Josie Croce, Contributing Member 2023-2024
Editor-in-Chief 2024-2025
Intellectual Property and Computer Law Journal
I. Introduction
As social media websites like TikTok explode in popularity with child users, parents and governments alike are concerned about potential safety and security risks.[1] Children on TikTok are at risk of viewing inappropriate/harmful material and the collection and use of their personal data only exacerbates that risk.[2] In response, both the EU and the U.S. have enacted strict regulations on websites, in order to ensure that parents are consenting before their children’s data is collected and used.[3] In the EU, TikTok has been penalized for violating the EU regulations and is expected to face even more penalties under the new EU regulation targeted at protecting child users.[4] In the U.S., TikTok faces a civil suit brought by the Justice Department and the Federal Trade Commission (FTC) for alleged violations of the Children’s Online Privacy Protection Act (COPPA).[5]
II. The Potential Risk to TikTok’s Increasingly Younger Demographic
Number of Child Users in the U.S. and the U.K.
TikTok, a short-form video-sharing website owned by ByteDance, was launched in September 2016 and quickly gained massive international popularity.[6] TikTok began its global expansion in 2018 and by October 2018, TikTok had surpassed Facebook, Instagram, Snapchat, and YouTube in the number of monthly downloads on the U.S. App Store.[7] In 2023, it was estimated that TikTok had 150 million users in the U.S. and 134 million users in the EU.[8]
A large portion of TikTok’s users are children, which has raised serious privacy and safety issues. In 2020, TikTok received major criticism after internal company data exposed that more than a third of its 49 million daily users in the U.S. were under the age of fourteen, despite thirteen being the minimum age to use TikTok.[9] Although TikTok keeps its company practices private, some former and current employees have revealed TikTok’s methods for estimating the age of its users.[10] TikTok relies on self-reported dates of birth, on facial-recognition algorithms applied to profile pictures/videos, and on a user’s activity and social connections in the app considered alongside users whose ages have already been identified.[11] These reports came shortly after TikTok paid a $5.7 million settlement in 2019 to the FTC for violation of COPPA after TikTok illegally collected child users’ personal information without parental permission.[12]
The U.K.’s Information Commissioner’s Office (ICO) fined TikTok €12.7 million for a similar violation in April 2023.[13] The ICO found that, between May 2018 and July 2020, up to 1.4 million U.K. children under thirteen were using the platform, and that TikTok was illegally collecting and using the personal data of these child users.[14]
Parents’ Concerns About Children’s Online Exposures
While TikTok and other social media sites are attractive to children, many parents are concerned about their children’s presence on these sites. A recent U.K. study of children’s social media consumption and online behaviors revealed that almost all children (96%) ages three to seventeen watch videos on video-sharing sites, and approximately 50% of children use TikTok.[15] 96% of children surveyed watch others’ videos while 32% post their own videos.[16] The study revealed that parents feel that the risks of their child using social media, messaging, or video-sharing sites outweigh the benefits.[17] The most common concern of parents was that their child may see content that was inappropriate for their age, including ‘adult’ or sexual content.[18]
These concerns are warranted, as TikTok collects and uses personal data to “track and profile [its child users], potentially delivering harmful, inappropriate content at their very next scroll.”[19] Some researchers warn of “TikTok’s manipulative and addictive design practices, which are designed to keep users engaged for as long as possible…[and] exposes children and young adults with pre-existing mental health challenges to serious risks of harm.”[20]
III. Overview of the General Data Protection Regulation, the Digital Services Act, and the European Data Protection Board
The General Data Protection Regulation
