TikTok ordered to eliminate unfair design practices concerning children

18 settembre 2023

Following the EDPB’s binding dispute resolution decision,the Irish Data Protection Authority (IE DPA) has issued a final decision, finding, in particular, that TikTok Technology Limited (TikTok) infringed the GDPR's principle of fairness when processing personal data relating to children between the ages of 13 and 17. The EDPB's decision was issued on 2 August 2023 and covers TikTok's processing activities between 31 July and 31 December 2020.

Anu Talus, EDPB Chair, said: “Social media companies have a responsibility to avoid presenting choices to users, especially children, in an unfair manner – particularly if that presentation can nudge people into making decisions that violate their privacy interests. Options related to privacy should be provided in an objective and neutral way, avoiding any kind of deceptive or manipulative language or design. With this decision, the EDPB once again makes it clear that digital players have to be extra careful and take all necessary measures to safeguard children’s data protection rights.”

In its binding decision, the EDPB analysed the design practices implemented by TikTok in the context of two pop-up notifications that were shown to children aged 13-17: the Registration Pop-Up and the Video Posting Pop-Up. The analysis found that both pop-ups failed to present options to the user in an objective and neutral way.

In the Registration Pop-Up, children were nudged to opt for a public account by choosing the right-side button labelled “Skip”, which would then have a cascading effect on the child’s privacy on the platform, for example by making comments on video content created by children accessible.

In the Video Posting Pop-Up, children were nudged to click on “Post Now”, presented in a bold, darker text located on the right side, rather than on the lighter button to “cancel”. Users who wished to make their post private first needed to select “cancel” and then look for the privacy settings in order to switch to a “private account”. Therefore, users were encouraged to opt for public-by-default settings, with TikTok making it harder for them to make choices that favoured the protection of their personal data. Furthermore, the consequences of the different options were unclear, particularly to child users. The EDPB confirmed that controllers should not make it difficult for data subjects to adjust their privacy settings and limit the processing.

The EDPB also found that, as a result of the practices in question, TikTok infringed the principle of fairness under the GDPR. Consequently, the EDPB instructed the IE DPA to include, in its final decision, a finding of this additional infringement and to order TikTok to comply with the GDPR by eliminating such design practices.

The EDPB also assessed whether age verification measures implemented by TikTok between 31 July and 31 December 2020 complied with the requirements of data protection by design (Art. 25(1) GDPR). The EDPB expressed serious doubts regarding the effectiveness of the age verification measures put in place by TikTok during this period, particularly taking into account the severity of the risks for the high number of children affected. Among others, the EDPB found that the age gate deployed by TikTok to prevent child users under the age of 13 from accessing the platform could be easily circumvented and that the measures applied after users gained access to TikTok were not applied in a sufficiently systematic manner.

Based on the elements available in the context of this dispute resolution procedure, the EDPB concluded that it did not have sufficient information, in particular in relation to the state of the art, to conclusively assess TikTok’s compliance with Art. 25 (1) GDPR during this period. However, considering the serious doubts regarding the effectiveness of the measures chosen by TikTok, the EDPB required the IE DPA to reflect this in its final decision.

The IE DPA's final decision incorporates the legal assessment expressed by the EDPB in its binding decision. This decision was adopted on the basis of Art. 65(1)(a) GDPR after the IE DPA, as lead supervisory authority (LSA), triggered a dispute resolution procedure concerning the objections raised by some concerned supervisory authorities (CSAs). These objections outlined the scope of the EDPB’s decision, described above.

The IE DPA’s final decision also includes legal assessment that was not subject to objections by CSAs, such as the finding that the public by default settings were contrary to the principles of data protection by design and default, of data minimisation and transparency. In addition to a reprimand and a compliance order, the IE DPA imposed a fine of €345 Million.

The final decision taken by the IE DPA is available in the Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

 



Archivio news

 

News dello studio

lug13

13/07/2026

Google Android: the Court of Justice upholds Google’s fine of around €4.1 billion

Judgment of the Court of Justice of the EU in Case C-738/22 P | Google and Alphabet v Commission The appeal brought by Google and its parent company Alphabet against the judgment of the General Court

lug13

13/07/2026

Judgment of the General Court in Joined Cases T-1079/23, T-1080/23 | Apple v Commission and T-214/24 Apple and Apple Distribution International v Commission

Digital services: the General Court of the EU dismisses Apple’s actions regarding its designation as a gatekeeper in relation to the App Store and iOS The General Court also rules that

lug13

13/07/2026

Opinion of the Advocate General in Cases C-535/25 | Amazon Italia Logistica, C-536/25 | Amazon Italia Services and C-537/25 | Amazon Italia Transport

According to Advocate General Campos Sánchez-Bordona of the Court of Justice of the European Union, companies in the Amazon group provide postal services in Italy Consequently, the requirement

News Giuridiche

lug14

14/07/2026

Autovelox, il Decreto atteso da 32 anni: cosa cambia per multe e ricorsi

Per i verbali futuri le contestazioni saranno

lug14

14/07/2026

La salute mentale dedotta dai dati della didattica online

Dal dato comportamentale al dato sulla

lug14

14/07/2026

L’abusivo esercizio dell’attività di intermediazione finanziaria è illecito deontologico

Sanzionato l'avvocato che si è fatto consegnare