Summary

Why this case belongs in a risk and accountability file

TikTok's child and teen privacy record belongs in a risk and accountability file because the central harm surface was a default. Defaults matter more than policies. A privacy policy may be long, a safety center may be helpful, and a parent may eventually find a setting. But the default setting is the actual first decision made for the child at the moment of use. If a young person's account, profile information, content, contactability, or discoverability begins in a state that invites a broad audience, the platform has already made a risk allocation before the child has made an informed choice.

That is why the Irish Data Protection Commission's 2023 TikTok decision matters. The DPC announcement at https://www.dataprotection.ie/en/news-media/press-releases/DPC-announces-345-million-euro-fine-of-TikTok described an inquiry into platform settings, public-by-default settings, Family Pairing, age verification, and transparency obligations for child users. The decision PDF at https://www.dataprotection.ie/sites/default/files/uploads/2023-09/Inquiry%20into%20TikTok%20Technology%20Limited%20-%20September%202023%20EN.pdf provides the detailed official record. The EDPB's binding decision page at https://www.edpb.europa.eu/documents/edpb-binding-decisions/binding-decision-22023-on-the-dispute-submitted-by-the-irish-sa_en and PDF at https://www.edpb.europa.eu/system/files/2023-09/edpb_bindingdecision_202302_ie_sa_ttl_children_en.pdf show the European cross-border layer.

The public record supports a direct accountability question: who had practical control over the child user's initial visibility, the clarity of the explanation, the age gate, the parental-control model, the default ability of others to find or interact with the child, and the repair after regulators found the prior design inadequate? TikTok and its relevant corporate entities owned the product design and data-processing choices. Parents, children, schools, regulators, and civil society could influence or challenge the system, but they did not set the default architecture.

This is not a claim that every young TikTok user suffered a specific injury. It is also not a claim that every TikTok employee intended harm. The accountability file is narrower and stronger. A large consumer platform knew or should have known that defaults shape real privacy exposure for children. Regulators later found that certain settings and explanations did not meet legal standards during the relevant period. The public question is whether the platform's design governance made children's privacy the starting state or a burden shifted onto children and guardians.

What regulators publicly confirmed

The Irish DPC's public announcement confirms the major outlines. It adopted a final decision on September 1, 2023, and announced a 345 million euro administrative fine on September 15, 2023. The inquiry examined TikTok Technology Limited's processing of children's personal data in relation to platform settings, including public-by-default settings and Family Pairing, and age verification as part of registration. It also examined transparency obligations, including information provided to child users about default settings. Those are confirmed public facts.

The DPC decision PDF at https://www.dataprotection.ie/sites/default/files/uploads/2023-09/Inquiry%20into%20TikTok%20Technology%20Limited%20-%20September%202023%20EN.pdf is important because it explains the logic of default exposure. The decision concerned child users aged 13 to 17 during the period from July 31, 2020, to December 31, 2020. It addressed the public-by-default processing of platform settings, the consequences of visibility, and the way a child user could be exposed to a broad audience. It also considered the Family Pairing feature and the registration process. A public-safe article should stay with that scope and not pretend the decision covers every later TikTok design.

The EDPB binding decision at https://www.edpb.europa.eu/system/files/2023-09/edpb_bindingdecision_202302_ie_sa_ttl_children_en.pdf confirms that the dispute had a European consistency dimension. The EDPB record states that the decision related to processing of children's personal data by TikTok Technology Limited, especially registered users aged between 13 and 17 in connection with certain design practices and issues relating to children under 13. That matters because child safety on a large platform is not confined to one regulator's local priorities. It becomes a cross-border governance question.

The UK ICO enforcement page at https://ico.org.uk/action-weve-taken/enforcement/2023/05/tiktok/ adds another confirmed regulator record. The ICO fined TikTok in 2023 in connection with children's data protection failures, including under-13 use and use of children's personal data without appropriate parental consent. The ICO matter is not identical to the DPC matter, so it should not be collapsed into one global finding. But it supports the broader conclusion that TikTok's child-user controls were under serious regulator scrutiny on both teen-default and under-13 access issues.

