The Irish Data Protection Commission (DPC) found that TikTok Technology Limited (TTL) violated the General Data Protection Regulation (GDPR). The violation arises from TikTok’s deficient protection of children’s privacy. As a result of these findings, the DPC imposed a hefty fine of 345 million euros on TikTok and ordered the company to bring its data processing practices in line with the required standards within three months.
The DPC’s investigation revealed that, by default, children’s account settings were set to public, allowing any individual to view the content posted by underage users. Also, some features that were not supposed to be available could be turned on, exposing users younger than 13, who should not have access to the platform, to further risks. Moreover, the “family pairing” feature allowed adults to activate direct messaging for users over the age of 16 without their consent. The DPC also emphasized TikTok’s use of deceptive “dark patterns” during account setup and video posting, and its failure to provide adequate transparency information to its young audience.
In California, Attorney General Rob Bonta announced a settlement agreement regarding Google’s violations of the California Privacy Rights Act (CPRA), following a comprehensive investigation by the California Department of Justice. The investigation uncovered Google’s deceptive practices related to the collection, storage, and use of individuals’ location data for consumer profiling and advertising without obtaining informed consent.
Despite assurances from Google that a user’s location would not be tracked after the user opted out, the investigation found that Google continued to collect and store that location data. This data was used for commercial gain, building behavioral profiles to target ads to users. Notably, even when users turned off location history, Google persistently collected and stored their location data through other sources.
As part of the settlement, Google is mandated to pay a fine of 93 million dollars and adhere to injunctive terms to prevent future violations. According to the California Attorney General, the settlement ensures enhanced user information, transparency, and control over location technology data, alongside clearer and more explicit disclosures and consents regarding the use of location information for ad personalization.