The General Data Protection Regulation (GDPR) is touted as the “toughest privacy and security law in the world.”[21] Enacted in May 2018, the GDPR prioritizes personal data protection of EU citizens/residents and leverages high penalties (up to €20 million or 4% of a company’s global revenue, whichever is greater) for those who violate it.[22] With respect to children, the GDPR affords “specific protection with regard to [children’s] personal data, as they may be less aware of the risks, consequences, and safeguards concerned and their rights in relation to the processing of personal data.”[23] Accordingly, the GDPR prohibits companies from processing a child’s personal data unless the company receives explicit consent from the parent or guardian.[24] The GDPR further specifies that “a reasonable effort must be made, taking into consideration available technology, to verify that the consent given is truly in line with the law,” and permits each EU Member State’s Data Protection Authority to set the age of consent between ages 13 and 16.[25]
The Digital Services Act
Complementing the GDPR is the Digital Services Act (DSA), intended to “regulat[e] the obligations of digital services…that act as intermediaries in their role of connecting consumers with goods, services, and content.”[26] Put into effect in November 2022, the DSA promulgated more regulations for the protection of minors on online platforms, including a ban on advertising targeted at children and a ban on the use of ‘dark patterns,’ or “misleading tricks that manipulate users into choices they do not intend to make.”[27] The DSA sets even stricter regulations for ‘very large’ online platforms and search engines—defined as those reaching at least 45 million users—due to the greater capability of these sites to disseminate illegal or harmful content.[28] Under the DSA, the Commission is responsible for overseeing very large platforms and can fine up to 6% of a company’s worldwide annual turnover for breaches.[29] Member States are responsible for overseeing smaller platforms within their own jurisdiction and overseeing ‘non-systemic’ issues on very large platforms.[30]
The European Data Protection Board
The European Data Protection Board (EDPB) is in charge of ensuring compliance with the GDPR.[31] Instituted in May 2018, the EDPB works to “ensure that the data protection law is applied consistently across the EU and work[s] to ensure effective cooperation amongst DPAs [Data Protection Authority of Member States]. The Board will not only issue guidelines on the interpretation of core concepts of the GDPR but also be called to rule by binding decisions on disputes regarding cross-border processing, ensuring therefore a uniform application of EU rules.”[32]
IV. Irish Data Protection Commission’s €345 million fine against TikTok
In September 2023, Ireland’s Data Protection Commission (DPC)—in operation with EDPB procedures—fined TikTok €345 million for violating the GDPR and illegally processing children’s personal data.[33] The DPC conducted an investigation into TikTok’s practices between July 31st and December 31st of 2020, focusing particularly on “certain TikTok platform settings, including public-by-default settings as well as the settings associated with the ‘Family Pairing’ feature, and age verification as part of the registration process.”[34]
The DPC found that TikTok’s practices had violated eight articles of the GDPR, and five infringing practices were identified in the report:
(1) “profile settings for child user accounts were set to ‘public’ by default, meaning anyone (on or off TikTok) could view the content posted by the child user,” (2) “the ‘Family Pairing’ setting allowed a non-child user (who could not be verified as the parent or guardian) to pair their account to a child user’s account. This allowed the non-child user to enable Direct Messages for child users above the age of 16,” (3) “the fact that profile settings for child users were also set to public by default also posed several possible risks to children under the age of 13 who gained access to the platform,” (4) failure to provide sufficient transparency information to child users, and (5) implementation of “ ‘dark patterns’ by nudging users towards choosing more privacy-intrusive options during the registration process, and when posting videos.”[35]
The DPC decision included a reprimand, an order that TikTok bring their personal data processing into compliance with the GDPR within three months, and a €345 million fine.[36]
It is also expected that the EU Commission, responsible for overseeing the large-scale/systemic issues of very large online platforms, will soon launch a probe into whether TikTok has been complying with the DSA.[37]
V. Comparison to U.S. Law: Children’s Online Privacy Protection Act
COPPA went into effect in the U.S. in 2000, requiring the FTC to issue and enforce rules to protect children online.[38] In particular, COPPA “applies to commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children….[and] general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.”[39]
Scienter Requirement
Under the DSA, there is a broad prohibition on the collection of a child’s personal data without the “explicit consent of their parent or guardian.”[40] In order to ensure that the parental consent is compliant with the regulation, a “company/organisation must implement age-verification measures.”[41]