The U.S. DOJ and FTC lawsuit announced in 2024 is a different category. The DOJ announcement at https://www.justice.gov/archives/opa/pr/justice-department-sues-tiktok-and-parent-company-bytedance-widespread-violations-childrens and the FTC announcement at https://www.ftc.gov/news-events/news/press-releases/2024/08/ftc-investigation-leads-lawsuit-against-tiktok-bytedance-flagrantly-violating-childrens-privacy are allegations in a civil case, not final findings in this article's evidentiary frame. They are still part of the accountability record because they allege COPPA violations and alleged noncompliance with earlier obligations. The correct public wording is that U.S. authorities sued and alleged violations, not that all allegations have been adjudicated.

Default settings are governance, not decoration

Consumer platforms often treat settings as user empowerment. That framing can be true for adults who understand the service, read the controls, and have time to decide. For children, a default setting is governance. It tells the child what is normal, tells the system what processing is allowed, and tells other users how reachable or visible the child may be. The default therefore carries a duty of care that cannot be outsourced to a child clicking through a sign-up flow.

The DPC's public-by-default findings make that governance point concrete. If an account or posted content is public by default, the child user begins with a wider audience than a private-by-default model would provide. That may affect who can view content, follow the account, interact with the child, or infer personal details from videos, profile information, comments, and patterns of activity. The risk is not only the content of one post. It is the combination of repeat visibility, audience scale, social pressure, algorithmic discovery, comments, messaging boundaries, and the child's limited ability to understand downstream exposure.

TikTok's own January 2021 update at https://intelligence team.tiktok.com/en-us/strengthening-privacy-and-safety-for-youth is central because it shows a repair direction. TikTok said accounts for users aged 13 to 15 would be set to private by default and described other changes for comments, downloads, Duet, Stitch, and other features. The support page at https://support.tiktok.com/en/account-and-privacy/account-privacy-settings/privacy-and-safety-settings-for-users-under-age-18 describes age-differentiated settings for users under 18. Those company materials are useful because they show the platform recognized that age-based default controls belong in the product itself.

The accountable question is not whether TikTok eventually changed settings. It is whether the platform's governance process made the change early enough, measured the impact well enough, explained it clearly enough, and avoided leaving children exposed during the time when regulators later found the relevant configuration unlawful or inadequate. A repair can be meaningful and still raise accountability questions about why the earlier default existed and what evidence proved the new default worked.

Default governance also includes friction. A platform can say that users can change settings, but children may not understand visibility consequences, may be motivated by popularity, may copy peers, or may assume that the app's defaults are safe. A child-facing privacy design should not depend on the child discovering a safer state after exposure. The safer state should be the starting point unless there is a clear, age-appropriate, and lawful reason to do otherwise.

Transparency has to be understandable to the child

Transparency is often treated as a legal notice problem. For children, it is a comprehension problem. A privacy explanation that satisfies an adult lawyer may still fail the young user who needs to understand what public visibility, discoverability, comments, downloads, direct messages, Duet, Stitch, contact syncing, recommendations, and data sharing mean in practice. The DPC and EDPB records place transparency at the center of the TikTok file because child users needed information about default settings in a form they could realistically understand.

The DPC announcement at https://www.dataprotection.ie/en/news-media/press-releases/DPC-announces-345-million-euro-fine-of-TikTok expressly identified transparency obligations and the information provided to child users in relation to default settings. That is an important point. The issue was not merely whether a setting existed somewhere. It was whether the child could understand the setting's consequences at the time the setting mattered. If a child learns later that content was public, the transparency arrived too late.

