these findings were preliminary.
The regulator said it would 'carefully consider any representations from TikTok before taking a final decision.'
The ICO has stated that no final conclusions can be drawn at this time, covering the period May 2018-July 2020. This notice of intent is provisional.
We respect the ICO's mission to safeguard privacy in the UK, but we disagree with its preliminary opinions and plan to formally respond to it in the future. A TikTok spokesperson said.
Prior activity
The firm was fined $5.7 million by the Federal Trade Commission in 2019 for mishandling children's data.
It has also been fined in South Korea for the same reasons.
The US Senate Commerce Committee voted in July to approve a measure raising the age at which children are afforded special online privacy protections to 16, and banning targeted advertising to children without parental consent.