
Age verification and protection of minors under the GDPR: Decision on the processing of children’s data by TikTok

19.09.2023

On 15 September 2023, the Irish Data Protection Commission published its final decision in the matter of TikTok Technology Limited (TikTok). In the decision, it issued an order imposing fines of €345m in total due to several infringements of the GDPR by TikTok in processing the data of children aged 13 to 17. The decision was preceded by a Binding Decision by the European Data Protection Board (EDPB). Among other things, the EDPB emphasised that data controllers must generally review age verification mechanisms on a regular basis. Companies that process children’s data should therefore take the EDPB's decision as an opportunity to review the technical design of their services.

Context: Coherence procedure by European data protection authorities with the involvement of the EDPB

In the cross-border proceedings against TikTok, the Irish Data Protection Commission, as the lead supervisory authority, submitted a draft decision to the other supervisory authorities concerned for comment in September 2022. The Italian data protection authority and two German supervisory authorities (the Berlin Commissioner for Data Protection and Freedom of Information and the Baden-Württemberg State Commissioner for Data Protection and Freedom of Information) each lodged objections to this draft decision, whereupon a binding decision by the EDPB was requested in May 2023. The EDPB then issued a binding decision on 2 August 2023 in relation to the objections of the Italian and the two German supervisory authorities. The Italian data protection authority had criticised the age verification mechanisms implemented by TikTok for users under the age of 13, which is why the EDPB addressed this in its decision. Based on this binding decision, the Irish Data Protection Commission issued its decision on 1 September 2023 and published it on 15 September 2023.

Objections to TikTok’s data processing: Mechanisms for age verification

The decision of the Irish Data Protection Commission and the decision of the EDPB concern, among other things, the question of whether TikTok’s age verification mechanisms for children under 13 meet the requirements of the GDPR. As an ex ante measure, TikTok had categorised the app as “12+” in the Apple App Store and as “Parental Guidance Recommended” in the Google Play Store. In addition, people had to enter their date of birth when using TikTok.

For users whose entered date of birth indicated an age below 13, the registration process was automatically cancelled without the users being told why. Users were only shown a pop-up notification stating that they were not authorised to use the TikTok platform. People who tried to enter their date of birth again, even after reinstalling the app, were still unable to complete the registration process and were again shown the pop-up notification stating that they were not authorised to use TikTok. In addition, TikTok had put in place some ex post mechanisms, such as blocking users who were reported to TikTok due to their age (under 13).

In its binding decision, the EDPB expressed serious doubts about the effectiveness of the age verification measures taken by TikTok and ordered the Irish Data Protection Commission to amend its draft decision accordingly. The EDPB emphasised that these doubts existed in the specific case particularly in view of the seriousness of the risks and the large number of vulnerable people affected. In addition, the EDPB emphasised that the appropriateness of age verification mechanisms changes regularly because the state of the art is constantly changing, and that the data controller is therefore required to regularly review these measures to determine whether they are (still) appropriate, taking into account the criteria set out in Article 25 of the GDPR (data protection by design and by default).

However, the EDPB ultimately left the decision as to whether TikTok’s age verification mechanisms met the requirements of the GDPR up to the Irish Data Protection Commission, as it did not have sufficient information on the state of the art in the specific case to conclusively assess TikTok’s data protection compliance. Contrary to the serious doubts of the EDPB, the Irish Data Protection Commission concluded in its decision that it could not assume that TikTok’s technical and organisational measures in relation to age verification mechanisms infringed provisions of the GDPR.

In its decision, the Irish Data Protection Commission also criticised other aspects of TikTok’s data processing, including design practices in connection with two pop-up windows in which, according to the Irish authority, children between the ages of 13 and 17 are encouraged to make their profiles and videos publicly accessible, i.e. also to non-TikTok users. The Irish Data Protection Commission saw this as a violation of the principle of data minimisation and of Article 25 of the GDPR.

Reason for companies to revise age verification mechanisms

Even if the individual case decision of the Irish Data Protection Commission and the EDPB’s decision only have a direct effect on TikTok, companies that are subject to the GDPR and process children’s data should take the published EDPB decision as an opportunity to review their age verification mechanisms to ensure that they meet the legal requirements. This is because the EDPB's considerations also contain general statements that can be transferred to other companies, particularly with regard to the obligation of data controllers to review the appropriateness of age verification mechanisms. The UK Information Commissioner’s Office has issued a comprehensive code relating to the processing of personal data of children. Even if this is not directly applicable in the EU, it can provide good guidance. A summary of the considerations of the European Parliament Research Service on age verification measures and current projects in the European Union can be found here.