TikTok's privacy-policy and safety-center materials, including https://www.tiktok.com/legal/page/us/privacy-policy/en and https://www.tiktok.com/safety/en/guardians-guide/, can help users and parents understand the current product. But accountability requires asking how well those materials connect to the live product flow. A guardian guide is valuable only if guardians know it exists, understand it, and can use it before meaningful exposure occurs. A privacy policy is valuable only if it is connected to settings that protect the child by default and give age-appropriate explanations at the decision point.

The supported inference is that child transparency should be layered. The first layer is the default setting itself. The second is a short, age-appropriate explanation at onboarding and at each feature boundary. The third is a parent or guardian resource. The fourth is a complete legal policy for formal compliance. If the first two layers are weak, the third and fourth layers cannot fully repair the risk.

The unknowns are important. Public sources do not show all TikTok interface tests, comprehension research, localization work, design-review minutes, or internal metrics on how child users understood privacy choices. The absence of public evidence is not proof that no work existed. It means the public accountability file can judge only the official findings, company-facing materials, and regulator-visible product choices.

Age assurance is the weak hinge in the system

Age-based defaults depend on age assurance. If a platform cannot identify whether a user is under 13, 13 to 15, 16 to 17, or an adult with reasonable reliability, age-tiered settings can fail at the entry point. The TikTok file therefore cannot be reduced to one privacy toggle. It includes registration design, age prompts, under-13 exclusion or experience routing, signals that an account may belong to a child, parental consent where required, and deletion or remediation when the platform learns that an account is underage.

The DPC inquiry examined age verification as part of the registration process. The EDPB record also refers to issues related to children under 13. The UK ICO enforcement matter at https://ico.org.uk/action-weve-taken/enforcement/2023/05/tiktok/ likewise places under-13 use in the public accountability file. The U.S. DOJ and FTC lawsuit announced at https://www.justice.gov/archives/opa/pr/justice-department-sues-tiktok-and-parent-company-bytedance-widespread-violations-childrens alleges COPPA violations involving children under 13. These records make age assurance a central governance surface.

Age assurance is difficult, but difficulty is not an excuse for pretending the problem is small. A platform can use self-declared age, behavioral signals, parental reporting, moderation review, device or account signals, youth-specific experiences, and appeal processes. Each method has tradeoffs. Overly invasive age verification can create privacy risks of its own. Weak self-declaration can invite children to misstate age. Automated inference can be inaccurate or discriminatory. Manual review can be slow.

The accountability task is to choose proportionate controls, measure error, and document why the chosen balance protects children without collecting unnecessary sensitive data.

The supported inference is that TikTok's accountable repair file should include age-assurance evidence. How many accounts were age-challenged? How many were removed, moved into a younger experience, or restored after appeal? How quickly were parent deletion requests handled? How did the platform prevent repeat registration by underage users? How did it avoid collecting excessive biometric or identity data in the name of age assurance? How did it evaluate false positives and false negatives? Public sources do not fully answer those questions.

This hinge matters because every downstream control depends on it. A private default for 13-to-15 accounts does not protect a 12-year-old who registers as 18. A guardian tool does not help if the child has no guardian connection. A policy promise does not help if the product does not detect the category of user the promise is meant to protect. Age assurance is therefore not a compliance sidebar. It is the control plane for child privacy.

Family Pairing shows the risk of proxy control

Family Pairing is a valuable idea in principle. A platform should give parents and guardians practical tools to help protect young users. But a proxy-control system also creates its own accountability questions. Who is allowed to pair with the child? What does pairing reveal? Can the paired adult weaken a child's privacy settings or only strengthen them? How is consent handled? Can a child understand what control the paired account has? How are abusive household situations considered? How are changes logged and explained?

The DPC announcement identifies Family Pairing as one of the examined settings areas. That means the issue was not only whether TikTok had a parental-control feature. It was whether the design and transparency of that feature met legal expectations for child-user data. The public file should treat that as a governance question. A parental tool can reduce risk when it is carefully designed, but it cannot substitute for safe defaults. Children without active guardians, children in complex households, and children whose guardians do not understand the service still need baseline protection.

