TikTok’s appeal against a £12.7 million penalty from the UK Information Commissioner’s Office (ICO) has suffered an early defeat. A tribunal has ruled that TikTok can only challenge the amount of the fine, not the ICO’s finding that it breached the UK GDPR. The decision affirms the regulator’s authority and raises the stakes for tech companies handling children’s data.
The ICO issued the fine in 2023 after finding TikTok allowed over a million children under 13 to access its platform without proper parental consent. The company was found to have failed to verify users’ ages and processed children’s personal data unlawfully, violating several core provisions of the UK GDPR.
At issue are legal obligations around lawful processing, transparency, and data protection by design. The tribunal’s ruling makes clear that these duties were not met, leaving only the question of whether the penalty was proportionate.
This case reinforces that compliance with the UK GDPR is not optional. Platforms targeting or accessible to children must build privacy protections into their systems and be prepared to demonstrate full legal accountability.
