UK DPA Fines TikTok €14.5 Million for Failing to Protect Children's Data
The UK's ICO fines TikTok €14.5 million for breaching GDPR rules on safeguarding children's data. Learn about the violations, implications, and lessons from this case.
The UK's data protection watchdog, the Information Commissioner's Office (ICO), has fined TikTok EUR 14.5 million (GBP 12.7 million) for failing to comply with data protection principles under the General Data Protection Regulation (GDPR).
The GDPR is a comprehensive set of data protection laws that applies to all organizations that process the personal data of individuals in the European Union (EU). The GDPR sets out a number of data processing principles that organizations must comply with, including the principle of lawful, fair, and transparent processing. This principle requires organizations to obtain consent from individuals before collecting and processing their personal data, unless there is another legal basis for processing the data.
The GDPR also sets out specific requirements for organizations that process the personal data of children under the age of 13. These requirements include obtaining parental consent before collecting and processing children's data, and providing clear and transparent information to children about how their data is being collected and used.
What was the violation?
In the case of TikTok, the ICO found that the company had allowed children under the age of 13 to create accounts on its platform, in violation of the GDPR's requirement that organizations obtain parental consent before collecting and processing the personal data of children under 13.
The ICO also found that TikTok had not taken adequate measures to prevent children from accessing its platform, and that it had not provided clear and transparent information to children about how their data was being collected and used.
What was the decision?
Based on the violations, the ICO fined TikTok EUR 14.5 million, or GBP 12.7 million. The final fine imposed on TikTok is significantly lower than the original fine of GBP 27 million, since the ICO did not pursue the provisional finding on unlawful use of special category data. This fine is a reminder to all organizations that they must take data protection seriously, especially when it comes to children's data.
How could the fine have been avoided?
There are a number of steps that TikTok could have taken to avoid the fine. These include:
- Implementing stricter age verification measures to prevent children under the age of 13 from creating accounts.
- Providing more clear and transparent information to children about how their data is being collected and used.
- Obtaining parental consent before collecting and processing the personal data of children under the age of 13.
By taking these steps, TikTok could have ensured that it was complying with the GDPR and avoiding the fine.
What are the implications of the fine?
The fine imposed on TikTok is significant for a number of reasons. First, it is the third-largest fine ever imposed by the ICO under the GDPR. Second, it is a warning to other tech companies that they must take data protection seriously, especially when it comes to children's data. Third, the fine could damage TikTok's reputation and make it more difficult for the company to attract users and advertisers.
The fine is also a reminder that the GDPR is a powerful tool that can be used to protect the privacy of individuals. Organizations that fail to comply with the GDPR can face significant fines, and they can also damage their reputation and lose the trust of their users.
What can we learn from this case?
There are a number of lessons that we can learn from this case. First, it is important for organizations to have a clear understanding of the GDPR and the requirements that it imposes. Second, organizations need to take steps to ensure that they are compliant with the GDPR, especially when it comes to children's data. Third, organizations should be prepared to face the consequences if they fail to comply with the GDPR.
The GDPR is a complex piece of legislation, but it is important for organizations to understand and comply with it. By doing so, they can protect the privacy of individuals and avoid the risk of significant fines.
Get Started For Free with the
#1 Cookie Consent Platform.
No credit card required

Personalization Without Privacy Violations: Tactics & Tools for GDPR & CCPA Compliance
Your personalization strategy is a privacy violation waiting to happen. While customers demand tailored experiences, personalization privacy compliance has become the make-or-break factor that determines whether your customization efforts build trust or trigger devastating regulatory penalties.
- Legal & News
- Data Protection
- GDPR

First-Party Data Collection & Compliance: Best Practices for GDPR & CCPA in 2025
Your marketing strategy depends on first-party data collection compliance, but navigating the complex web of privacy regulations can feel overwhelming. With GDPR fines reaching €20 million, CCPA penalties expanding under CPRA, and 20+ US states enacting comprehensive privacy laws by 2025, collecting customer data legally has never been more critical—or complicated.
- Legal & News
- Data Protection
- GDPR
- CCPA

Customer Journey Mapping Under GDPR & CCPA: How to Embed Privacy at Every Touchpoint
Your customer journey maps are exposing you to massive privacy violations and regulatory penalties — and you might not even realize it. Most organizations approach customer journey mapping GDPR compliance as an afterthought, failing to integrate privacy requirements into each touchpoint where personal data flows through their customer experience.
- Legal & News
- Data Protection
- GDPR