TikTok's support materials at https://support.tiktok.com/en/account-and-privacy/account-privacy-settings/privacy-and-safety-settings-for-users-under-age-18 and safety-center materials at https://www.tiktok.com/safety/en/guardians-guide/ help describe current controls. The accountability question is whether these controls are understandable, enforceable, resistant to misuse, and supported by audit trails. The platform should know when a setting was changed, by whom, under which age category, and with what notice to the child and guardian.

The supported inference is that Family Pairing should be judged by child safety outcomes, not feature presence. A feature name does not prove protection. Protection requires defaults, authentication, clear roles, limited authority, abuse safeguards, easy review, and metrics showing that the tool actually reduces exposure. Public sources do not provide all such metrics, so the public conclusion must remain cautious.

The U.S. COPPA record is allegation-heavy and still relevant

The U.S. child-privacy record has two layers. First, there was an earlier FTC matter involving Musical.ly, the predecessor service associated with TikTok's lineage. The FTC's 2019 announcement at https://www.ftc.gov/news-events/news/press-releases/2019/02/video-social-networking-app-musically-agrees-settle-ftc-allegations-it-violated-childrens-privacy described allegations and settlement terms under COPPA. Second, the DOJ and FTC announced a 2024 lawsuit against TikTok and ByteDance at https://www.justice.gov/archives/opa/pr/justice-department-sues-tiktok-and-parent-company-bytedance-widespread-violations-childrens and https://www.ftc.gov/news-events/news/press-releases/2024/08/ftc-investigation-leads-lawsuit-against-tiktok-bytedance-flagrantly-violating-childrens-privacy.

Those U.S. materials should be handled carefully. A lawsuit announcement is not the same as a final judgment. The responsible wording is that the DOJ, acting with the FTC, alleged violations of COPPA and alleged issues with data collection, retention, parental consent, deletion requests, and compliance with earlier orders. The article should not state that every allegation has been proven unless a court or settlement record establishes it.

Even with that caution, the U.S. record is relevant because it identifies the same accountability surfaces: under-13 access, parental consent, notice, deletion, data retention, and institutional compliance. COPPA's implementing rule at https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312 establishes the public legal framework for children's online privacy in the United States. The FTC's COPPA page at https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa gives further public context.

The supported inference is that a platform facing both European teen-default findings and U.S. under-13 allegations needs a unified child-privacy governance file. It cannot treat teen defaults, under-13 registration, parent deletion requests, transparency, and data-retention controls as unrelated compliance tickets. They are connected because a child experiences the platform as one system.

The unknowns are substantial. The public record does not establish all TikTok internal communications, deletion-workflow metrics, account-classification decisions, parent-request queues, historical data-retention maps, or technical controls used to separate under-13 users from older users. Those unknowns should not be converted into accusations. They should be listed as the missing evidence required for a complete accountability review.

Confirmed facts, supported inference, and unknowns

Confirmed public facts include that the Irish DPC fined TikTok Technology Limited 345 million euros in 2023 after an inquiry into children's data processing, platform settings, public-by-default settings, Family Pairing, age verification, and transparency. Confirmed public facts include that the EDPB issued Binding Decision 2/2023 in the dispute submitted by the Irish supervisory authority. Confirmed public facts include that TikTok announced youth-safety changes in January 2021, including private-by-default accounts for younger teen users, and publishes under-18 safety setting guidance.

Confirmed public facts include that the UK ICO issued a TikTok enforcement action in 2023 and that U.S. DOJ and FTC materials announced a 2024 COPPA lawsuit.

Supported inference includes the conclusion that default visibility, age assurance, child-facing transparency, guardian controls, data-retention practices, deletion workflows, product analytics, and post-enforcement repair evidence were central accountability surfaces. That inference follows from the official regulator findings, company product notices, and child-privacy legal context. It does not require access to private source code or confidential design documents.