Under COPPA, websites that are either directed toward children or have actual knowledge of their collection/maintenance of personal information from children are prohibited from the collection, maintenance, and disclosure of this information without parental consent.[42] This “actual knowledge” standard has received criticism, as some contend that platforms are incentivized to purposefully ignore the age of their visitors and/or to avoid investigating whether their users are underage.[43] The FTC itself counsels that COPPA does not require general websites to ask users their age, although if they choose to “screen [their] users for age in a neutral fashion [they] may rely on the age information [their] users enter, even if that age information is not accurate.”[44]
Potential Fines
Under the DSA, the Commission can issue fines of up to 6% of the website’s worldwide annual turnover for breaches of the DSA, plus penalties of up to 5% of the average daily worldwide turnover for each day that the website delays compliance.[45]
Under COPPA, websites may be liable for a fine of up to $51,744 per individual violation.[46] Some of the largest COPPA settlements include a $136 million fine against Google (and its subsidiary, YouTube) after YouTube tracked and delivered targeted ads to child users, and a $275 million fine against Epic Games (creator of Fortnite) for collecting data from its child users without consent.[47]
VI. Conclusion
As TikTok has grown in popularity among child users, it faces increasing scrutiny for the ways that it collects and uses children’s personal data. In particular, TikTok’s algorithm relies on personal data to determine what content to show the users and, accordingly, may expose the user to repeated harmful content. By requiring parental consent, new regulations in the EU and the U.S. allow parents to decide whether the child user may access these platforms and whether the platforms may collect and use the child’s personal data. When platforms like TikTok fail to obtain consent, these regulations authorize government agencies to issue considerable penalties. Still, COPPA lags behind the DSA as it requires platforms to have actual knowledge before the obligation to obtain parental consent kicks in, permitting platforms to feign ignorance about the age of their users.
[1] Cecilia Kang, F.T.C. Hits Musical.ly With Record Fine for Child Privacy Violation, The New York Times, (Feb. 27, 2019) https://www.nytimes.com/2019/02/27/technology/ftc-tiktok-child-privacy-fine.html; Raymond Zhong, Sheera Frenkel, A Third of TikTok’s U.S. Users May Be 14 or Under, Raising Safety Questions, The New York Times, https://www.nytimes.com/2020/08/14/technology/tiktok-underage-users-ftc.html (Sept. 17, 2020); Teens on screens: Life online for children and young adults revealed, Ofcom, (Mar. 29, 2023) https://www.ofcom.org.uk/news-centre/2023/life-online-for-children-and-young-adults-revealed.
[2] Kevin Rawlinson, How TikTok’s algorithm ‘exploits the vulnerability’ of children, The Guardian, (Apr. 4, 2023 3:38 PM) https://www.theguardian.com/technology/2023/apr/04/how-tiktoks-algorithm-exploits-the-vulnerability-of-children; Global: TikTok’s ‘For You’ feed risks pushing children and young people towards harmful mental health content, Amnesty International, (Nov. 7, 2023) https://www.amnesty.org/en/latest/news/2023/11/tiktok-risks-pushing-children-towards-harmful-content/.
[3] Press Corner: Questions and answers on the Digital Services Act, European Commission, (Feb. 23, 2024) https://ec.europa.eu/commission/presscorner/detail/en/QANDA_20_2348; Complying with COPPA: Frequently Asked Questions, Federal Trade Commission, https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions#A.%20General%20Questions (last visited Mar. 8, 2024); What is GDPR, the EU’s new data protection law, Gdpr, https://gdpr.eu/what-is-gdpr/ (last visited Mar. 8, 2024).
[4] Irish Data Protection Commission announces €345 million fine of TikTok, Data Protection Commission, (Sep. 15, 2023) https://www.dataprotection.ie/en/news-media/press-releases/DPC-announces-345-million-euro-fine-of-TikTok; Mandy Dalugdug, TikTok Braces for Potential Probe and Hefty Fine in EU Over Child Safety Concerns (Report), Music Business Worldwide, (Feb. 13, 2024) https://www.musicbusinessworldwide.com/tiktok-braces-for-potential-probe-and-hefty-fines-in-eu-over-child-safety-concerns-report/.
[5] Justice Department Sues TikTok and Parent Company ByteDance for Widespread Violations of Children’s Privacy Laws, U.S. Dept. of Justice (Aug. 2, 2024), https://www.justice.gov/opa/pr/justice-department-sues-tiktok-and-parent-company-bytedance-widespread-violations-childrens.
