ICO Investigating TikTok’s Use of Children’s Data: Key Implications for Businesses on Data Protection Laws

4 March 2025

The Information Commissioner’s Office (ICO) has launched a major investigation into TikTok’s handling of children’s data. The investigation follows concerns over how TikTok uses the personal data of 13–17-year-olds to make recommendations to them. This inquiry raises important questions about data privacy and the obligations businesses must meet under UK data protection laws.

What Does the ICO Investigation into TikTok Mean?

The ICO’s investigation into TikTok focuses on whether the app has been collecting, processing, and using children’s personal data in compliance with UK data protection laws. Given TikTok’s large young user base, its data collection practices have come under scrutiny for potentially failing to meet the strict requirements outlined by the GDPR.

Under UK data protection law, specifically the GDPR, children are afforded special protection regarding their personal data. Businesses that process children’s data must ensure they have a proper legal basis for doing so and determine whether parental or guardian consent is required. The ICO’s findings could lead to significant changes in how TikTok—and other social media platforms—handle data collection from minors.

Implications for Businesses on Data Protection Laws

This investigation is a stark reminder of the need for businesses to comply with data protection laws, particularly when handling children’s data. The ICO has the authority to impose substantial fines for non-compliance, and businesses found in breach may face significant penalties.

For businesses operating in the UK, this case highlights several key points:

1. Children’s Data Requires Special Protection

Businesses must ensure compliance with all legal requirements regarding the processing of children’s data. This includes obtaining parental consent where necessary and ensuring data is used responsibly and lawfully.

2. Transparency and Accountability

Under GDPR, businesses must be transparent about the data they collect and how it is used. Clear and concise privacy notices must be provided, and informed consent must be obtained before processing personal data.

3. Data Minimisation

Companies should only collect the minimum amount of personal data necessary for a specific purpose. Data should not be retained longer than needed, and businesses must implement robust security measures to prevent misuse.

4. Data Protection Impact Assessments (DPIAs)

If a business processes children’s data or uses high-risk data processing methods, it is vital to conduct DPIAs. These assessments help identify risks and ensure compliance with privacy regulations.

What Should Businesses Look Out For?

Age Verification Mechanisms – Ensure your platform or service has reliable age verification systems to prevent the collection of data from underage users.
Obtaining Parental Consent – Businesses targeting children under 13 (or those that may inadvertently collect children’s data) must implement verifiable parental consent mechanisms before processing any data.
Data Security – Implement robust security measures to protect personal data. Any data breach could result in significant fines, particularly if it involves sensitive data such as children’s information.
Regular Privacy Policy Reviews – Ensure your privacy policies are up to date and reflect the latest legal requirements. They should clearly explain how data is collected, used, and protected, using language that is easy for both parents and children to understand.

Conclusion

This is not the first time the ICO has investigated TikTok. The platform is currently appealing a £12.7 million fine issued in 2023 for using children’s personal data under the age of 13 without parental consent.

As businesses expand their digital presence, particularly when targeting younger audiences, staying ahead of evolving data protection laws is crucial. Ensuring compliance with the GDPR and the Data Protection Act 2018 is not just about avoiding penalties—it’s about building trust with consumers and ensuring the ethical use of personal data.

By taking proactive steps, such as implementing strong consent mechanisms, conducting regular Data Protection Impact Assessments, and ensuring transparent privacy practices, businesses can avoid regulatory scrutiny and strengthen customer trust.For more information on data protection compliance or to discuss your organisation’s data protection strategy, contact our Commercial Team at Berry Smith on 02920 345511 or email ddowen@berrysmith.com.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.