Unknowns include the complete internal rationale for the 2020 default settings, the full list of product experiments, all child-comprehension testing, complete age-assurance model performance, the exact underage-account detection rate, the full volume and handling time for parent deletion requests, historical retention maps, detailed internal governance records, and the complete effect of later repair measures. Public sources also do not establish the individual experience of every child user or guardian.

Those distinctions matter for fairness. A public accountability article should not allege secret intent, undisclosed surveillance, or hidden criminal conduct beyond the public record. It can say that regulators found specific failures, that U.S. authorities alleged additional failures, and that the platform's own changes confirm that default child-safety controls were a product-design issue. That is enough to make the case important without overstating the evidence.

The safety problem is not solved by asking parents to do more

Parents and guardians matter, but the platform cannot make them the primary control for a system they do not operate. Many guardians do not use TikTok. Many do not understand the implications of public visibility, recommendations, comments, downloads, contact syncing, or messaging. Some children use devices shared with family members. Some children create accounts without permission. Some families face language barriers, time scarcity, digital-literacy gaps, or household safety issues. A platform that knows children use the service must build protection into the default architecture.

This is why the guardian-guide layer at https://www.tiktok.com/safety/en/guardians-guide/ should be treated as a supplement, not the core control. A strong guide can help families make better decisions. It can explain settings, reporting, screen time, content controls, and communication features. But a guide does not protect the child who never reaches it. The default state protects that child.

The same principle applies to deletion and consent. If a parent must repeatedly request deletion of underage data, chase support channels, or prove a child's age after the platform has already collected data, the platform has shifted operational cost to the family. A strong child-privacy program should reduce that burden through prevention, fast response, clear escalation, and measurable deletion completion.

The public record does not prove the quality of every TikTok support process. It does, however, show why the burden-shift question is central. COPPA is built around parental notice and consent for children under 13. GDPR child-data protection and transparency requirements are built around the child's vulnerability and need for clear information. Both frameworks resist the idea that a platform can place exposure first and education later.

Product repair has to be measurable

TikTok's January 2021 youth-safety update is a key repair marker. It described making accounts for users aged 13 to 15 private by default and tightening several interaction features. That is exactly the kind of product-level repair that child-privacy accountability requires. But repair is not complete when the announcement is published. It has to be measured.

A measurable repair file would answer several questions. What percentage of relevant teen accounts were actually shifted to private defaults? Were legacy accounts handled differently from new accounts? Did users understand the change? Did the change reduce unwanted adult contact, scraping, downloads, harassment, or exposure? Did it increase pressure on children to misstate age? Were there regional variations? How were appeals and exceptions handled? How were creators aged 16 to 17 treated differently from younger teens? What ongoing monitoring detected regression?

The support page at https://support.tiktok.com/en/account-and-privacy/account-privacy-settings/privacy-and-safety-settings-for-users-under-age-18 provides the user-facing rulebook, but a public support page cannot prove operational effectiveness by itself. The company should be able to connect the page to internal metrics, incident reports, audit logs, enforcement statistics, and independent review where appropriate. A regulator can then evaluate whether the repair is durable.

The DPC's order to bring processing into compliance, described in its public materials, also makes repair measurable. Compliance is not a promise. It is a state that can be tested. If a platform says a default changed, the evidence should show the code path, affected population, rollout date, exceptions, monitoring, and any remaining risk. If a platform says children receive clearer information, the evidence should show comprehension testing, localization, accessibility, and the timing of disclosures.

Data minimization is part of child safety

The TikTok case is often discussed as a visibility or age-gate matter, but data minimization is part of the same safety problem. A child-user account can generate profile data, videos, drafts, comments, likes, followers, device information, location signals, contacts, behavioral analytics, ads or measurement signals, support records, moderation records, and inference data. Some of this may be necessary to operate a service. Some may be optional. Some may be retained longer than needed. The accountability question is whether the platform minimized collection and retention consistent with child protection.

