
E02 — TikTok: Fines for children’s data — DPC EUR 345M, ICO GBP 12.7M

Category: Child protection / GDPR / public-by-default / deceptive interfaces / Family Pairing
Company/companies: TikTok / ByteDance
Years: July–December 2020 (period under review), April 2023 (ICO), September 2023 (DPC)
Status: Concluded; TikTok on appeal in the Irish High Court
Card ID: E02


Metadata

| Field | Value |
| --- | --- |
| Country/region | EU (Ireland DPC lead), UK (ICO) |
| Year revealed | September 2021 (DPC opens inquiry) |
| Years of practice | 31 July – 31 December 2020 (period examined); more broadly 2019–2021 |
| Total fine | EUR 345,000,000 (DPC) + GBP 12,700,000 (ICO) = ~EUR 360M |
| Currency | EUR / GBP |
| Legal basis | GDPR art. 5(1)(a), 5(1)(c), 5(1)(f), 12(1), 13(1)(e), 24(1), 25(1), 25(2); UK DPA 2018; COPPA USA |
| Whistleblower/discoverer | Irish DPC own-volition inquiry (September 2021); UK ICO |
| Number affected | 1,400,000 children under 13 (UK); millions in the EU aged 13–17 |
| Status (as of today) | TikTok on appeal in High Court Ireland; ICO fine paid |

TL;DR

On 15 September 2023, the Irish Data Protection Commission (DPC) announced a EUR 345 million fine against TikTok for GDPR violations in its handling of children’s data. Earlier, on 4 April 2023, the UK ICO (Information Commissioner’s Office) imposed a GBP 12.7 million fine for the unlawful processing of the data of 1.4 million children under 13 — who should not have had TikTok accounts in the first place.

The DPC’s review period covered 31 July – 31 December 2020 (5 months). Key violations:

  1. Public-by-default — children’s accounts (ages 13–17) were public by default. Anyone could follow them, view posts, and comment. A child had to actively change the setting. A textbook breach of privacy by design (GDPR art. 25).

  2. “Family Pairing” — a feature allowing a parent to pair their own account with a child’s account and manage settings. The problem: TikTok did not verify whether the person setting up Family Pairing was actually a parent. Any adult could pair themselves with a child’s account and expand access (for example, enabling Direct Messages for children over 16, even if the child had them turned off). A potential grooming tool.

  3. Dark patterns — the children-facing interface used deceptive design: the “Skip” text for ignoring privacy settings was larger than “Review,” and colors signaled “fast setup” = less privacy. The EDPB (European Data Protection Board), in its binding decision of August 2, 2023 (Binding Decision 2/2023), added a violation of GDPR art. 5(1)(a) (fairness principle).

  4. Transparency — information for children about the public nature of posts was inadequate. Terms like “public,” “anyone,” and “everyone” were unclear to a teenager.

  5. Age verification — the DPC initially challenged this but ultimately found it compliant (although Italy’s Garante filed an objection).

The DPC imposed a EUR 345 million fine + a compliance order within 3 months + a reprimand. The €345M fine comprised: €100M (public-by-default), €65M (Family Pairing), €180M (transparency). TikTok appealed to the Irish High Court in October 2023, arguing that the fine was “disproportionate” and that all charges concerned practices from 2020 — changed in 2021 (before the DPC inquiry had even begun).

UK ICO — separate case, April 2023. The ICO concluded that TikTok knowingly allowed 1.4 million children under 13 to use the platform without parental consent — in violation of the UK DPA 2018 and the Children’s Code. The fine of GBP 12.7 million was reduced from an initial figure of GBP 27 million after negotiations.

Case E02 is a turning point in enforcement of children’s online privacy in the EU. Subsequent cases: Instagram EUR 405 million (2022, for default public accounts of minors → A09). Together: the DPC imposed more than EUR 750 million in fines for child protection in 2022–2023.


Timeline

  • August 2018 — TikTok global launch.
  • 2019–2020 — TikTok grows among teenagers. Criticism of app culture — algorithm tuned to teenagers.
  • February 2020 — UK ICO opens a preliminary inquiry.
  • July 2020 — DPC audit period begins (31 July).
  • 31 December 2020 — end of the DPC audit period.
  • January–August 2021 — TikTok introduces changes on its own: minors’ accounts private by default; DMs disabled for under-16s; Family Pairing upgraded.
  • September 2021 — DPC officially opens an own-volition inquiry.
  • 2022 — DPC and ICO investigations.
  • April 2023 — ICO: GBP 12.7 million fine.
  • August 2, 2023 — EDPB Binding Decision 2/2023 adds a GDPR art. 5(1)(a) violation (fairness principle regarding deceptive interfaces).
  • 1 September 2023 — DPC adopts its final decision.
  • 15 September 2023 — DPC announces the EUR 345 million fine.
  • October 2023 — TikTok files an appeal in the Irish High Court (judicial review).
  • December 2023 — TikTok required to comply (3 months from the decision).
  • 2024–2026 — appeal pending.

Mechanism

Public-by-default

How it worked:

  • A 13-year-old created an account. It was automatically public.
  • Any TikTok user (1+ billion globally) could see the profile, view posts, comment, and send DMs (for those over 16).
  • Ads targeted to children’s public accounts.
  • The child had to actively navigate to Settings → Privacy → Private Account → enable.

The GDPR problem:

  • Art. 25(1) — privacy by design. The default should be minimum data disclosure.
  • Art. 25(2) — privacy by default. Default settings should be the most protective.
  • Art. 5(1)(c) — data minimization. A public account = maximum exposure.

For a 13-year-old, the “you can change it” argument is inadequate. Teenagers rarely dig into settings, and even if they do, the public exposure has already happened.

Family Pairing — the loophole

How it was supposed to work:

  • Parent installs TikTok on their phone.
  • Child installs TikTok on theirs.
  • Parent → Family Pairing → scans QR code from the child’s phone → link established.
  • Parent can limit screen time, filter content, control DMs.

How it actually worked:

  • No verification that the “parent” was actually a parent. Any adult could pair with a child’s account.
  • An adult could expand the child’s access: enable DMs, change privacy settings to less restrictive ones.
  • Potential grooming tool: predator → pairs with child’s account → enables DMs → direct contact.

The GDPR loophole:

  • Art. 5(1)(f) — integrity and confidentiality principle. No verification = no security.
  • Art. 25(1) — privacy by design. A feature enabling grooming is a textbook violation.
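
The two design failures described above (public-by-default accounts and a pairing feature that let an unverified adult loosen a child's settings) can be contrasted with a protective design in a small model. This is an added example, not TikTok's code or anything taken from the DPC decision; the setting names, exposure scales, age bands and the `relationship_verified` / `child_confirmed` checks are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical settings model: each setting has an ordered scale in which a
# later entry means more exposure. Names and scales are assumptions.
EXPOSURE = {
    "account_visibility": ["private", "public"],
    "direct_messages": ["off", "friends", "everyone"],
    "comments": ["off", "friends", "everyone"],
}

def default_settings(age: int) -> dict:
    """Privacy by default (art. 25(2)): minors start at the low-exposure end."""
    if age < 16:
        return {"account_visibility": "private", "direct_messages": "off", "comments": "friends"}
    if age < 18:
        return {"account_visibility": "private", "direct_messages": "friends", "comments": "friends"}
    return {"account_visibility": "public", "direct_messages": "everyone", "comments": "everyone"}

@dataclass
class ChildAccount:
    age: int
    settings: dict = field(default_factory=dict)
    guardians: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def __post_init__(self):
        if not self.settings:
            self.settings = default_settings(self.age)

def pair_guardian(child, adult_id, relationship_verified, child_confirmed):
    """Link an adult only if the relationship was verified out of band
    (hypothetical check) and the child confirmed the request."""
    ok = bool(relationship_verified and child_confirmed)
    if ok:
        child.guardians.add(adult_id)
    child.audit_log.append(("pair", adult_id, "linked" if ok else "refused"))
    return ok

def guardian_update(child, adult_id, key, value):
    """A paired guardian may tighten a setting but never widen exposure."""
    if adult_id not in child.guardians:
        child.audit_log.append(("update", adult_id, key, "denied: not paired"))
        return False
    scale = EXPOSURE.get(key, [])
    if value not in scale:
        child.audit_log.append(("update", adult_id, key, "denied: unknown value"))
        return False
    if scale.index(value) > scale.index(child.settings[key]):
        child.audit_log.append(("update", adult_id, key, "denied: loosens"))
        return False
    child.settings[key] = value
    child.audit_log.append(("update", adult_id, key, "applied"))
    return True
```

Every refused pairing or loosening attempt lands in `audit_log`, which gives a safety team something to review when the same adult repeatedly tries to pair with minors' accounts.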

Dark patterns (EDPB 2023)

  • “Skip” more prominent than “Review” — the public defaults were platform-friendly.
  • Green buttons for “fast setup” (less privacy), gray ones for “more info” (more privacy).
  • Pop-ups encouraging public sharing of the first video.

EDPB binding decision (August 2023): “Social media companies have a responsibility to avoid presenting choices to users, especially children, in an unfair manner – particularly if that presentation can nudge people into making decisions that violate their privacy interests.” (Anu Talus, EDPB Chair)

UK ICO — 1.4 million children under 13

TikTok’s minimum age is 13. But in the period May 2018 – July 2020 (exact range examined by ICO), the ICO determined that TikTok knowingly allowed 1.4 million British children under 13 to use the platform. How:

  • Weak age gates — a child could enter a false date of birth.
  • No age assurance (tools for verifying age).
  • The UK Children’s Code (ICO, 2020) requires robust age verification.

Fine: GBP 12.7 million. The ICO originally considered GBP 27 million, but reduced it after negotiations.


Discovery

Irish DPC — own-volition inquiry

Helen Dixon (DPC Commissioner until 2024), later Dale Sunderland and Des Hogan — lead regulators. The DPC opened the inquiry on its own initiative (own-volition, without a specific complaint) in September 2021. The context:

  • Earlier fines against Facebook Messenger Kids and Instagram (A09).
  • Public outcry over TikTok culture among teenagers.
  • NGO reports: 5Rights Foundation, Children Rights International Network.

UK ICO

John Edwards (ICO Commissioner from 2022, succeeding Elizabeth Denham). He ran the investigation in parallel with the DPC. The Children’s Code (Age Appropriate Design Code) has been one of the strongest global standards since 2020.

First reports

  • 4 April 2023 — ICO: “TikTok fined £12.7M for misusing children’s data”
  • 15 September 2023 — DPC: “DPC announces €345 million fine of TikTok”
  • Commentary: BDO, McCann FitzGerald, Baker Botts, IAPP

Key people

DPC / EU

  • Helen Dixon — DPC Commissioner 2014–2024.
  • Dale Sunderland — Commissioner from 2024.
  • Des Hogan — Commissioner from 2024.
  • Anu Talus — EDPB Chair since May 25, 2023, Data Protection Ombudsman of Finland.

ICO / UK

  • John Edwards — UK Commissioner from 2022.

TikTok

  • Shou Chew — Global CEO of TikTok.
  • Theo Bertram — VP Public Policy Europe (until 2024).
  • Michael Beckerman — VP Americas, Public Policy.

National authorities (objections)

  • Garante per la Protezione dei Dati Personali (Italy) — filed an objection on age verification.
  • Berliner Beauftragte für Datenschutz (Berlin) — filed an objection on deceptive interfaces.

Critics/organizations

  • 5Rights Foundation — UK, Baroness Beeban Kidron.
  • European Digital Rights (EDRi).

Company response

TikTok

Stage 1: changes before the inquiry (2021). Before the DPC inquiry formally opened, TikTok on its own introduced:

  • Accounts for under-16s private by default (January 2021)
  • DMs disabled for under-16s (November 2020)
  • Family Pairing upgraded

Stage 2: defense (2022–2023). Argument: “everything has already been fixed before you started.”

Stage 3: response to the fine (15 September 2023): TikTok statement: “We respectfully disagree with the decision, particularly the level of the fine imposed. The DPC’s criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under-16 accounts to private by default.”

Stage 4: appeal (October 2023). TikTok filed for judicial review in the Irish High Court. Arguments:

  • Fine “disproportionate”
  • No oral hearing — violation of the right to a fair process
  • DPC did not share its provisional views
  • Sections of the 2018 Data Protection Act (Ireland) unconstitutional / incompatible with the EU Charter of Fundamental Rights
  • Demand for a referral to the CJEU

Status as of April 2026: case pending in the High Court.


Jurisdictions

  • Ireland — DPC (lead supervisory authority)
  • UK — ICO (post-Brexit, separate)
  • Italy, Berlin — objections to the DPC
  • Netherlands — AP — separate proceedings regarding transfers

The DPC decision cites:

  • GDPR art. 5(1)(a) — fairness principle — added by the EDPB for deceptive interfaces
  • GDPR art. 5(1)(c) — minimization
  • GDPR art. 5(1)(f) — integrity and confidentiality (Family Pairing)
  • GDPR art. 12(1) — transparency
  • GDPR art. 13(1)(e) — informing about recipients
  • GDPR art. 24(1) — controller accountability
  • GDPR art. 25(1) and 25(2) — privacy by design and by default

Key milestones

| Date | Stage |
| --- | --- |
| September 2021 | DPC opens inquiry |
| 4 April 2023 | ICO fine GBP 12.7M |
| August 2023 | EDPB binding decision |
| 15 September 2023 | DPC fine EUR 345M |
| October 2023 | TikTok judicial review |
| Ongoing | High Court Ireland |

  • Instagram Ireland: DPC fine EUR 405 million (September 2022) — analogous children’s case.
  • Meta EUR 1.2 billion fine (DPC, May 2023) — transfers to the USA, → A07.
  • TikTok EUR 530 million (DPC, May 2025) — transfers to China, → E03.

Penalties and settlements

| Date | Authority | Amount | Jurisdiction | Basis |
| --- | --- | --- | --- | --- |
| 4 April 2023 | UK ICO | 12,700,000 GBP | UK | UK DPA 2018, Children’s Code |
| 15 September 2023 | DPC Ireland | 345,000,000 EUR | EU | GDPR, all articles listed |

Total: ~EUR 360 million


Precedents and implications

For EU law

  • Art. 5(1)(a) (fairness) as a weapon against deceptive interfaces — the EDPB’s binding decision of August 2023 is the first time fairness has been formally used against deceptive interfaces.
  • “Public-by-default” for children = automatic violation of the GDPR. A signal to every platform.
  • EDPB dispute resolution — the case showed that national DPAs can force the DPC to take their objections into account through EDPB Article 65.

For UK law

  • The Children’s Code (Age Appropriate Design Code) as a global standard. The ICO is currently the most active regulator for online child protection.
  • California CAADCA — California’s copy of the Children’s Code (2022, blocked in court in 2024).

For Big Tech practice

  • Instagram, Snap, YouTube Shorts, Pinterest — all had to adjust children’s settings.
  • Growing popularity of child-dedicated platforms (Pok.to, TikTok Kids in various countries).

Class actions

| Case | Court | Status | Value | Affected |
| --- | --- | --- | --- | --- |
| TikTok child privacy class actions (US) | US federal | Settled | USD 92M (2022) + more | US children |

Conclusions for citizens

What does this mean for me?

If your child uses TikTok — before 2021 the account was probably public by default. Your child could have had hundreds of thousands of followers, most of them strangers. Their posts, comments, and location could have been visible globally. Since 2021, accounts for under-16s are private by default — but keep checking.

How to protect your child?

  1. Minimum age 13 — TikTok requires it, but many children lie. Do not create an account for a child under 13.
  2. Private account: Settings → Privacy → Private Account → ON.
  3. Family Pairing — set it up from your own parent account. Configure:
    • Screen Time Management
    • Restricted Mode (content filter)
    • Direct Messages: OFF for under-16s, restricted for 16–17.
    • Who can send me messages / Who can comment on my videos / Who can see my liked videos: Only Friends / Followers
  4. Disable personalized ads in Settings.
  5. Talk to your child — TikTok is designed to hook you (the algorithm). Work out a family strategy on screens.
  6. Do not Follow Anyone / Add Contacts automatically — turn off in Settings.

For teenagers 13–17

  1. Check settings regularly — TikTok changes its interface, and defaults can change.
  2. Do not share your location, phone number, or school address in your profile or posts.
  3. Block strangers — TikTok has a Block function. Don’t hesitate to use it.
  4. Watch out for “challenges” — some are physically dangerous.

What rights do I have?

In the EU (GDPR + Children’s Code):

  • GDPR art. 8 — children under 16 (or lower age under national law, Poland: 16) require parental consent for processing.
  • Art. 17 — right to be forgotten — particularly strong for children.
  • Poland: the UODO actively promotes child protection. Its “Protect your child online” campaign.

In the UK:

  • Children’s Code — 15 standards for services tailored to children.

Where to report?

  • Poland: UODO, NASK (CERT Polska), Dyżurnet.pl (harmful content), Helpline.org.pl (support for children and parents)
  • EU: national DPA
  • UK: ICO

Note for mediators, lawyers, educators

In divorce cases involving child contact arrangements:

  • A child’s TikTok account can be a vector of contact with a non-custodial parent. Agree: can that parent follow the child on TikTok? Can they DM?
  • Family Pairing with which parent’s device? Both?

In domestic violence cases:

  • A child’s TikTok account can be monitored by a former partner of the parent. Change passwords, clear followers.

For schools:

  • Do not use TikTok as an official communication channel. GDPR art. 8 requires parental consent.
  • Dangerous “challenges” — schools in many countries (including France and Spain) have reported concerns to their DPAs.

Context

  • 1.4 million British children under 13 — the scale seen by the ICO. That is more than the entire population of Birmingham. These children should not have had accounts, but TikTok did not verify them.
  • TikTok reformed itself before the inquiry — in 2021, before the DPC had formally opened its inquiry. The defense argument: “we already fixed it.” The DPC’s response: fixing it after the fact does not remove liability for the period of violation.
  • Family Pairing as a grooming vector — the fact that any adult could pair with a child’s account (no verification of the relationship) was the DPC’s strongest argument. A classic case of privacy by design failure.
  • “Dark patterns” in an EDPB binding decision — the first case of its kind. Finnish chair Anu Talus: “Options related to privacy should be provided in an objective and neutral way, avoiding any kind of deceptive or manipulative language or design.” The quote has become a template.
  • Berlin vs. Italy objections — an interesting dynamic. Berlin wanted more (deceptive interfaces). Italy wanted to undo the DPC’s decision on compliance with art. 25 (age verification). Extreme positions; the EDPB landed in the middle.
  • Helen Dixon — DPC Commissioner 2014–2024. The longest-serving regulator in the office’s history. Criticized for slowness in enforcement, but in 2022–2023 her office imposed over EUR 2 billion in fines. She strengthened the DPC’s reputation.
  • John Edwards — UK ICO Commissioner from 2022. Previously New Zealand’s Privacy Commissioner. Known for his assertive style. The ICO’s TikTok fine was one of his first major decisions.
  • Instagram EUR 405 million (2022) — an analogous case. The DPC enforced against Meta for the same thing before TikTok. Pattern: default public accounts for teenagers + business email/phone visible. Meta lost separately (A09).
  • The UK Children’s Code as a global export — California copied it (CAADCA 2022), but a California court blocked the law in 2024 (free speech grounds). The UK original stands.
  • TikTok is appealing — judicial review filed in the High Court Ireland in October 2023. Arguments: proportionality, lack of oral hearing, incompatibility of Irish law with the Charter. If TikTok wins, DPC fines could be called into question.
  • Polish context — TikTok has around 16 million users in Poland, of whom an estimated 3+ million are children. The UODO has not opened a separate proceeding (the case falls under the Irish DPC). Polish schools and pediatricians are increasingly hostile toward TikTok.
  • “TikTok Kids” — a separate version available in some countries (limited content). Not available in Poland. For Polish parents, there is no “safe” option short of a full ban.
  • PHMSA TikTok Amendment (2024) — a US law imposing additional platform obligations regarding children. Echoes of the DPC and ICO cases.
  • Post-GDPR children’s case pipeline — after the TikTok case, the DPC has applied a similar approach to Snap (ongoing), Twitch, and Roblox. The regulator is learning.
  • The 2024 EDPB Statement (December 2024) on AI training builds on the children’s precedents (TikTok, Instagram). The logic: children cannot give informed consent, so their data should not be used to train AI. It affects LinkedIn (C05) and others.
  • USD 92 million class action in the US (2022) — a separate settlement, covering BIPA Illinois and federal claims. Payout: about USD 2 per child. Symbolically small.

Sources

  1. Data Protection Commission Ireland, “DPC announces €345 million fine of TikTok,” 15 September 2023. URL: https://www.dataprotection.ie/en/news-media/press-releases/DPC-announces-345-million-euro-fine-of-TikTok

  2. European Data Protection Board, “Following EDPB decision, TikTok ordered to eliminate unfair design practices concerning children,” 15 September 2023.

  3. UK Information Commissioner’s Office, “ICO fines TikTok £12.7 million for misusing children’s data,” 4 April 2023.

  4. TikTok Technology Limited v. Data Protection Commission, Irish High Court, October 2023 — judicial review proceedings.

  5. BDO, “TikTok Receives Significant GDPR Fine for Mishandling Children’s Data,” February 2025.

  6. Baker Botts, “TikTok’s €345 Million Fine for GDPR Violations on Child Data Protection,” November 2023.

  7. McCann FitzGerald, “Data Protection Commission fines TikTok €345 million,” September 2023.

  8. IAPP, “Ireland’s DPC issues 345M euro TikTok children’s privacy fine,” 15 September 2023.

  9. Hunton, “Irish Regulator Fines TikTok 345 Million Euros,” September 2023.

  10. Anu Talus, EDPB Chair, public statements 2023.

  11. Burges Salmon, “TikTok fined €345 million by Irish Data Protection Commission,” 2024.

  12. UK Age Appropriate Design Code (Children’s Code), 2 September 2020.

  13. 5Rights Foundation, reports on online child protection, 2019–2024.

  14. EDPB Binding Decision 02/2023, August 2023.

  15. Irish Times, “TikTok can pursue challenge to €345m fine,” 23 October 2023.


Last updated: 2026-04-18 Card in database: E02_tiktok_children.md