The Superintendence of Industry and Commerce of Colombia orders TikTok to comply with the Colombian data protection standard

Bogotá D.C. October 8, 2020 - The Superintendence of Industry and Commerce (SIC), as Data Protection Authority, issued a mandatory order to ByteDance Ltd, TikTok, Inc and TikTok Pte. Ltd. to implement measures in accordance with the Colombian standard regarding the appropriate processing of personal data.

The decision was made, through Resolution 62132 of October 5, 2020, after determining that the Privacy Policy (PP) of TikTok owned by ByteDance Ltd, a company domiciled in Beijing (China), breaches 47,37% of the requirements demanded by the Colombian regulation. Additionally, the PP applicable to Colombia is not written in Spanish, which makes it difficult for everyone to understand the rules on the processing of their personal data.

On the other hand, it was found that TikTok does not comply with 58.33% of the requirements demanded by the Colombian regulation regarding what people must be informed before obtaining their consent to be able to collect and use their personal data.

TikTok process personal data of 12,447,549 users in the Republic of Colombia, of which 1,933,835 are children. Due to the foregoing, the SIC officially initiated an investigation to verify whether TikTok complied with Colombian regulations regarding the collection and use of personal data on children and adolescents. The investigation took into account the settlement between the Federal Trade Commission of the United States and TikTok regarding the collection of data from minors of age.

The Superintendence of Industry and Commerce was able to establish that TikTok uses "cookies" to collect or process personal data in the national territory, thus Law 1581 of 2012 is applicable because it collects or captures personal data through a tool that is installed in mobile devices and computers located in the Republic of Colombia.

The SIC ordered the following to the companies ByteDance Ltd, TikTok, Inc and TikTok Pte. Ltd:

  1. That with respect to the personal data that it collects or process from users in the territory of the Republic of Colombia, implement an appropriate, effective and demonstrable mechanism or procedure so that, when requesting consent from each Data Subject, it is informed clearly, simply and expressly the following:
    • The processing to which personal data will be submitted and the purpose of the processing.
    • The optional nature of the answer to the questions that are asked, when they regard sensitive data or data of minors of age.
    • The rights that assist the Data Subject.
    • The dentification of the Controller of the processing: physical or electronic address and the telephone number of the person in charge of the processing.
  2. Elaborate a Privacy Policy (PP) in Spanish that meets all the standards required by article 13 of Decree 1377 of 2013 (incorporated in Decree 1074 of 2015) and make it accessible to the Data Subjects in the Colombian territory.
  3. Implement an appropriate, effective and demonstrable mechanism or procedure to comply with the special requirements ordered by article 12 of Decree 1377 (incorporated in Decree 1074 of 2015) for the collection and processing of personal data of minor of age (under 18 years).
  4. Register your databases regarding the information collected in the Colombian territory in the National Registry of Databases, administered by the Superintendence of Industry and Commerce.
  5. Submit to the Superintendence of Industry and Commerce proof of the prior, express and informed consent issued by the legal representatives of children and adolescents (under 18 years of age), whose Data has been collected or processed after entry in force of Statutory Law 1581 of 2012.

Failure to comply with these orders leads to an administrative sanctioning investigation that may result in fines of up to 2,000 current legal minimum wages. Against the decision proceeds reconsideration and appeal.