The U.S. FTC materials at https://www.ftc.gov/news-events/news/press-releases/2024/08/ftc-investigation-leads-lawsuit-against-tiktok-bytedance-flagrantly-violating-childrens-privacy and the COPPA rule at https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312 make retention and deletion part of the public conversation. The European GDPR framework, reflected in the DPC and EDPB records, likewise connects data protection by design, transparency, and appropriate processing. A child user's privacy risk is not limited to what strangers can see. It also includes what the platform collects, infers, shares, retains, and can later use.

A durable repair should therefore show not only safer defaults but also data maps. Which child-user data is collected? Which fields are necessary for safety, integrity, recommendations, advertising, analytics, or legal compliance? Which data is retained after account deletion? Which data is deleted or anonymized? Which third parties receive child-related data? Which internal teams can access it? How are under-13 records segregated or removed? How are parent deletion requests verified and completed?

Public sources do not answer all of those questions. That is why the article does not make private-data-flow claims beyond the public record. But the minimization questions are not speculative; they are the natural evidence demands created by the enforcement record.

The business incentive problem

A platform optimized for growth and engagement may have incentives that conflict with child privacy. Public profiles can increase visibility. Broad discoverability can increase interactions. Social feedback can increase retention. Downloads, stitches, duets, comments, and recommendations can amplify content. For adult creators, these features may be central to the product. For children, the same features can create exposure they do not fully understand.

The accountability task is to prove that child privacy can override growth incentives. That proof has to be institutional, not rhetorical. It should appear in product-review gates, launch checklists, privacy impact assessments, child-rights analysis, metrics that penalize risky exposure, escalation rules, executive accountability, and regulator-facing evidence. If engagement metrics dominate and child-safety metrics are secondary, the default will drift toward exposure.

The DPC and EDPB records show why this matters. A public-by-default design can be defended as a product norm, but child privacy asks whether the norm is appropriate for children. A teen may want audience and interaction. That desire is real. But the platform still has to design for the child's developmental limits, peer pressure, and inability to forecast long-term data consequences. The answer is not to ban all youth expression. The answer is to make privacy-protective states the starting point and require deliberate, age-appropriate choices for wider exposure.

That is also where advertising and measurement issues enter the accountability file. Even when the immediate enforcement focus is default visibility, a child-oriented privacy program should ask how the platform's business model uses youth engagement signals. Public sources in this file do not establish every advertising data flow, so the article does not assert them as hidden facts. It identifies the business incentive problem as a supported governance inference.

Regulator fragmentation can obscure the child user's experience

The TikTok record is fragmented across Ireland, the EDPB, the United Kingdom, and the United States. Each authority has a different legal frame, jurisdiction, period, and population. The DPC examined a 2020 relevant period for child users and specific settings. The EDPB handled consistency issues. The ICO focused on UK data-protection failures involving children, including under-13 processing. The DOJ and FTC brought COPPA allegations in the United States. The FTC's 2019 Musical.ly matter is a separate earlier record.

For lawyers, those distinctions matter. For a child user, the experience is one product. The app does not feel like separate compliance zones. The child sees account creation, videos, comments, messages, recommendations, privacy controls, and support. A strong governance program should integrate regulator lessons into one child-safety architecture rather than treating each case as a separate legal exposure.

This is why the source file must distinguish evidence categories. Official regulator findings can support confirmed statements. Pending litigation can support statements about allegations. Company pages can support current representations. News coverage such as AP's account of the EU fine at https://apnews.com/article/8ebacba7646ef872fb8e85a1bcb93876 can support public chronology but should not replace official decisions. Civil-society or legal commentary can explain context but should not become the factual backbone.

The public article's job is to reconcile those layers without blurring them. It should not say the U.S. lawsuit proves the European findings. It should not say the DPC decision proves all later U.S. allegations. It should say that multiple public records point to the same accountability surfaces: age, default visibility, transparency, parental control, deletion, retention, and institutional repair.

