Ryan Gracey Quoted by Mail Online After TikTok was Fined for Breaking Data Protection Law

Thursday 6th April 2023

Ryan Gracey, partner at Gordons and data privacy expert has been quoted by the Mail Online after the Information Commissioner’s Office (ICO) announced it has fined TikTok £12.7m.  

The fine follows an investigation by the ICO which discovered the popular video-sharing social media platform has broken a number of data protection laws with regard to children’s personal data.

The ICO said that more than one million children under 13 were using TikTok in 2020, despite its terms of use not allowing that.

It added that personal data belonging to those children was used without parental consent and that the company did not do enough to check who was using the social media app and take enough action to remove the underage children that were.

TikTok had faced a fine of £27m, but the final total was reduced to £12.7m.

Commenting on the fine, Ryan said: “This fine may be well below what the ICO initially threatened, but it is still a significant penalty and one of the largest ever given by the ICO. It’s another acute reminder that technology companies must take steps to protect personal data, especially the data of children online.”

Information commissioner John Edwards said TikTok had failed to abide by laws to make sure children are as safe in the digital world ‘as they are in the physical world’. He added that children’s data may have been used to track and profile them, potentially presenting them with harmful or inappropriate content.

Commenting on how children can be protected in today’s digital world, Ryan added: “Businesses need to be aware of the ICO’s statutory code of practice known as the ‘Children’s Code’ which sets out a series of standards they expect businesses to follow when designing and building online services which may be used by children.

“The standards include using clear language in ‘bite-size’ chunks for children to tell them what they are doing with the user’s personal data, being open about the risks and safeguards involved, and letting the user know what to do if they are unhappy.”

You can read Ryan’s comments on Mail Online here.


Understanding child data protection, from data privacy experts at law firm Gordons:

Who is classed as a ‘child’?

Anyone under the age of 18, but for ‘consent’ to be valid under GDPR, individuals must be at least 13 years old. Parental or guardian consent must be given if the child is under 13 years old. It is worth noting that services need not be ‘directed’ at children to be caught by these stringent protections. For example, TikTok is aimed at any online users but attracts a number of teenage users.

Shouldn’t parents be responsible for their children?

Safeguarding a child’s personal data does not only fall to the parents. The UN Convention on the Rights of the Child states that, in all actions concerning children, regardless of who is taking them, the best interest of the child must be a primary consideration.

What should businesses be doing to protect children’s personal data?

Businesses should:

  1. Use clear language in ‘bite-size’ chunks for children by:
    • Telling them what they are doing with the user’s personal data
    • being open about the risks and safeguards involved
    • letting the user know what to do if they are unhappy
  1. Establish what age range individual users are likely to fall into, so businesses can tailor the safeguards accordingly.
  2. Configure the service’s default settings as private to protect everyone’s privacy even though businesses don’t expect children to use their services.
  3. Draft a Data Protection Impact Assessment (“DPIA”) to help assess and mitigate the risks to children.
  4. Have policies to support and demonstrate compliance with data protection legislation.
  5. Ensure that anyone who provides their consent is at least 13 years old and keep and update records of consent received.
  6. Consider providing visual or audio prompts telling children to get help from a parent if they try to change the privacy settings.
As more businesses turn to digital tech to support their customers, it is essential they have the right legal partner providing high-quality regulatory and data protection guidance. Find out more about what our data privacy lawyers can do for you.