Facebook has relinquished its first place. Within the sphere of social media, TikTok is now the most downloaded application in the world. TikTok is also very popular among children. Many Dutch children were also aware of the latest dance crazes. Unfortunately, according to the Dutch data protection authority, the Autoriteit Persoonsgegevens (AP), this did not apply to the use of their data. The AP imposed a fine of 750,000 euros on TikTok for violating the privacy of young (Dutch) children.
Transparency, that is taking into account the target audience
The reason why the AP decided that TikTok Inc. invaded the privacy of young children has everything to do with the transparency principle in the GDPR. TikTok has the obligation to inform all its users about how their personal data are being processed. TikTok does this by means of a privacy statement.
It must convey the information in a ‘transparent’ manner. This will effectively allow users to understand what is happening with their personal data.
According to the Article 29 Data Protection Working Party (WP29), this means that an average member of the target audience must be able to understand the information.
Also for children
In addition, a controller who addresses children must ensure that the used language, tone and style are appropriate for children. This also applies to a data controller who should normally be aware that children use his or her goods or services.
So in data protection law, children themselves have a genuine right to transparent information! If they are part of the intended audience, they must also be able to understand the content of a privacy statement. That was precisely the problem with TikTok. Although Dutch children are indeed part of the application’s target audience, TikTok Inc. only provided an English privacy statement in the first place. Moreover, there was no child-friendly version. Therefore, according to the AP, TikTok violated its transparency obligation towards young Dutch children.
TikTok has now provided a Dutch version for its Dutch target audience and has also made a shorter and simpler privacy statement available for children. Although TikTok has lodged an appeal against the decision of the AP and we will have to wait and see what the result of this will be, let us draw already lessons from it.
A child-friendly privacy statement, how?
If you offer a good or service that can also reasonably be used by children, make sure that, in addition to a more extensive privacy statement for adults, you also provide a privacy statement in a language and form that is easily understood by children. Think for example of a broadcaster or production studio for children’s shows.
Does it have to be done via a written text to be GDPR compliant? Not necessarily! A good alternative may be to do this via a catchyvideo. That will appeal much more to children than a text. However, do not forget to be understandable as well as sufficiently comprehensive.
Cheap templates and hasty copy/paste work are not going to pass the test of a good privacy statement. The guiding principle remains “say what you do” and “do what you say”. Besides, this is an evolving concept which means that you will have to check the adequacy of your privacy statement internally on a regular basis.
Moreover, this is not a “check the box” exercise and your privacy statement must be truly transparent. Does your business also target children? Then the bar is set extra high.
Our specialists, however, can help you tailor your privacy statement to your target audience. You can always contact us for this via email@example.com.
Written by Larissa De Keyser, Legal Adviser deJuristen, and Kris Seyen, Partner deJuristen