What an accountable TikTok repair file should prove

An accountable repair file would first prove default protection. It would identify each child and teen age band, each major privacy and interaction setting, the default state, the date of change, the rollout path, the exceptions, the monitoring plan, and the rollback controls. It would show how the platform avoids accidentally widening visibility through new features, regional variants, experiments, or legacy account states.

Second, it would prove age-assurance governance. It would document the registration process, signals used to detect underage accounts, review workflows, appeal rights, deletion processes, parent request handling, and error rates. It would explain how the platform avoids collecting excessive identity data while still enforcing age-based protections. It would include metrics for false positives, false negatives, time to action, repeat evasion, and regional variation.

Third, it would prove child-readable transparency. It would provide onboarding screens, setting explanations, translations, accessibility review, comprehension testing, and evidence that children understood the consequences of public visibility and interaction features. It would show that explanations arrived before exposure, not after the child had already posted publicly.

Fourth, it would prove guardian and support effectiveness. It would show how Family Pairing works, who can pair, what permissions exist, what changes can be made, how the child is notified, how abusive or coercive situations are considered, and how support requests are handled. It would connect parent deletion requests to completion evidence.

Fifth, it would prove data minimization and retention control. It would map child-related data, purposes, storage locations, retention periods, third-party sharing, deletion triggers, and audit logs. It would show that product teams cannot expand child-user data use without privacy review and that legacy data is not retained simply because it is useful.

Why this is a platform accountability case, not only a privacy-law case

The TikTok file is about privacy law, but it is also about platform accountability. A platform mediates social attention. It creates the audience, sets the defaults, suggests content, normalizes behavior, and turns settings into lived experience. For children, that means privacy is inseparable from safety, dignity, reputation, harassment risk, grooming risk, and long-term data control.

The law supplies important enforcement hooks. GDPR, COPPA, UK data-protection law, regulator decisions, and consent orders create formal duties. But the deeper accountability question is whether the product's operating model treats children as a protected class of users or as ordinary engagement units with extra policy language. Defaults reveal the answer because they show what the platform does before a child asks for help.

The public record shows a platform that received serious regulator findings, announced youth-safety changes, faces continuing U.S. allegations, and maintains current support materials for under-18 settings. That record is enough to make TikTok a major accountability case. It is not enough to write a private internal history of the company. The difference is important. Public accountability must be evidence-based, especially when the subject involves children.

The lesson for other platforms is direct. Do not wait for regulators to tell you that child accounts should not begin in an unnecessarily public state. Do not make privacy depend on a child reading complex explanations. Do not treat parental controls as a substitute for safe defaults. Do not build age-tiered safety without measuring age-assurance errors. Do not announce repair without evidence that the repair reached the affected population. The default is the duty.

The accountable story

The dramatic story is that TikTok was fined hundreds of millions of euros and sued again by U.S. authorities. The accountable story is more precise. During a defined 2020 period, regulators found that TikTok's handling of child-user settings, including public-by-default issues and transparency, failed important legal standards. TikTok later announced and documents youth-safety settings that move younger teen accounts toward more protective defaults. Other regulators and agencies have pursued related child-privacy concerns, including under-13 access and COPPA allegations.

That story is strong because it separates confirmed facts from supported inference. Confirmed facts come from the DPC, EDPB, ICO, FTC, DOJ, and TikTok's own public materials. Supported inference identifies the governance surfaces that must be evidenced: defaults, age assurance, transparency, Family Pairing, deletion, retention, product testing, and durable repair. Unknowns remain where public sources do not reveal internal metrics or complete design records.

TikTok's case belongs in the Risk and Accountability 500 because it shows how child safety can turn on the smallest product choice. A default setting is a policy decision disguised as interface behavior. When the users are children, that decision carries a higher burden. The platform that controls the default controls the first layer of risk.