In the matter of TikTok Technology Limited

€345 million in fines

Excerpt

TikTok was held liable for nudging children towards privacy-intrusive settings using bold text in two pop-up notifications, hindering neutral and objective choices.

Our analysis

TikTok was found liable for its processing of children's data, particularly in the implementation of dark patterns violating the fairness principle outlined in Article 5(1)(a) of the GDPR.
-The default setting for all new TikTok accounts, including those belonging to children, was public, and
-Child Users were prompted with a pop-up notification to 'Go Private' or 'Skip.' This notification failed to present a neutral and objective choice to users.
-The DPC observed that TikTok employed dark patterns such as Preselection, Visual Interference, and Forced Action.
-The Registration Pop-Up encouraged opting for a public account by emphasizing the "Skip" option, while
- the Video Posting Pop-Up nudged users to select "Post Now" in bold, darker text, making it less apparent and accessible for users to choose privacy settings. The lack of clarity regarding the consequences of different choices further contributed to the infringement of the fairness principle under the GDPR.

Outcome

The Data Protection Commission found TikTok guilty of violating various GDPR articles and has taken corrective measures. TikTok received a reprimand and must bring its data processing in line with regulations within three months. The DPC has also imposed a total of €345 million in fines for the breaches.

Parties

TikTok Technology Limited and Data Protection Commission

Case number

DPC Inquiry Reference : IN-21-9-1

Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us