[6] Rita Liao, Catherine Shu, TikTok’s epic rise and stumble, TechCrunch, (Nov. 26, 2020 4:11 AM) https://techcrunch.com/2020/11/26/tiktok-timeline/.
[7] Sarah Perez, TikTok surpassed Facebook, Instagram, Snapchat & YouTube in downloads last month, TechCrunch, (Nov. 28, 2018 3:58 PM) https://techcrunch.com/2018/11/02/tiktok-surpassed-facebook-instagram-snapchat-youtube-in-downloads-last-month/; Joe Tidy, Sophia Smith Galer, TikTok: The story of a social media giant, BBC, (Aug. 5, 2020) https://www.bbc.com/news/technology-53640724.
[8] Celebrating our thriving community of 150 million Americans, TikTok, (Mar. 21, 2023) https://newsroom.tiktok.com/en-us/150-m-us-users; European Union (EU) – Monthly Active Recipients Report, TikTok, (Jul. 2023) https://www.tiktok.com/transparency/en/eu-mau-2023-7/.
[9] Raymond Zhong, supra note 1.
[10] Id.
[11] Id.
[12] Kang, supra note 1. Since the settlement, TikTok merged with the video-sharing app Musical.ly.
[13] Alex Hern, Aletha Adu, TikTok fined €12.7m for illegally processing children’s data, The Guardian, (Apr. 4, 2023 1:50 PM) https://www.theguardian.com/technology/2023/apr/04/tiktok-fined-uk-data-protection-law-breaches.
[14] Id.
[15] Teens on screens: Life online for children and young adults revealed, supra note 1.
[16] Id.
[17] Id.
[18] Id.
[19] Rawlinson, supra note 2.
[20] Global: TikTok’s ‘For You’ feed risks pushing children and young people towards harmful mental health content, supra note 2.
[21] What is GDPR, the EU’s new data protection law, supra note 3.
[22] Id.
[23] Recital 38 – Special Protection of Children’s Personal Data, Gdpr, https://gdpr-info.eu/recitals/no-38/.
[24] Legal grounds for processing data: Are there any specific safeguards for data about children?, European Commission, https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/are-there-any-specific-safeguards-data-about-children_en (last visited Mar. 8, 2024).
[25] Id.
[26] Press Corner: Questions and answers on the Digital Services Act, European Commission, supra note 3.
[27] Legal grounds for processing data: Are there any specific safeguards for data about children?, European Commission, supra note 24.
[28] Id.
[29] Id.
[30] Id.
[31] Enforcement: What is the European Data Protection Board (EDPB)?, European Commission, https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/enforcement-and-sanctions/enforcement/what-european-data-protection-board-edpb_en (last visited Mar. 8, 2024).
[32] Id.
[33] Irish Data Protection Commission announces €345 million fine of TikTok, supra note 4.
[34] Id.
[35] Id.
[36] Id.
[37] Mandy Dalugdug, supra note 4.
[38] Complying with COPPA: Frequently Asked Questions, supra note 3.
[39] Id.
[40] Legal grounds for processing data: Are there any specific safeguards for data about children?, supra note 24.
[41] Id.
[42] 16 C.F.R. 312.3 (2013).
[43] Zhong, supra note 1.
[44] Complying with COPPA: Frequently Asked Questions, supra note 3.
[45] The enforcement framework under the Digital Services Act, European Commission, https://digital-strategy.ec.europa.eu/en/policies/dsa-enforcement#:~:text=Starting%20from%2017%20February%202024,to%20comply%20with%20interim%20measures (last visited Mar. 8, 2024).
[46] Id.
[47] Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children’s Privacy Law, Federal Trade Commission, (Sep. 4, 2019) https://www.ftc.gov/news-events/news/press-releases/2019/09/google-youtube-will-pay-record-170-million-alleged-violations-childrens-privacy-law; Fortnite Video Game Maker Epic Games to Pay More Than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges, Federal Trade Commission, (Dec. 19, 2022) https://www.ftc.gov/news-events/news/press-releases/2022/12/fortnite-video-game-maker-epic-games-pay-more-half-billion-dollars-over-ftc-allegations.