TikTok’s unlawful use of children’s data

Tyumen, Russia - April 28,2019: Social media icons apps on the smartphone screen, close up

Popular video-sharing app TikTok is facing a claim backed by millions of children over its collection and use of personal data. The issue is that this illegal collection of data is being passed onto third parties and TikTok is receiving a financial gain from it all. Former children’s commissioner for England, Anne Longfield, lodged the claim in the high court on behalf of children in the UK and EU. Longfield is calling for TikTok to delete all existing data and compensate these children. This could run into a hefty figure for the social media giant. 

TikTok’s privacy policy clearly states that it collects information that ‘you share with us from third-party social network providers and technical and behavioural information about your use of the platform’. They can also access a user’s phone book if it is granted by the user. 

The question of consent is central to this story as it comes down to the question of can children actually consent to their data being processed?

This blog will outline the importance of transparency when it comes to the storage and use of personal data.  


What is personal data?

The Information Commissioner’s Office (ICO) defines personal data as information relating to an individual who can be identified directly from the data. This includes information such as names, email addresses and even IP addresses.

For more information about how data should be correctly processed, read our guide on processing personal data.


How do I know if my privacy policy is fit for purpose?

A privacy policy informs your customers about what type of data you’re collecting, how you are collecting data (usually from a website) and what you’re doing with that data. Some provisions you should address in your privacy policy  include:

  • Important information about who you are
  • Explain the data you collect about the user
  • How that user’s personal data is collected 
  • How you use that user’s personal data
  • Data retention 

It is important that you are transparent about this to your website visitors. If you are intending to share a user’s personal data with third parties, you must set out the purpose for which you will use that data.  If you are not processing children’s data you should make it obvious that your website is not intended for children and that you do not knowingly collect data relating to children.

Make your bespoke privacy policy using Rocket Lawyer’s document template. 


What do I need to do if I am processing children’s data?

If you are relying on consent as the lawful basis for processing children’s data then you must be aware that when you are offering an online service directly to a child, only children aged 13 or over are able to provide their own consent in the UK. For children under the age of 13, you will need to get consent from whoever holds parental responsibility. However, there is an exception when your business is offering counselling services. Children have the exact rights as an adult with their personal data and this includes the right to access their personal data, request rectification,  objecting to processing and erasure

Read our quick guide on data protection for more information about complying with the Data Protection Act, what constitutes personal data and what your obligations are if you collect personal data.