TikTok could also be fined £27m for failing to protect children
TikTok could face a £27m fine for failing to guard children's privacy when they're using the platform.
The UK's Information Commissioner's Office (ICO) found the video-sharing platform may have processed the info of under-13s without appropriate consent.
The watchdog said the breach happened over quite two years - until July 2020 - but that it had not yet drawn final conclusions.
TikTok says it disputes the findings, noting that they're "provisional".
The ICO has issued TikTok Inc and TikTok Information Technologies UK Limited with a "notice of intent" - a legal instrument which precedes a potential fine.
The notice sets out the ICO's provisional view that TikTok breached UK data protection law between May 2018 and July 2020.
The ICO investigation found the social platform may have:
processed the info of children under the age of 13 without appropriate parental consent
failed to provide proper information to its users in a concise, transparent and simply understood way
processed special category data, without legal grounds to try to to so
According to Ofcom, 44% of eight to 12-year-olds within the UK use TikTok, despite its policies forbidding under-13s on the platform.
Information Commissioner John Edwards said: "We all want children to be ready to learn and experience the digital world, but with proper data privacy protections.
"Companies providing digital services have a duty to put those protections in place, but our provisional view is that TikTok fell in need of meeting that requirement."
TikTok has unrolled a number of features to strengthen the privacy and safety on the site - including allowing parents to link their accounts to their children's, and disabling direct messaging for under-16s.
But Mr Edwards continued: "I've been clear that our work to raised protect children online involves working with organisations, but also will involve enforcement action where necessary.
"In addition to the present , we are currently looking into how over 50 different online services are conforming with the Children's Code, and have six ongoing investigations looking into companies providing digital services who haven't, in our initial view, taken their responsibilities around child safety seriously enough."
Rolled out in September last year, the Children's Code put in situ new data protection codes of practice for online services likely to be accessed by children, built on existing data protection laws, with financial penalties an opportunity for serious breaches.
The ICO said its findings within the notice were provisional, with no conclusion to be drawn at this stage that there had been any breach of knowledge protection law.
It added: "We will carefully consider any representations from TikTok before taking a final judgment ."
A TikTok spokesperson said: "This notice of intent, covering the amount May 2018-July 2020, is provisional and because the ICO itself has stated, no final conclusions are often drawn at this time.
"While we respect the ICO's role in safeguarding privacy within the UK, we afflict the preliminary views expressed and intend to formally respond to the ICO in due course."
Previous action
In 2019, the firm was given a record $5.7m fine by the Federal Trade Commission, for mishandling children's data.
It has also been fined in South Korea for similar reasons.
In July, the United States Senate Commerce Committee voted to approve a measure that would raise the age that children were given special online privacy protections to 16, and prohibit targeted advertising to children without consent.