Excerpt
TikTok was fined by the Dutch DPA for violating GDPR Article 12(1) by providing its privacy policy solely in English to Dutch users, many of whom are children under the age of 16.
Our analysis
The Dutch Data Protection Authority conducted an investigation into TikTok Inc's processing of personal data. TikTok, a California-based company, operates a mobile app that allows users to create, edit, and share short videos. A large number of Dutch children under the age of 16 use the app. During the AP's investigation, it was found that between May 25, 2018, and July 28, 2020, TikTok only provided its Privacy Policy to Dutch users, including children, in English. This was the case both during the registration process and when users wanted to access the policy while logged in. From July 29, 2020, TikTok began providing its Privacy Policy to Dutch users in Dutch. Additionally, the company provides a separate document designed for Dutch-speaking children.
The AP determined that TikTok violated Article 12(1) of the GDPR between May 25, 2018, and July 28, 2020, by only providing its Privacy Policy in English to Dutch children. This article requires that data controllers take appropriate measures to provide information about the processing of personal data in a concise, transparent, and easily accessible form, using clear and plain language. This is particularly important for information aimed at children. According to the WP29's Guidelines on Transparency, TikTok must understand its target audience and ensure that the information it provides is understandable to them. The company must be aware that a significant portion of its user base consists of children under the age of 16.
The AP emphasized that the requirement of intelligibility means that the controller must provide a translation of the information into the language spoken by the data subjects. This is particularly important when addressing young children to ensure that they can easily understand the information. It is irrelevant that some Dutch children may have a good command of English, as it cannot be assumed that all children in that age group will have the same level of proficiency in the language. TikTok violated the GDPR by failing to provide its Privacy Policy in Dutch to Dutch children during the relevant period amounting to language discontinuity.
Outcome
TikTok was fined €750,000 by the Dutch Data Protection Authority (AP) for violating Article 12(1) GDPR. The AP can impose a fine of up to €20 million or 4% of the total worldwide annual turnover for such infringements. The infringement was classified as category III with a penalty range of €300,000 to €750,000, with the AP increasing the basic amount of the fine by €225,000 to the maximum of the penalty range due to the gravity and duration of the breach. The breach affected a large number of data subjects, including approximately 830,000 Dutch children under the age of 18 who were less aware of the risks and their rights in relation to the processing of their personal data.
Parties
TikTok Inc. and Dutch DPA
Case number
Press release/22 July 2021
Decision
Related deceptive patterns
The trick wording deceptive pattern takes advantage of user expectations and ambiguous language to mislead and deceive users. It is normal for users to scan-read when they are online, as a way to cope with the sheer volume of information they are faced with. This means they don't read and dwell on every word on every page. Trick wording usually takes advantage of the scan reading strategy, by making a piece of content look like it is saying one thing, when in fact it is saying something else that is not in the user's best interests.
Related laws
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Specifies required information for data subjects when collecting personal data from other sources, including controller identity, processing purposes, personal data categories, recipients, and retention period.
Empowers supervisory authorities to carry out investigations and order controllers and processors to comply with the regulation.
Outlines conditions for fines and penalties for non-compliance, including up to 4% of global annual revenue or €20 million, whichever is greater.
Outlines the use and calculation of administrative fines for violations of privacy laws.