They ruled that the company was inappropriately collecting and using children's personal data
Social media platform TikTok’s efforts to keep underage users out have generally been ineffective, per the results of an investigation conducted by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Office of the Information and Privacy Commissioner for British Columbia, and the Office of the Information and Privacy Commissioner of Alberta.
TikTok had improved its proactive age assurance mechanism to include facial analytics; this was designed to prevent under-18 users from accessing the platform’s livestreaming function. However, while the company used age-estimating analytics tools for business purposes, it did not apply the same or similar tools to detect underage users.
Per the platform’s terms of use, those under 13 (14 in Quebec) were banned from registering as users; however, the privacy commissioners found that there was just one voluntary age gate that required registrants to provide their birthdate. Moreover, TikTok enforced the human moderation of user accounts that were tagged as potentially underage based on language used and user reports.
Underage users were still able to remain on the platform as “lurkers” who did not post content but did consume it. Thus, TikTok gained access to Canadian children’s personal information, including data the privacy commissioners labelled as sensitive.
The privacy commissioners determined that the company ejected about 500,000 underage users from the platform every year, but “where these children were engaging with the platform before being removed, TikTok was already collecting, inferring and using information about them to serve them targeted ads and recommend tailored content to them,” they said in their decision, which was published on the Office of the Privacy Commissioner of Canada’s website.
“Recognizing the significant gaps that we observed in TikTok’s underage user detection mechanisms, we found it likely that many more children continued to use the platform, undetected, and therefore subjected to profiling and targeting by TikTok,” the privacy commissioners wrote. “Ultimately, the offices found that TikTok was collecting and using the personal information of children with no legitimate need or bona fide interest, and that its practices were therefore inappropriate.”
Inadequate consent process
The privacy commissioners also found that the process by which TikTok secured user consent on information collection and use was inadequate.
The company claimed that it had implemented steps to keep advertisers from using users’ sensitive information in targeting campaigns; however, during a demonstration of the platform’s advertising portal, the privacy commissioners “noted with concern” that advertisers could target users based on their status as transgender. Per TikTok, it was impossible, but the company reportedly could not provide an explanation of the option’s availability.
“While TikTok requires users to expressly accept its Terms and Conditions and Privacy Policy during account sign-up, we found that such consent – vis-à-vis TikTok’s practices related to tracking, profiling, targeting and content personalization – was not valid or meaningful,” the privacy commissioners wrote in the decision.
The investigation showed that in seeking consent from adult users, the company did not directly indicate what information it would collect and use for ad purposes and content personalization. It also did not clarify TikTok’s practices in this area and kept users from easily accessing documents that listed what the privacy commissioners described as “additional important details.” Moreover, TikTok could not adequately explain why it obtained and utilized users’ biometric information in video/image and audio analytics.
In addition, a French version of the Privacy Policy and other relevant privacy communications was not provided. With regard to young users, TikTok failed to explain in layman’s terms how it would access and use their information for ads purposes; rather, it used the same language that it did for adults.
TikTok’s new commitments
Per the privacy commissioners, TikTok disagreed with the investigation’s findings in general. Nonetheless, the company committed to the following steps:
- Implementing three new enhanced age assurance mechanisms that will effectively keep out underage users.
- Improving its privacy policy to clarify its targeted advertising and content personalization practices and to make privacy communications accessible through links and direct notices.
- Prohibiting advertisers from targeting under-18 users except through generic categories like language and approximate location.
- Publishing a plain-language summary of its privacy policy for young users and explaining its key privacy practices in video form.
- Improving privacy communications on the collection and use of biometric information in up-front notices.
- Incorporating a new “Privacy Settings Check-up” mechanism for Canadian users, of which these users would need to be informed.
TikTok was also required to submit privacy impact assessments and testing/research plans, deliver on its commitments under an agreed deadline, implement feedback from the commissioners in a timely manner, and update the commissioners each month on the delivery of its commitments.
