Site icon Sophos News

TikTok’s handling of child privacy gets another watchdog’s attention

TikTok: sometimes it’s funny, sometimes it’s cringey, pretty much all times it’s addictive (particularly for young people, and particularly during lockdown).
Also pretty much all the time, the app – which lets users share their short videos – is being investigated for how it handles children’s data. This time around, it’s the Dutch privacy watchdog’s turn.
On Friday, the Dutch Data Protection Authority (DPA) announced that it’s launched an investigation into how TikTok handles user privacy.
As it is, millions of children and teenagers all over the world are sharing their videos on the social media app, the DPA said. It’s grown to be a particularly important tool for staying in touch and spending time with friends, particularly during the coronavirus crisis. But what kind of danger is it exposing our children to?
From the DPA’s announcement:

In the Netherlands many children now have TikTok on their phones. The rise of TikTok has led to growing concerns about privacy.

Are the kids alright?

The watchdog noted that under Dutch law and under the EU General Data Protection Regulation (GDPR), children are seen as particularly vulnerable because they’re “less aware of the consequences of their actions, especially when it comes to sharing personal data on social media.”
Yes, they are, and that’s why TikTok has been scrutinized by other countries over its adherence to child protection law or lack thereof. In February 2019, the US hit TikTok with the biggest-ever fine for violating the nation’s child privacy law.
Next up came the UK. In July 2019, information commissioner Elizabeth Denham told a parliamentary committee that the US Federal Trade Commission’s (FTC’s) fine of $5.7 million had triggered a UK probe into how TikTok handles the safety and personal data of underage users.
In the US, at least some parents have already decided that TikTok has broken the law. In December 2019, two mothers filed a class-action suit against TikTok on behalf of their teenage daughters, who were under the age of 13 when they started using the app. In spite of their children being underage, the parents said, they were never asked for their verifiable consent. Lack of parental consent is a violation of the Children’s Online Privacy Protection Act (COPPA), which is the nation’s strictest child privacy law.


COPPA applies to any site or service that collects children’s personally identifiable information (PII), which TikTok does: users handed over their email addresses, phone numbers, usernames, first and last names, short bios in which users could choose to mention their age, and profile pictures. For a while, between December 2015 and October 2016, TikTok was also hoovering up users’ geolocation data, which let the app figure out where its users were located.

Musical.ly (bought by TikTok parent company ByteDance in 2017 and merged with the TikTok app in 2018) had all of that PII set to public view, by default. That meant that a child’s profile bio, username, picture, and videos could be seen by other users – including by adults and, potentially, by child predators. Even if a user switched their profile to private, their profile pictures and bios remained public, meaning that users/adults/predators could still send them direct messages, replete with colorful, cartoonish icons – animals, smiley faces, cars, trucks, hearts, that kind of thing.

In fact, there have been reports of adults posing as minors and messaging children, sometimes asking them for nude photos.

Lately, TikTok has been trying to better protect its adoring, underage users.
In April, the social media app blocked the live chat and video streaming function for users under 16 and introduced parental controls – what it refers to as “Family Pairing” – to restrict inappropriate content and manage screentime.
In a statement sent to Reuters, TikTok spokeswoman Gudrun Herrmann said that protecting users – particularly kids – is the company’s number one priority:

TikTok’s top priority is protecting our users’ privacy and safety, especially our younger users.

The Dutch DPA said it plans to examine whether the app clearly states how it uses data and whether “parental consent is required for TikTok to collect, store and use children’s personal data.”
The watchdog expects preliminary results later this year.

Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.

Exit mobile version