The UK Information Commissioner’s Office (ICO) Tuesday issued TikTok a £12.7 million fine for its breach of UK General Data Protection Regulation, including TikTok’s illegal use of children’s personal data.

UK data protection law mandates companies obtain consent from parents or guardians of children under the age of 13 in order to use personal data when offering information society services to children under 13. However, TikTok did not do this, “even though it ought to have been aware that under 13s were using its platform.” Further, “TikTok also failed to carry out adequate checks to identify and remove underage children from its platform.”

According to the ICO, in 2020 TikTok allowed approximately 1.4 million UK children under 13 to use its platform, “despite its own rules not allowing children that age to create an account.”

UK Information Commissioner John Edwards stated that these “laws [are] in place to make sure our children are as safe in the digital world as they are in the physical world. TikTok did not abide by those laws.” Since children under 13 years of age were inappropriately granted access to TikTok, Edwards stated that “their data may have been used to track them and profile them, potentially delivering harmful, inappropriate content at their very next scroll.” 

In recent months, many governments around the world have become concerned about TikTok’s security and data privacy issues. Last month, the US Congress held a hearing in which TikTok’s CEO Shou Chew testified regarding consumer privacy and data concerns. The US Senate also introduced a bill which could ban TikTok in the US. Earlier this year, the European Commission, as well as Canada and several US states, banned TikTok on government mobile devices amid security and data privacy concerns.